Jeff Harris
Chief Marketing Officer

Which Network Packet Brokers do Hackers Prefer?

January 29, 2016 by Jeff Harris

Most hackers would prefer that you use an ineffective network packet broker to deliver packet data to your security tools. Perhaps one that drops lots of packets while filtering mirrored network traffic before it gets to your critical security tools like intrusion detection systems (IDS). Why do I so rapidly arrive at this conclusion? Let’s look at a simple example.

Let’s say you have an IDS in your network passively monitoring for malicious security events. This intrusion detection system is one of the more powerful tools in your security arsenal for maintaining the security of internal intellectual property, or employees’, partners’ and even customers’ personally identifiable information (PII). Your security team takes great care to follow up diligently on each and every security alert generated, because we’ve learned valuable lessons from companies like Target. Many companies have had clear indications of a breach from their IDS alerts, but failed to investigate all the alerts in a timely fashion.

Also, you know that the more network traffic the IDS inspects, the more effective it becomes at identifying threats. So you place network taps at a variety of critical points in the network to create a strong layered security posture and distinct, isolated security zones in the network.

Eventually as your traffic grows, your IDS solution gets close to reaching its full capacity. Your team knows that one popular solution to improve the efficiency of security tools is to use a network packet broker to aggregate all mirrored traffic from the network taps, and use the filtering and deduplication capabilities to minimize the traffic that the IDS products need to inspect. That’s great! No sense inspecting the same packets multiple times.

Network packet brokers can indeed greatly improve the overall efficiency of monitoring and security tools.

But what if the filtering and deduplication of mirrored packet data doesn’t work right?

It could completely undermine your security monitoring.

And how would you even know?

Let’s look at a simple example. Assume we tap two network segments and send the mirrored traffic from both to an IDS for inspection. In this example, each network tap sends exactly 10,000 packets of traffic to the IDS. The IDS then receives two perfectly identical flows of 10,000 packets. As a result, the IDS has to inspect all 20,000 packets! But, if we send the two perfectly identical flows of 10,000 packets each through a network packet broker with deduplication enabled, the network packet broker delivers only the original 10,000 packets to the IDS for inspection. This frees up capacity on the IDS and allows this costly solution to perform more efficiently.

But what if your network packet broker received the two perfectly identical packet flows of 10,000 packets and sent only 2,400 packets out to your IDS after deduplication? Something obviously went wrong, but what? You lost 7,600 packets of the original traffic! Your IDS is now blind to a huge amount of traffic passing through your network, which gives hackers the perfect opportunity to sneak into your network.

The old adage is certainly true in this case: “You Can’t Secure What You Can’t See.”

Keep in mind that network packet brokers are still the most intelligent and effective way of gaining visibility across network environments, ensuring that security and performance monitoring tools have efficient access to 100% of enterprise information – providing that they do not drop data while aggregating packets.

So which network packet broker do hackers prefer? One that delivers all the appropriate packets to security tools, or one that drops packets while performing deduplication and filtering operations? Don’t give the hackers an open door. When looking to implement a new network packet broker, be sure to ask serious questions about its effectiveness, such as:

  • How does your solution trim data packets and eliminate duplicate ones?
  • How does it carry out these functions without introducing any additional packet loss?
  • How does it perform under varying network loads?

Don’t rely on vendor claims and data sheets; be sure to test the solutions using known loads prior to making a purchase decision. Here’s a Tolly Test Report demonstrating how they recently tested the deduplication function of two competitive network packet brokers, with wildly different results. Or ask your vendor to prove the proper operation of their network packet broker during evaluations.
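The following is an added example, not code from the original post or from Ixia: it models the deduplication step described in the two-tap example above (two identical 10,000-packet feeds in, 10,000 packets out) and the kind of known-load acceptance check this paragraph recommends. Every packet is constructed in the script, the functions (`make_flow`, `mirror`, `deduplicate`, `acceptance_check`, `run_known_load`) are hypothetical names, and the hash-over-the-whole-packet, bounded-window deduplication is a simplifying assumption rather than any vendor's algorithm.

```python
"""Added example (not from the original post or Ixia): a minimal model of
broker deduplication plus a known-load acceptance check for it."""
import hashlib
from collections import deque


def make_flow(n, seed=b"segment-A"):
    """Constructed traffic: n distinct packets whose payload carries a counter."""
    return [seed + b":" + str(i).encode() for i in range(n)]


def mirror(flow_a, flow_b):
    """Interleave the two tap feeds, since both copies of a packet reach the
    broker within a very short time of each other."""
    out = []
    for pa, pb in zip(flow_a, flow_b):
        out.append(pa)
        out.append(pb)
    return out


def deduplicate(packets, window=1024):
    """Forward every packet except exact duplicates seen within the last
    `window` packets. Assumption: duplicates are detected by hashing the
    entire packet; a real broker's matching rules are vendor-specific."""
    recent = deque()   # hashes in arrival order, oldest first
    seen = set()       # hashes currently inside the window
    out = []
    for pkt in packets:
        h = hashlib.sha256(pkt).digest()
        if h in seen:
            continue   # second copy from the other tap: suppress it
        out.append(pkt)
        recent.append(h)
        seen.add(h)
        if len(recent) > window:
            seen.discard(recent.popleft())
    return out


def acceptance_check(delivered, expected):
    """Known-load test: the broker must deliver each distinct packet exactly
    once. Compare content, not only counts, so a broker that drops some
    packets while letting some duplicates through cannot pass on totals."""
    exp, got = set(expected), set(delivered)
    return {
        "expected": len(exp),
        "delivered": len(delivered),
        "lost": len(exp - got),                    # packets the IDS never sees
        "duplicates_passed": len(delivered) - len(got),
        "passed": exp == got and len(delivered) == len(exp),
    }


def run_known_load(n=10000):
    """Replay the post's scenario: two identical n-packet feeds through the
    broker model, then verify exactly n distinct packets come out."""
    flow = make_flow(n)
    mirrored = mirror(flow, list(flow))   # 2n packets in
    delivered = deduplicate(mirrored)
    return acceptance_check(delivered, flow)


if __name__ == "__main__":
    print(run_known_load())
    # The post's failure case: only 2,400 of the 10,000 originals forwarded.
    print(acceptance_check(make_flow(10000)[:2400], make_flow(10000)))
```

Run against the working model the check reports 10,000 delivered and 0 lost; fed the post's failure case it reports 7,600 lost and fails, which is the result an evaluation should surface before the broker sits in front of an IDS. The content comparison matters: a count-only check would also pass a broker that drops 100 originals and forwards 100 duplicates.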

Clarity on these issues will help to guarantee the selection of a truly efficient solution: one that ensures network blind spots are eliminated, and potential threats can be seen – and secured.

More information about Ixia network packet brokers is available from Ixia.