Lora O'Haver
Senior Solutions Marketing Manager

Take the Fear Out of Real-Time Security Monitoring

October 17, 2016 by Lora O'Haver

Don’t let fear of a network outage prevent you from taking an aggressive stance against today’s cyber threats. Your security strategy should combine rigorous analysis and detective work with threat prevention and security intelligence. The stakes are too high to assume you can just resolve a breach when it occurs. Multi-layered attacks require multi-layered defenses.

It’s true that introducing any device directly in the path of live network traffic also introduces a new point of failure, and could (in the worst case) cause a network outage or (at the very least) complicate the troubleshooting process. Without appropriate safeguards, security appliances deployed inline can bring down the network if they malfunction due to a configuration error, become overloaded and crash, lose power, or suffer a software failure.

If you’re a security professional, you don’t want to be called into the CEO’s office to explain how the expensive monitoring appliance you begged for the budget to purchase was actually the cause of a network outage that lasted nearly an hour, frustrating customers and employees alike. And if you’re a network professional, you don’t want to deal with continual requests from the security team to maintain and update budget-sucking security devices that stand in the way of delivering frictionless application availability.

Fortunately, it’s neither difficult nor expensive to achieve resilient inline security monitoring and, at the same time, protect network and application availability.

Avoiding the worst-case scenario 

Today, real-time security monitoring can be done without putting your network at risk, so you don’t have to worry about the benefits of data inspection being erased by the cost of an unexpected outage. As in any robust system, your solution should assume the monitoring device can fail and provide for the fastest possible recovery. Most bypass switches use heartbeat technology: the switch continually sends very small packets through each connected device and checks whether they come back on the return port. Because the heartbeat traverses the appliance’s data path, it detects not only a dead link but also a device that is powered on yet no longer forwarding. If the heartbeat packet is returned, all is well, and traffic is forwarded to the security appliance for inspection as planned. If heartbeats stop coming back (typically after a configurable number of consecutive misses, so that a single dropped packet does not trigger a failover), the bypass automatically executes a back-up strategy to keep traffic moving and applications responding.

Ixia’s iBypass also provides an additional function: it continues to send heartbeats at short, regular intervals to a device that has stopped responding, to check for device recovery. Speed is important, since delay during a switchover can cause packets to be dropped. Once heartbeats are answered again, the original traffic path is restored with no manual intervention, which saves your staff from having to stop what they’re doing and respond to an alert.

Be ready for the unexpected

Many security appliances can be purchased with internal bypass functionality that allows traffic to pass through the device if it fails for any reason. This is good, as it can prevent an unexpected network outage, but it does not cover all of the situations in which you might want to direct traffic around a device. What if you need to physically remove a monitoring device from the production network for replacement, upgrade, or isolation during troubleshooting? The effectiveness of your security monitoring tools is highly dependent on your ability to keep them updated and current. Threats are constantly evolving, and monitoring appliances are too: you will need to update and upgrade appliance hardware and software frequently, and anything that discourages you from making timely updates reduces the effectiveness of your security. Only an external bypass will ensure uptime while the appliance itself is powered down, unplugged, or swapped out for maintenance and troubleshooting.

Define an alternative “escape” route

New technologies are increasing the capabilities of bypass switches and making them a better value. First-generation bypasses were designed with a single active port to connect a monitoring tool, so traffic was either passed to the tool or bypassed around it and on through the network without any inspection taking place. While not ideal, it was assumed the tool would be restored fairly quickly to limit the window of uninspected traffic. If you wanted a backup tool available to pick up the slack and take over monitoring, a second bypass was required. The new generation of bypass switches offers a secondary path on the same switch: if your primary monitoring device fails, a next-generation bypass can automatically switch traffic to a second device for inspection, eliminating both the need for a second bypass and the fail-open window. This is referred to as an active-active bypass, and it adds significant value to the basic bypass functionality.
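To make the heartbeat logic from the previous section and the secondary-path behaviour described here concrete, the following Python simulation is an added example; it is not Ixia’s code and not how any iBypass product is implemented. It models a bypass controller that probes each tool every interval, declares a tool down only after several consecutive missed heartbeats (so one dropped packet does not cause a failover), keeps probing a failed tool so that it can be restored automatically, and prefers a healthy secondary tool over fail-open bypass. The tool names, thresholds and scripted heartbeat reply patterns are constructed assumptions for the demo.

```python
"""Simulated inline bypass switch with heartbeat health checks.

Constructed example, not vendor code. Models the behaviour a practitioner
wants from a bypass: miss-count hysteresis before failover, continued
("negative") heartbeats to a failed tool so recovery is detected, and a
secondary inspection path that is preferred over uninspected fail-open.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional, Tuple


class Path(Enum):
    PRIMARY = "primary"      # traffic inspected by the primary tool
    SECONDARY = "secondary"  # traffic inspected by the standby tool
    BYPASS = "bypass"        # traffic forwarded uninspected (fail-open)


@dataclass
class Tool:
    name: str
    probe: Callable[[], bool]    # True if the heartbeat came back through the tool
    fail_threshold: int = 3      # consecutive misses before the tool is declared down (assumed)
    recover_threshold: int = 2   # consecutive replies before a down tool is restored (assumed)
    healthy: bool = True
    misses: int = 0
    replies: int = 0

    def heartbeat(self) -> bool:
        """Send one heartbeat and update health with consecutive-count hysteresis.

        Heartbeats continue while the tool is down, so recovery is noticed
        without any operator action.
        """
        ok = self.probe()
        if ok:
            self.misses, self.replies = 0, self.replies + 1
            if not self.healthy and self.replies >= self.recover_threshold:
                self.healthy = True
        else:
            self.replies, self.misses = 0, self.misses + 1
            if self.healthy and self.misses >= self.fail_threshold:
                self.healthy = False
        return ok


@dataclass
class BypassSwitch:
    primary: Tool
    secondary: Optional[Tool] = None
    path: Path = Path.PRIMARY
    transitions: List[str] = field(default_factory=list)

    def tick(self) -> Path:
        """One heartbeat interval: probe every tool (failed ones too), then pick the path."""
        self.primary.heartbeat()
        if self.secondary is not None:
            self.secondary.heartbeat()
        if self.primary.healthy:
            new = Path.PRIMARY
        elif self.secondary is not None and self.secondary.healthy:
            new = Path.SECONDARY
        else:
            new = Path.BYPASS
        if new != self.path:
            self.transitions.append(f"{self.path.value}->{new.value}")
            self.path = new
        return self.path


def scripted_probe(results: List[bool]) -> Callable[[], bool]:
    """Constructed stand-in for a real heartbeat: replays a fixed reply pattern."""
    it = iter(results)
    return lambda: next(it, True)


def run(primary_replies: List[bool],
        secondary_replies: Optional[List[bool]] = None) -> Tuple[List[str], List[str]]:
    """Drive a switch for len(primary_replies) intervals.

    Returns the traffic path chosen at each interval and the list of transitions.
    """
    secondary = None
    if secondary_replies is not None:
        secondary = Tool("ips-2", scripted_probe(secondary_replies))
    sw = BypassSwitch(Tool("ips-1", scripted_probe(primary_replies)), secondary)
    paths = [sw.tick().value for _ in primary_replies]
    return paths, sw.transitions


if __name__ == "__main__":
    # Primary tool hangs for five intervals, then comes back; standby stays healthy.
    pattern = [True, True, False, False, False, False, False, True, True, True]
    paths, transitions = run(pattern, [True] * len(pattern))
    print(" ".join(paths))
    print(transitions)
    # Same outage with no standby tool: the switch fails open instead.
    print(run(pattern)[0])
```

Reading the output side by side shows the two things the text argues for: with a secondary path the outage never produces uninspected traffic, and without one the switch still keeps the network up but runs fail-open until the primary answers heartbeats again.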

Protect your security analysts from deployment hassle

Even a valuable component, if it adds complexity or another management layer, can be difficult to justify. If you don’t automatically think about the management interface for every infrastructure component you buy, you should. Don’t settle for clunky interfaces that require specialized knowledge or pre-deployment training—particularly if you’ll be expected to pay for it. Interfaces should be graphical and configuration changes should be drag-and-drop easy. For this reason, Ixia works with providers of commonly-used security appliances (such as Cisco, FireEye, and Imperva) to provide single-click configuration from a drop-down menu. Physically connect the bypass to your appliance, select the appliance name from the list of preconfigured options, and the bypass automatically begins sending and receiving heartbeats to confirm operability.

Don’t let fear of network failure keep you from deploying security appliances inline. Look for solutions with the following key differentiators:

  1. Self-healing, negative heartbeats
  2. Zero-downtime maintenance
  3. Active-active monitoring ports
  4. One-click tool configuration

Learn more about building a resilient security architecture in this Ixia white paper.