Ten Requirements of a Network Visibility Architecture
Advanced cyber threats. An expanding perimeter. An exploding volume of traffic. If you're responsible for network security or performance management, you are well aware of the challenges you face. Addressing these issues requires an unobstructed view of what’s really happening on the network. Here are ten ways a network visibility architecture can help you keep your defenses strong and resolve performance issues more quickly.
The role of a visibility architecture is straightforward in theory: provide security appliances and monitoring tools with all of the data they need to protect and optimize your network. But as traffic volume grows and the number of tools increases, your visibility solution may not have the power to keep up. It may start to drop packets, leaving you exposed. The first requirement is to make sure your architecture can support the tools you want to use and the actual volume of traffic you expect to receive without data loss. Don't forget to ask vendors to set up a proof-of-concept to back up their claims.
Organizations today are complex entities with connections that extend far beyond the data center. Customers are served on mobile devices and core business functions are obtained via the cloud. Unfortunately, a loss of visibility into data flowing between virtual machines or cloud-based resources is common. You need to make sure there are no blind spots in virtual traffic. The second requirement is to ensure visibility into all virtual traffic by deploying solutions specifically engineered for virtual environments, not retrofitted solutions.
When you deploy a security appliance like an IPS inline on the network to watch for cyberattacks, you also introduce a potential point of failure on that segment. The third requirement is to protect your organization from unexpected network outages by deploying a bypass switch in front of any inline appliance. The bypass makes sure the appliance is functioning and automatically passes traffic around the appliance if it’s unavailable. A single bypass can support multiple appliances and redundant devices to enable failover. Some bypasses can automatically detect when an appliance comes back online as well, to restore normal operations as quickly as possible.
- Maintenance without downtime
Some security appliances now have an embedded bypass function, but an external bypass switch can be used to proactively move traffic around an appliance, providing additional flexibility. The fourth requirement is the capability to proactively take inline security appliances offline for maintenance or troubleshooting without impacting network availability. Downtime can be costly and jeopardize customer satisfaction. An external bypass makes it easier for security engineers to update with the latest releases, as they no longer have to request and wait for an approved network maintenance window.
When you use a network packet broker (sometimes referred to as a visibility engine) in your visibility architecture, you have the ability to aggregate traffic from multiple network segments and prepare it to be processed by your network security and performance monitoring tools. This preparation can include simple deduplication of packets appearing on multiple segments, as well as more extensive tasks such as the masking of sensitive data (like social security numbers), stripping away of data that is not needed, or filtering of packets based on flexibly-defined criteria. Some packet brokers do not have the power to perform multiple tasks at fast enough speeds. The fifth requirement is to make sure the visibility engine you choose has the processing power and speed you need. Tools are expensive and you don't want to have to add tool capacity to handle non-core processing tasks that can be done more cost-efficiently by a high-performance network packet broker.
- Non-disruptive scalability
When the time comes to add capacity to a security appliance or network monitoring tool, you want to minimize network disruption and maintain security monitoring while you scale. A network packet broker can use automatic load balancing to spread the workload equally among all available tools in a designated group. The sixth requirement is a capability to automatically detect new tools and allocate traffic without manual intervention or tool downtime.
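The packet-broker preparation steps described under the fifth requirement (deduplication across segments, masking of social security numbers, filtering on caller-defined criteria) and the tool-group load balancing of the sixth requirement, combined into one small pipeline. This is an added illustration written for this page, not any vendor's product code; the `Packet` record, the sample packets and the tool names are constructed.

```python
import hashlib
import re
from collections import namedtuple
# segment = tap or SPAN port the copy was captured on; dport = destination port
Packet = namedtuple("Packet", "segment src dst dport payload")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # sensitive data to mask before tools see it

def packet_key(p):
    # identity of the packet independent of the segment it was seen on
    return hashlib.sha256(f"{p.src}|{p.dst}|{p.dport}|{p.payload}".encode()).hexdigest()

def deduplicate(packets):
    # drop copies of a packet captured on more than one segment
    seen, out = set(), []
    for p in packets:
        k = packet_key(p)
        if k not in seen:
            seen.add(k)
            out.append(p)
    return out

def mask_ssn(p):
    return p._replace(payload=SSN_RE.sub("XXX-XX-XXXX", p.payload))

def pick_tool(p, tools):
    # hash-based load balancing on the flow tuple: a flow always lands on the same tool, so
    # stateful tools see whole conversations; adding a tool changes the modulus and rebalances
    h = int(hashlib.sha256(f"{p.src}|{p.dst}|{p.dport}".encode()).hexdigest(), 16)
    return sorted(tools)[h % len(tools)]

def broker(packets, tools, keep):
    # dedupe -> filter on caller-defined criteria -> mask -> distribute to the tool group
    assignments = {t: [] for t in tools}
    for p in deduplicate(packets):
        if keep(p):
            assignments[pick_tool(p, tools)].append(mask_ssn(p))
    return assignments

# constructed sample: one packet seen on two segments, one payload carrying an SSN
SAMPLE = [
    Packet("core-a", "10.0.0.5", "10.0.1.9", 443, "GET /account ssn=123-45-6789"),
    Packet("core-b", "10.0.0.5", "10.0.1.9", 443, "GET /account ssn=123-45-6789"),
    Packet("core-a", "10.0.0.7", "10.0.1.9", 22, "ssh handshake"),
    Packet("dmz", "10.0.0.8", "10.0.2.3", 80, "GET /health"),
]

def run_sample(tools=("ips-1", "ips-2")):
    # keep only web traffic for the IPS group; SSH is stripped as not needed by these tools
    return broker(SAMPLE, list(tools), keep=lambda p: p.dport in (80, 443))
```

Calling `run_sample(("ips-1", "ips-2", "ips-3"))` shows the rebalancing: the same packets are redistributed over three tools with no change to the pipeline itself.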
The ability to identify traffic by application, user, or geolocation makes it easier to isolate problems and detect suspicious behavior. Early detection can reduce the loss of sensitive data and reduce the cost of breaches. The seventh requirement is to choose a visibility solution with the ability to see deep inside network packets and identify information that can accelerate breach detection, troubleshooting, and problem resolution.
With redundancy of tools, external bypass switches, and network packet brokers, your network security and monitoring architecture can recover from any component failure. But every second it takes to complete the failover adds to your security risk. If you need the fastest possible recovery in your organization, the eighth requirement is to use packet brokers that can be configured in active-active mode with complete synchronization, each carrying no more than half the workload in regular processing. If either NPB stops responding, the workload is automatically shifted to the other with no wait for device activation, achieving near-instant recovery.
Managing your visibility solution isn’t difficult when you have only a few data sources and a couple of tools. But what if you have hundreds of data sources and dozens of tools? Management can quickly become complicated and time-consuming, as well as prone to mistakes and errors that you may not uncover for some time. By then it might be too late. That’s why the ninth requirement is a centralized, graphical, drag-and-drop interface that simplifies configuration and maintenance. With complete granular control of your data, and the ability to create and update filters easily, you can respond quickly as the organization’s needs change.
The number of security alerts can easily overwhelm your staff. Many teams are unable to investigate all the alerts they receive, which defeats the purpose of the alerts. Organizations that specialize in understanding the source of cyber threats are making the information they develop more accessible and actionable by offering solutions that filter out traffic from sources associated with past attacks. This reduces the number of alerts that need to be investigated and helps you focus on newer and emerging threats. The tenth and final requirement is to integrate a threat intelligence solution that eliminates proven threats and lets your staff focus on investigating unknown security alerts.
Consider these requirements as you work to strengthen your network security and monitoring architecture.