Insurance is a way of life, right? We insure our lives, our cars, our homes, and even mundane things like our cell phones. In short, we insure those things that are dear to us and that we cannot do without. So how about your network? If you’re a network engineer the network is pretty dear to you, and your company certainly cannot do without it, so it seems like a good candidate for insurance too. But what kind of insurance do you need? What is it that you need to protect most about your network?
Last year was labelled the “Year of the Hack,” by IT security professionals, with an onslaught of breaches that were financially and politically motivated. This year seems to be following in those same footsteps, with the latest mega-breach of Global Payments in April 2012 with 1.5 million accounts compromised. And on the political front, just do a Google search on cyber crime and see how worried everyone is about cyber criminals targeting the Summer Olympics in London.
Current protections are not enough. Although current security systems certainly protect against a significant number of attacks, they obviously don’t protect against all attacks. So let’s buy some insurance!
Intrusion Detection and Prevention Systems (IDS/IPS) Are Not Enough!
One of the most prevalent technologies in use today to protect networks from cyber attacks is an IDS/IPS. An IDS is an appliance or software application that monitors networks and/or systems for malicious activity or policy violations. If it detects something anomalous, it raises alarms and alerts, or reports to a third-party management system. An IDS identifies suspected intrusions using signature-based detection, statistical anomaly detection, and/or stateful protocol analysis. The IDS is a passive system: it watches traffic as it traverses the network, but by itself it cannot stop the intrusion.
The IPS is the active part of the solution. It either works alongside an IDS or has IDS capabilities embedded. An IPS is connected in line with the network and actively prevents intrusions by dropping the malicious packets, resetting the connection and/or blocking further traffic from the offending IP address.
In order for an IDS/IPS to be effective, it must have some idea of the attack signature before it can defend against it. Fortunately most systems come pre-configured with comprehensive intrusion definitions (like anti-virus definitions) that are updated frequently by the manufacturer. But traffic is different on every network, so to limit false positives an IDS needs frequent tuning to your particular network characteristics. And remember that even with all these definitions and ongoing tuning, breaches still occur. Over 90% of the respondents to the Ponemon Institute’s Survey of IT and IT Security Practitioners (June 2011) reported at least one breach in the past year, with just about 70% reporting 2 or more attacks within the same period.
Although an IDS/IPS might be an integral part of your security strategy, it should not be the whole security strategy. Networks remain especially vulnerable to new forms of attack, like zero-day attacks, since it is impossible to have a signature for an attack that hasn’t been seen yet. In addition, these tools identify on the order of 120K malware incidents per day, while 5 – 20 new malware strains are missed every day. With all these new threats, not to mention highly targeted Advanced Persistent Threats, an IDS/IPS is simply incapable of protecting your network 100% of the time.
Network Forensics – Your Network Insurance Policy
Network Forensics is a relatively new area in network monitoring. The basic idea is to constantly record all network traffic, at the packet level, and store this information for detailed, near-real-time analysis. It’s very similar to the feature in your DVR where there’s always 30 minutes of recorded data for the last channel the box was set to. Network Forensics appliances, often called Network Recorders, have two unique characteristics – the ability to capture network data at very high rates (often greater than 10Gbps) and as much storage as possible. A single appliance is typically capable of monitoring a full 10G backbone, so a little can go a long way.
The primary benefit of a Network Forensics solution is that you always have a recording of what has transpired on the network. This has many uses, with security and compliance (whether PCI, SOX, HIPAA, human resources, etc.) being two of the most common. No one wants to see their network breached, but the odds are definitely not in your favor. A hacker may elude your firewall and your IDS/IPS solution, but your Network Forensics solution will record the entire incident. You can then “rewind” your network and see the who, what, when, where and why of the attack, almost as it is happening. That allows you to minimize the damage, equips you with the information you need to report and manage the attack, and gives you what you need to tune your IDS/IPS so the same attack is prevented in the future.
When employed on a 10G network, a Network Forensics solution will be asked to store a tremendous amount of data very quickly. Here are some rules of thumb for determining how much network history can be stored.
- @1Gbps steady-state traffic (assuming no storage overhead): 2.9 days in a 32TB appliance
- @10Gbps steady-state traffic (assuming no storage overhead): 7.0 hours in a 32TB appliance
To assist in storage, many solutions also provide connectivity to external storage solutions, like NAS or SAN, which can significantly increase the amount of network history that can be stored. Remember, the goal of a Network Forensics solution is to rewind recent network history, not save a complete archive of each and every network packet forever. Typically 2 – 3 days of storage is sufficient, since most issues that need detailed analysis will come to your attention within that time frame.
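The rules of thumb above are just link rate converted to bytes and divided into capacity. As an added example (not code from the original article or from WildPackets), the Python calculator below reproduces those figures and also models the storage overhead they leave out: the 16-byte per-packet record header of the standard libpcap file format, which costs the most when the link is carrying minimum-size frames. The link rates, appliance capacity and average packet sizes used are assumptions for the demonstration.

```python
# Added example: capture-retention calculator for a network recorder.
# Not code from the original article or from WildPackets. The link rates,
# capacity and average packet sizes used below are constructed assumptions.
from typing import Optional

PCAP_RECORD_HEADER_BYTES = 16   # libpcap per-packet header: ts_sec, ts_usec, incl_len, orig_len


def bytes_per_second(link_rate_bps: float,
                     avg_packet_bytes: Optional[float] = None) -> float:
    """Bytes written to disk per second on a fully utilised link.

    With avg_packet_bytes=None this is the article's "no storage overhead"
    rule of thumb: the wire rate in bytes. Given an average packet size it
    adds the per-packet record header, which is the dominant file-format
    overhead and is worst for small packets.
    """
    wire_bytes = link_rate_bps / 8.0
    if avg_packet_bytes is None:
        return wire_bytes
    packets_per_second = wire_bytes / avg_packet_bytes
    return wire_bytes + packets_per_second * PCAP_RECORD_HEADER_BYTES


def retention_seconds(link_rate_bps: float, capacity_bytes: float,
                      avg_packet_bytes: Optional[float] = None) -> float:
    """How far back a recorder with capacity_bytes of storage can rewind
    before its ring buffer starts overwriting, at steady-state link_rate_bps."""
    return capacity_bytes / bytes_per_second(link_rate_bps, avg_packet_bytes)


def capture_size_bytes(link_rate_bps: float, seconds: float,
                       avg_packet_bytes: Optional[float] = None) -> float:
    """Bytes of capture produced by `seconds` of traffic at link_rate_bps."""
    return bytes_per_second(link_rate_bps, avg_packet_bytes) * seconds


def fmt_duration(seconds: float) -> str:
    """Human-readable duration for the report below."""
    if seconds >= 86400:
        return f"{seconds / 86400:.1f} days"
    if seconds >= 3600:
        return f"{seconds / 3600:.1f} hours"
    return f"{seconds / 60:.1f} minutes"


if __name__ == "__main__":
    CAPACITY = 32e12          # 32 TB appliance (decimal terabytes)
    for rate in (1e9, 10e9):
        print(f"{rate / 1e9:>4.0f} Gbps, no overhead:      "
              f"{fmt_duration(retention_seconds(rate, CAPACITY))}")
        # Assumed average packet sizes: 64-byte (worst case) and 800-byte mixes.
        for avg in (64, 800):
            print(f"{rate / 1e9:>4.0f} Gbps, {avg:>3d}-byte packets: "
                  f"{fmt_duration(retention_seconds(rate, CAPACITY, avg))}")
    gb = capture_size_bytes(10e9, 60) / 1e9
    print(f"One minute at 10 Gbps is {gb:.0f} GB of packet data before overhead")
```

The no-overhead rows match the article's 2.9 days and 7.0 hours; the 64-byte rows show why you should plan capacity from your own packet-size distribution rather than the headline figure, because a flood of minimum-size packets (a DDoS or a port scan, for instance) shortens the rewind window by roughly a quarter on the same disk.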
In addition to storage, real-time display of captured data and an easy-to-use UI for performing forensics analysis are critical elements of any Network Forensics solution. Look for a solution that shows as much live data as possible, as this may help you identify problems as they’re happening. Some systems even support real-time VoIP reporting, which is very useful if the system is also being used to monitor and troubleshoot overall network performance. Performing a forensics analysis is the basic reason for having the solution in place to begin with, so make sure your solution of choice is very easy to use and can easily target very specific data sets. Keep in mind that one minute of stored data at 10Gbps is about 75GB of packet data (10Gbps × 60 seconds, before any capture overhead), so you definitely need to filter that data down, by time window, host, protocol or conversation, before performing any useful analysis.
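To make the “rewind” and the filtering step concrete, here is an added example in Python that is not from the original article or from any WildPackets product. It writes a small capture in the standard libpcap file format from constructed Ethernet/IPv4 frames, then pulls out only the packets within a chosen time window that involve a suspect address, which is exactly the narrowing you would do before looking at an incident in detail. The timestamps, addresses and payloads are constructed for the demonstration; the pcap layout (24-byte global header, 16-byte per-record header) is the real one.

```python
# Added example: rewind a libpcap-format capture to a time window and a host.
# Not code from the original article or from any WildPackets product. The
# sample capture, addresses, timestamps and payloads are constructed here.
import socket
import struct
from typing import Iterator, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4        # microsecond-resolution pcap, native byte order
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PCAP_GLOBAL_HDR = "<IHHiIII"   # magic, major, minor, tz, sigfigs, snaplen, linktype
PCAP_RECORD_HDR = "<IIII"      # ts_sec, ts_usec, incl_len, orig_len (16 bytes)


def ipv4_frame(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4 frame (IP checksum left zero; fine for a demo)."""
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload


def build_pcap(packets: List[Tuple[float, bytes]]) -> bytes:
    """Serialise (timestamp, frame) pairs into a libpcap file image."""
    out = [struct.pack(PCAP_GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack(PCAP_RECORD_HDR, sec, usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_pcap(data: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp, frame) from a pcap image, one record at a time."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a native-order microsecond pcap")
    off = struct.calcsize(PCAP_GLOBAL_HDR)
    rec = struct.calcsize(PCAP_RECORD_HDR)
    while off + rec <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(PCAP_RECORD_HDR, data, off)
        off += rec
        yield sec + usec / 1_000_000, data[off:off + incl_len]
        off += incl_len


def rewind(data: bytes, start: float, end: float,
           host: str) -> List[Tuple[float, str, str, int, int]]:
    """Return (ts, src, dst, proto, frame_bytes) for IPv4 packets inside
    [start, end] whose source or destination is `host`."""
    hits = []
    for ts, frame in iter_pcap(data):
        if not start <= ts <= end:
            continue                        # outside the window being rewound
        if len(frame) < 34:
            continue                        # too short for Ethernet + IPv4 header
        (ethertype,) = struct.unpack_from("!H", frame, 12)
        if ethertype != ETHERTYPE_IPV4:
            continue                        # ARP, IPv6, etc. are not matched here
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        if host not in (src, dst):
            continue
        hits.append((ts, src, dst, frame[23], len(frame)))
    return hits


# Constructed sample: a workstation talks to a suspect external host during an
# incident window; the rest is background noise. T0 is 2012-05-01 00:00:00 UTC.
T0 = 1_335_830_400
SAMPLE_PCAP = build_pcap([
    (T0 + 10,   ipv4_frame("10.0.0.5", "192.0.2.10", 6, b"normal web traffic")),
    (T0 + 90.5, ipv4_frame("10.0.0.5", "203.0.113.7", 6, b"GET /stage2.bin")),
    (T0 + 120,  ipv4_frame("203.0.113.7", "10.0.0.5", 6, b"HTTP/1.1 200 OK")),
    (T0 + 130,  ipv4_frame("10.0.0.9", "192.0.2.10", 17, b"dns query")),
    (T0 + 200,  ipv4_frame("10.0.0.5", "203.0.113.7", 6, b"after the window")),
])

if __name__ == "__main__":
    # Rewind to minutes 1-3 of the incident and keep only the suspect host's packets.
    for ts, src, dst, proto, size in rewind(SAMPLE_PCAP, T0 + 60, T0 + 180, "203.0.113.7"):
        print(f"+{ts - T0:6.1f}s  {src:>12} -> {dst:<12} proto={proto} {size} bytes")
```

On a real recorder the same narrowing (time window first, then host or conversation) is what keeps a query over tens of gigabytes per minute tractable; the order matters, because the timestamp index lets the appliance skip whole stretches of disk before it has to look at a single packet header.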
Network Forensics is network integrity insurance. As with most insurance policies, you hope you don’t need to use it. But unlike traditional insurance, you don’t need to wait for a catastrophic event to use your Network Forensics insurance policy. You can use it daily to rewind network data for all types of analysis, from overall network and application performance to transaction verification and policy compliance, making it one of the most useful insurance policies you’ll ever purchase.
Author Profile - Jay Botelho is the Director of Product Management at WildPackets, Inc., a leading network analysis solutions provider for networks of all sizes and topologies. Jay holds an MSEE, and is an industry veteran with over 25 years of experience in product management, product marketing, program management and complex analysis. From the first mobile computers developed by GRiD Systems to modern day network infrastructure systems, Jay has been instrumental in setting corporate direction, specifying requirements for industry-leading hardware and software products, and growing product sales through targeted product marketing.