Keith Bromley
Sr. Manager, Product Marketing at Ixia

Top Six Ways to Strengthen a Security Architecture

March 20, 2018 by Keith Bromley

Network security is one of the most important topics for IT professionals, if not THE most important. This is true for the security engineer, the CISO, the CIO, and even the CEO.

The question, though, is, “What can you really do to improve it?” The answer is to strengthen your deployment of inline security tools. In terms of regulatory compliance for PCI-DSS and HIPAA, inline security tool deployment may not be critical, but it is imperative for a security architecture where you are trying to maximize your defenses.

Here are six of the top activities IT professionals can implement to improve their company’s inline security architecture:

1.   Insert external bypass switches between the network and security tools to improve network availability and reliability

2.   Deploy threat intelligence gateways at the entrance/exit of your network to reduce false positive security alerts

3.   Offload SSL decryption from existing security devices (like firewalls, WAFs, etc.) to network packet brokers or purpose-built devices to reduce latency and increase the efficiency of your security tools

4.   Perform serial tool chaining for suspect data to improve the data inspection process

5.   Insert network packet brokers to improve security device availability by using either n+1 or high availability technology

6.   Perform superior network security testing and simulation with a purpose-built solution

Bypass switches are typically a good first step toward improving network security and reliability. While direct deployment of inline security tools can create an improved line of defense, these tools can also become single points of failure if they falter. An internal bypass within the security tool can minimize this risk, but it could create another point of service interruption should the device need to be removed at a later date.

An external bypass switch has the benefit of the internal bypass, but it eliminates the pain of direct deployments of inline tools because it provides both automatic and on-demand fail-over capabilities with a barely perceptible impact (milliseconds) to the network. Since the switch always stays in the network, it can be placed into bypass mode whenever required, enabling security and monitoring devices to be added, removed, or upgraded as needed.

Threat intelligence gateways are a good second strategy because they eliminate traffic to/from known bad IP addresses. Even with firewalls, IPSs, and a wide array of security tools in place, businesses still miss clues and suffer major breaches every day. Why? Because the volume of alerts generated puts a huge processing drain on the security team, as well as the infrastructure itself. A threat intelligence gateway automatically helps filter the amount of traffic entering a network that needs to be analyzed. Some enterprises have seen a 30% or more reduction in IPS false positive alerts by removing known bad traffic, enabling network security teams to focus on the remaining potential threats.

While many security tools (firewall, WAF, IPS, etc.) include the ability to decrypt traffic so incoming data can be analyzed for security purposes, decryption also impacts CPU performance and can dramatically slow (up to 80%) a security appliance’s processing capability. This is because the processors in those devices are also performing other tasks, like analyzing data packets for cross-site scripting (XSS), SQL injection, hidden malware, and other security threats. SSL decryption can be a significant burden, reducing the efficiency of security tools, which increases costs if you want network data inspected. Because of the performance hit for data decryption, many security teams turn off this feature on security tools, which creates a potentially serious security risk.

One solution is to use a network packet broker (NPB) to either perform the data decryption itself or offload the function to a separate decryption device. Once the data is decrypted, the NPB can forward that data to one or more security tools for analysis.

Another tactic to consider is serial data chaining, which enhances the inspection of data by using pre-set sequences for data analysis that route suspect data serially to multiple security tools for additional security inspections and resolution. This ensures that actions occur in the proper sequence and are not overlooked. Security and monitoring tools can be linked together via software provisioning within an NPB to control the flow of data through the selected services. This allows you to effectively automate the inspection process to increase alert inspection and follow-up.

The fifth way to strengthen a security architecture is to improve the availability of security devices by inserting an NPB that supports extensive survivability. A good NPB will have two options. The first is commonly referred to as n+1 and is deployed in a load-sharing configuration. This is where you have one additional security appliance in place should one of the primary tools (IPS, WAF, etc.) fail. However, instead of standing by in an idle fashion, the device is actually used in conjunction with the others and shares the normal processing load. If one device fails, the total data load can still be processed by the remaining devices. Once the failed tool is back online, the remaining tools return to a load-sharing configuration.

While this can be accomplished without an NPB, it is often a complicated process with load balancers and other efforts. An NPB has the functionality programmed within it to handle load balancing as well as heartbeat messages to detect when a tool has failed and when it is available, resulting in a cost-effective, self-healing architecture. A more robust, but also more expensive, option is to implement high availability. This is an n+n option where there is a completely redundant set of equipment. Despite the cost, this might be the best option, depending upon business needs.
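The n+1 behavior described above, modeled as an added example (not code from Ixia or from any packet broker product): four constructed 10 Gbps tools carry a 30 Gbps load, and a tool drops out of the pool when its heartbeat goes stale. The 3-second timeout, the tool names, and the `oversubscribed` flag are assumptions made for illustration.

```python
"""n+1 load sharing with heartbeat-based failure detection (illustrative model)."""
from dataclasses import dataclass

HEARTBEAT_TIMEOUT_S = 3.0  # assumed value, chosen only for this example


@dataclass
class Tool:
    name: str
    capacity_gbps: float
    last_heartbeat: float  # time the last heartbeat came back from the tool


def healthy(tools, now, timeout=HEARTBEAT_TIMEOUT_S):
    """A tool stays in the pool only while its heartbeats keep returning."""
    return [t for t in tools if now - t.last_heartbeat <= timeout]


def plan(tools, load_gbps, now):
    """Spread the load over the healthy tools in proportion to capacity."""
    pool = healthy(tools, now)
    capacity = sum(t.capacity_gbps for t in pool)
    shares = {t.name: load_gbps * t.capacity_gbps / capacity for t in pool}
    return {
        "shares": shares,
        "failed": sorted(t.name for t in tools if t not in pool),
        # True when the surviving tools can no longer inspect the full load
        "oversubscribed": capacity < load_gbps,
    }


def demo():
    # Constructed scenario: 30 Gbps needs three 10 Gbps units, so n+1 deploys four.
    tools = [Tool(f"ips{i}", 10.0, last_heartbeat=100.0) for i in range(1, 5)]
    normal = plan(tools, 30.0, now=101.0)       # all four share the load
    tools[0].last_heartbeat = 95.0              # ips1 stops answering heartbeats
    one_down = plan(tools, 30.0, now=101.0)     # the survivors absorb its share
    tools[1].last_heartbeat = 95.0              # a second failure exceeds n+1
    two_down = plan(tools, 30.0, now=101.0)
    tools[0].last_heartbeat = tools[1].last_heartbeat = 101.0  # both recover
    healed = plan(tools, 30.0, now=102.0)       # pool returns to load sharing
    return normal, one_down, two_down, healed


if __name__ == "__main__":
    labels = ("normal", "one down", "two down", "healed")
    for label, result in zip(labels, demo()):
        print(label, result)
```

The two-failure case is where n+1 stops being enough and the n+n option becomes relevant.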

The final thing to consider is to test your security tools in a lab before you deploy them to truly understand how they will perform. Most vendors test their tools in ideal lab situations, not in real-world situations. The proper malware and DDoS simulation solution allows you to create realistic traffic that can put those tools to the test to see how they will actually respond. You can even customize traffic mixes and other parameters to better simulate your environment. After initial deployment into your production network, you can still test the equipment in your lab at a later date to perform “what-if” scenarios and validate new software updates to your security tools. This helps prevent self-inflicted wounds from new updates and software rollouts that may contain a security flaw. You can even run simulations to see how a specific attack works and analyze the attack pattern to better understand how specific threats behave and how to defeat them within your network.

Utilizing these six use cases can significantly improve an inline security architecture, including the reliability of the solution, as well as the ability to detect and prevent/limit security threats. You can also check out the ebook “The Definitive Guide to Visibility Use Cases” and a podcast from Keysight and FireEye to get more tips on how to strengthen your security architecture.