Keith Bromley, Senior Solutions Marketing Manager, Ixia discusses the importance of having a strong security architecture. He talks about the strategy a CISO or CIO will need to deploy to keep the IT infrastructure completely protected.
Improving The Security Architecture
Network security is one of, if not THE, most important topic for IT professionals. This is true for the security engineer, the CISO, CIO, and even the CEO. The question is, “What can you really do to improve it?” The answer is to strengthen your deployment of inline security tools. In terms of regulatory compliance for PCI-DSS and HIPAA, inline security tool deployment may not be critical, but it is imperative for a security architecture where you are trying to maximize your defences.
Here are five of the top activities IT professionals can implement to improve their company’s inline security architecture:
- Insert external bypass switches between the network and security tools to improve network availability and reliability
- Deploy threat intelligence gateways at the entrance/exit of your network to reduce false positive security alerts
- Offload SSL decryption from existing security devices (like firewalls, WAFs, etc.) to network packet brokers or purpose-built devices to reduce latency and increase the efficiency of your security tools
- Perform serial tool chaining for suspect data to improve the data inspection process
- Insert network packet brokers to improve security device availability by using either n+1 or high availability technology
Beginning The Process
Bypass switches are typically the first good starting point to improving network security and reliability. While direct deployment of inline security tools can create an improved line of defence, these tools can also result in single points of failure, if they falter. An internal bypass within the security tool can minimize this risk but it could create another point of service interruption, should the device need to be removed at a later date.
An external bypass switch has the benefit of the internal bypass but it eliminates the pain of direct deployments of inline tools because it provides both automatic and on-demand fail-over capabilities with a barely perceptible impact (milliseconds) to the network. Since the switch always stays in the network, it can be placed into bypass mode as needed enabling security and monitoring devices to be added, removed, or upgraded as needed.
Look Into Threat Intelligence Gateways
Threat intelligence gateways are a good second strategy because they eliminate traffic to/from known bad IP addresses. Even with firewalls, IPSs, and a wide array of security tools in place, businesses still miss clues and suffer major breaches every day. Why? Because the volume of alerts generated puts a huge processing drain on the security team, as well as the infrastructure itself. A threat intelligence gateway automatically helps filter the amount of traffic entering a network that needs to be analyzed. Some enterprises have seen a 30% or more reduction in IPS false positive alerts by removing known bad traffic, enabling network security teams to focus on the remaining potential threats.
While many security tools (firewall, WAF, IPS, etc.) include the ability to decrypt traffic so incoming data can be analyzed for security purposes, they also impact CPU performance and can dramatically slow (up to 80%) a security appliance’s processing capability. This is because the processors for those devices are performing other tasks like analyzing data packets for security threats, such as cross-site scripting (XSS), SQL injection, hidden malware, and security threats. SSL decryption can be a significant burden, reducing the efficiency of security tools, which increases costs if you want network data inspected. Because of the performance hit for data decryption, many security teams turn off this feature on security tools, which creates a potentially serious security risk.
Network Packet Broker For Decryption
One solution is to use a network packet broker (NPB) to either perform the data decryption itself or offload the function to a separate decryption device. Once the data is decrypted, the NPB can forward that data to one or more security tool for analysis.
Another tactic to consider is serial data chaining, which enhances the inspection of data by using pre-set sequences for data analysis that route suspect data serially to multiple security tools for additional security inspections and resolution. This ensures that actions occur in the proper sequence and are not overlooked. Security and monitoring tools can be linked together via software provisioning within an NPB to control the flow of data through the selected services. This allows you to effectively automate the inspection process to increase alert inspection and follow up.
Another way to strengthen a security architecture is to improve the availability of security devices by inserting an NPB that supports extensive survivability. A good NPB will have two options. The first is commonly referred to as n+1 and deployed in a load sharing configuration. This is where you have one additional security appliance in place should one of the primary tools (IPS, WAF, etc.) fail. However, instead of standing by in an idle fashion, the device is actually used in conjunction with the others and shares the normal processing load. If one device fails, the total data load can still be processed by the remaining devices. Once the failed tool is back online, the remaining tools return to a load sharing configuration.
While this can be accomplished without an NPB, it is often a complicated process with load balancers and other efforts. An NPB has the functionality programmed within it to handle load balancing as well as heartbeat messages to detect when a tool has failed and when it is available, resulting in a cost effective self-healing architecture. A more robust, but also more expensive option, is to implement high availability. This is an n+n option where there is a completely redundant set of equipment. Despite the cost, this might be the best option, depending upon business needs.
Utilizing these five use cases can significantly improve an inline security architecture, including the reliability of the solution, as well as the ability to actually detect and prevent/limit security threats.