Preventing Blind Spots


Network Visibility Is Critical for Today’s Networks

It doesn’t matter how much you have spent on your network security, performance, and analytics tools: they are only as good as the data they see. Cloud, edge, SD-WAN, and virtualization may make it easier to increase agility and reduce costs, but they also make it harder for your tools to get the traffic they need. 

Your network, applications, and data have never been more critical to your bottom line. However, between blind spots and the risk of dropped packets, they have never been so challenging to manage and protect. 

When it comes to your network monitoring tools, you need to see the whole picture — not just a fraction of it. Otherwise, you risk potentially disastrous consequences such as: 

  • overlooking evidence of network compromise
  • running up costs because of unexpected network outages
  • exposing your organization to legal issues as the result of a data breach
  • delaying time to market with lengthy network troubleshooting
  • decreasing competitive advantage due to latency and poor user experience 

That’s why it’s important you deploy the right network visibility tools. By sending the right data to the right tools at the right time, you can be confident your network and security operations teams never miss a thing. 

Sounds easy enough, right? However, there are 3 things to remember when you choose a tool to help you do it:

1. Monitoring Equipment Performance Affects Network Visibility 

A high-performing network demands an equally capable monitoring solution. That means the ability to process traffic at line rate, so that the monitoring path itself never drops packets, loses data, or creates blind spots. Otherwise your tools will show spurious latency indicators and performance degradation that originate in the monitoring path rather than the network, and chasing them is costly. 

This performance level is becoming increasingly crucial as core network speeds move upwards of 400 GE and 800 GE. So, naturally, you need a monitoring solution that can natively support these speeds and the volume of traffic that comes with them. 

Unfortunately, some tools just aren’t up to the task. Some network packet brokers (NPBs) cannot sustain line rate when multiple features are active at once, such as deduplication plus Cisco NetFlow generation or SSL/TLS decryption within a single module. 

However, superior solutions exist that give you complete visibility without compromise. For instance, NPBs built on a non-blocking architecture, typically implemented with field-programmable gate array (FPGA) hardware acceleration, are purpose-built to run multiple filters and functions simultaneously while still sustaining line rate. These NPBs remove the need for risky performance trade-offs when you use core functions such as deduplication, packet slicing, and protocol header stripping.

2. Missing Data Jeopardizes Network Security 

The only thing worse than missing data is not knowing that it’s missing in the first place. And while most network architects will agree it is essential their monitoring tools receive all the packets they need, far fewer are confident that their tools are receiving all that data. 

Missing data is bad enough, but failure to report the loss is unacceptable. This is an especially critical concern for security teams, because so many breaches go undetected as it is. Add blind spots or dropped packets, and your security tools can easily raise false positives or miss the real indicators of a breach (false negatives). 

For example, many security tools require “session stickiness” (every packet of a session delivered to the same tool instance, in order) so they can reconstruct the session state they need to evaluate risk and analyze potential threats. 

However, there are more pieces to the puzzle, and without all the appropriate data, two outcomes are likely, both of them undesirable:

  • Specific tools, such as intrusion prevention systems (IPS) and other inline security analysis tools, do not receive the packets they need to close a session (for example, a dropped FIN or RST). If too many sessions remain open, the tool’s session table fills and it can no longer track new sessions. Some of these tools then shift from an “inline blocking mode” to an “out-of-band detection mode”: they raise a trouble alert but stop tracking additional sessions, allowing potentially dangerous traffic to pass downstream without inspection. This is a fail-open condition, and the tool will not tell you about it unless you monitor its session-table utilization and mode counters.
  • Other security tools, such as web application firewalls (WAF), ignore data when sessions do not end. They let the traffic, which could contain malware or other threats, pass through without warning. 
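The session-table exhaustion described above is easy to reproduce. The following is an added example, not code from the original article or from any Keysight product: a deliberately simplified inline inspector with a fixed-size session table, fed a constructed packet stream once with all session-close packets present and once with the closes dropped (as an NPB that cannot keep up would drop them). The packet format, flow tuples and capacity are all assumptions chosen for illustration.

```python
"""Simulate how dropped session-close packets exhaust a stateful inline
inspector's session table and force it to fail open.

Added example for illustration; the inspector, its capacity and the
packet stream are all constructed, not taken from any real device."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    flow: tuple        # (src, sport, dst, dport); constructed, not real traffic
    flags: str         # "S" = open (SYN), "F" = close (FIN), "" = data
    payload: bytes = b""


@dataclass
class InlineInspector:
    """Stateful inline tool with a bounded session table.

    When the table is full and a packet for an unknown flow arrives, the
    inspector mirrors the "inline blocking" to "out-of-band detection"
    shift: it forwards the packet uninspected and records the bypass."""
    capacity: int
    sessions: set = field(default_factory=set)
    inspected: int = 0
    bypassed: int = 0
    mode: str = "inline"

    def process(self, pkt: Packet) -> bool:
        """Return True if the packet was inspected, False if it bypassed."""
        known = pkt.flow in self.sessions
        if not known and len(self.sessions) >= self.capacity:
            self.mode = "detect-only"      # fail open: alert only, no blocking
            self.bypassed += 1
            return False
        self.sessions.add(pkt.flow)
        self.inspected += 1
        if "F" in pkt.flags:
            self.sessions.discard(pkt.flow)  # a seen close frees the slot
        return True


def make_stream(n_flows: int) -> list:
    """Constructed stream: each flow is SYN, one data packet, FIN, in order."""
    stream = []
    for i in range(n_flows):
        flow = ("10.0.0.%d" % (i + 1), 40000 + i, "192.0.2.10", 443)
        stream += [
            Packet(flow, "S"),
            Packet(flow, "", b"GET / HTTP/1.1\r\n"),
            Packet(flow, "F"),
        ]
    return stream


def drop_closes(stream: list) -> list:
    """Model a monitoring path that loses every session-close packet."""
    return [p for p in stream if "F" not in p.flags]


def run(stream: list, capacity: int) -> tuple:
    """Feed a stream through an inspector; return (inspected, bypassed, mode)."""
    insp = InlineInspector(capacity)
    for p in stream:
        insp.process(p)
    return insp.inspected, insp.bypassed, insp.mode


if __name__ == "__main__":
    print("all closes seen:   ", run(make_stream(10), capacity=4))
    print("closes dropped:    ", run(drop_closes(make_stream(10)), capacity=4))
```

With every close delivered, ten sequential sessions never occupy more than one slot and all 30 packets are inspected. Drop the closes and the first four sessions pin the table; every packet of the remaining six sessions is forwarded uninspected while the tool sits in detect-only mode, which is precisely the outcome a loss-reporting NPB would have let you catch.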

In addition, missing data can help attackers cover their tracks. During a distributed denial-of-service (DDoS) attack, for instance, the targeted network equipment can be overloaded, and the security tools and monitoring equipment behind it can be overloaded along with it. The expectation is that the NPB keeps forwarding all traffic to the security tools. If instead it starts dropping packets, the loss can hide the attacker’s reconnaissance as they probe the network for weaknesses under cover of the flood. 

3. Complete Visibility Enables Faster Troubleshooting 

A complete copy of your monitoring traffic isn’t just better for security. It also lets you perform root cause analysis faster. The converse is also true: with dropped packets, you do not know what data is missing without extensive evaluation, which leads to longer troubleshooting cycles, ongoing network issues, poor quality of experience, and lower customer satisfaction ratings. 

Prolonged troubleshooting isn’t the only concern for IT, however. Packets dropped in the monitoring path (by a tap, an NPB, or an overloaded tool) look exactly like packets dropped by the production network when viewed from the tool, generating false-positive results. In such circumstances, IT administrators or a network operations center (NOC) may go through lengthy troubleshooting workflows only to conclude, wrongly, that the network is dropping packets. 

This is problematic for 2 reasons:

  • The team charged with solving the problem declares their investigation a success without having identified anything actually going wrong on the network. 
  • The organization spends considerable time, effort, and money trying to fix the packet loss because they have assumed it is a network issue. For example, an initial remedial action might be to increase the bandwidth of the observed link. After a certain amount of time and effort, they discover that this did not solve anything. The incorrect conclusion has turned a single problem into two: the initial problem is still unsolved, and mean time to repair (MTTR) metrics are going in the wrong direction. 
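The way out of that trap is to compare what the tap saw with what the tool received, rather than reasoning from the tool side alone. The following is an added example, not from the original article or any vendor tool: a minimal pcap reader and writer plus a diff that counts which frames present in the tap-side capture never reached the tool-side capture. The two constructed scenarios are the ones the text contrasts: a frame lost inside the monitoring path, and a frame lost on the network before the tap. File contents, frame payloads and link type are assumptions.

```python
"""Localize packet loss by diffing a tap-side capture against a tool-side
capture. Added example; the captures are constructed in memory.

Rule: a frame in the tap capture but not the tool capture was lost in the
monitoring path (NPB, aggregation, or tool ingress). A gap that appears in
BOTH captures was already missing on the wire, i.e. network loss."""
import hashlib
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4   # little-endian, microsecond-resolution pcap
DLT_USER0 = 147           # link type for arbitrary (non-Ethernet) payloads


def write_pcap(frames, snaplen=65535) -> bytes:
    """Serialize raw frames into a classic pcap file (in memory)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, DLT_USER0)]
    for i, frame in enumerate(frames):
        # ts_sec, ts_usec, incl_len, orig_len; timestamps are constructed
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data: bytes) -> list:
    """Parse a classic little-endian pcap file into a list of frame bytes."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    frames, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


def diff_captures(tap_pcap: bytes, tool_pcap: bytes) -> dict:
    """Count frames by content digest on both sides and attribute the loss.

    Counter arithmetic keeps duplicates distinct, so a frame seen twice at
    the tap (e.g. from two SPAN ports) and once at a deduplicating NPB shows
    up as one 'monitoring_drop', which is expected and should be checked
    against the NPB's own dedup counters."""
    tap = Counter(hashlib.sha256(f).digest() for f in read_pcap(tap_pcap))
    tool = Counter(hashlib.sha256(f).digest() for f in read_pcap(tool_pcap))
    return {
        "tap": sum(tap.values()),
        "tool": sum(tool.values()),
        "delivered": sum((tap & tool).values()),
        "monitoring_drops": sum((tap - tool).values()),   # seen at tap, not at tool
        "unexpected_in_tool": sum((tool - tap).values()), # tool saw what tap didn't
    }


def demo_monitoring_loss() -> dict:
    """Constructed: the wire carried seq 1..6, the NPB dropped seq=3."""
    frames = [b"flow-a seq=%d" % n for n in range(1, 7)]
    tap = write_pcap(frames)
    tool = write_pcap(frames[:2] + frames[3:])
    return diff_captures(tap, tool)


def demo_network_loss() -> dict:
    """Constructed: seq=3 never reached the tap, so both captures lack it."""
    on_wire = [b"flow-a seq=%d" % n for n in (1, 2, 4, 5, 6)]
    return diff_captures(write_pcap(on_wire), write_pcap(on_wire))


if __name__ == "__main__":
    print("monitoring-path loss:", demo_monitoring_loss())
    print("network loss:        ", demo_network_loss())
```

In the first scenario the tool sees a sequence gap and the diff reports one monitoring-path drop, so the network is innocent and the NPB or tool is the thing to fix. In the second the tool sees the very same gap, but the diff reports zero monitoring-path drops: the loss is real network loss and the link is the right thing to investigate. Note that whole-frame hashing only works when the NPB forwards frames unmodified; if timestamping, header stripping, slicing or masking is enabled, key on an invariant such as the IP ID and TCP sequence number instead.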

Delivering Lossless Visibility 

There are several ways to prevent the loss of monitoring data on your network. 

First, validate existing and future NPB solutions with a traffic generator at wire speed with filters and features turned on. Be sure the product can run all the features you need together, at full line rate, and compare the generator’s transmitted count with the count received at the tool ports; any difference is loss, whether or not the NPB reports it. 

Secondly, consider solutions that use a non-blocking architecture at minimum, and FPGA hardware acceleration where possible. It is important to be able to run all those advanced NPB features at line rate. FPGAs are reconfigurable logic devices, not general-purpose microprocessors: the packet-processing pipeline is implemented directly in hardware rather than as software running on a CPU. That gives them a considerable performance advantage over CPUs for per-packet feature processing such as packet deduplication, protocol header stripping, packet trimming, data masking, and time stamping. 

Finally, make sure your monitoring solution has a GUI that is easy to use. Point-and-click GUIs are intuitive and offer drag-and-drop configuration. Command line interfaces (CLI) offer flexibility, but they are also error-prone: a single mistyped line can introduce performance, security, and troubleshooting errors. An intuitive drag-and-drop GUI reduces this common error source. Whichever interface you use, keep the NPB configuration under version control and review filter changes before they go live, because a filter that silently excludes traffic is a blind spot too.

Network visibility tools are not created equal. Technology continues evolving, and network and security requirements will only grow more stringent. Clearly, your network, users, and security are too important to leave to chance. Don’t settle for compromised visibility, vulnerable blind spots, or anything less than the full picture. 

If you’re interested in learning more, see Keysight’s full line of network visibility products — with a wide array of lossless network packet brokers, visibility intelligence, bypass switches, taps, virtualized solutions, and more.

For more information, visit https://www.keysight.com and https://www.keysight.com/us/en/products/network-visibility.html. Follow us on Twitter @Keysight.


About Author

Mike Hodge is a Product Marketer at Keysight. He spent the last decade mastering the art of high-tech storytelling, using his technical background to convert complex concepts into compelling content that inspires audiences and incites action.
