Deploying an Inline Security Architecture: Key Considerations

Introduction

The key to successful inline security monitoring is to enable traffic inspection and detection without impacting network and application availability. If one of your security tools becomes congested or fails, you need to keep traffic moving, continue monitoring, and prevent a network or application outage. Some organisations deploy their inline security appliances behind the firewall in a serial configuration. With this design, if an appliance becomes congested or fails, traffic stops. Redundant network paths can help avoid this, but they require twice the number of tools. Ensuring both paths can handle the full volume of traffic is expensive and leaves tools on the inactive path under- utilised during normal operations.

To address these issues, many organisations are deploying an underlying security architecture that can ensure failsafe operation of key security appliances and solutions, and also help these solutions operate more efficiently. We can look at key functions of a high-performing security architecture - one that protects network availability and ensures continued inspection of everything crossing your network.

Deploying bypass switches and Network Packet Brokers NPB together in your security architecture enables untrusted traffic from the internet (in red-lined) to be passed by the bypass switch to an NPB which: aggregates, filters, and load balances the traffic across the security tools and solutions you would routinely use to monitor for threats and attacks. After inspection is complete, the now trusted traffic (in green) passes into the enterprise and on to its intended destination.

Function of a High Performing Security Architecture

The goal of creating an inline security architecture is to enable adequate security inspection at maximum efficiency while adding only minimal latency to your network. This is achieved by creating an additional layer of control between live traffic and your monitoring tools. This control layer becomes an essential element of your overall security architecture with the ability to increase accuracy, efficiency, and cost- effectiveness in the following areas:

Maintain Network Availability

A well-designed security architecture strengthens security, but does not allow security monitoring to slow or disrupt network response times. The prime goal is to allow you to proactively take action before either of these events occurs.

Automatic Failover

Security vendors sometimes embed bypass functionality inside of a security tool and label it “failsafe”. The claim is true in the sense that, if the tool stops responding, the internal bypass will route traffic around the tool and protect network availability. A separate and external bypass device, however, can also protect the network if you need to temporarily take the tool out of service for software or hardware upgrades, or for troubleshooting.

Using an external bypass in front of a security tool separates it completely from the flow of live traffic, so you can perform tool or system maintenance or any operational task, without having to wait for a scheduled maintenance window. The external bypass continues passing traffic along - even without a tool attached. This improves both network resilience and overall security monitoring, since tools can be maintained as quickly and frequently as needed.

An additional advantage is that the reliability of a simple external bypass switch is much greater than that of sophisticated security tools with embedded bypasses. The general rule is that the more complex the tool, the shorter the Mean Time Between Failure (MTBF), and the greater the risk of failure to the entire system. Using an external bypass switch enables you to maximize both network protection and traffic inspection.

Nanosecond heartbeat packets

Bypass switches send very small ‘heartbeat’ packets on a regular cadence to your tools to confirm their ability to respond. If a response is not received, the bypass can be configured to fail “open,” and traffic will flow on to the next device. The key characteristic of the bypass is the speed at which it can detect an issue and redirect traffic. You typically want this to happen as fast as possible to maintain network responsiveness. While heartbeats are common in many devices, solutions where the heartbeat packets originate in the hardware, rather than in software, can be sent at very high frequency - one per nanosecond, and may be used in High Frequency Financial Trading HFT on a closed loop or dark-ish pool. This enables the bypass to detect the failure instantaneously and react accordingly.

Another feature to look for in bypass switches is whether they continue to send heartbeat packets even after a tool stops responding. Bypasses with this feature will know very quickly when the tool comes back online and can resume routing traffic through the tool. This self-healing feature enables fast and automatic recovery when tools recover and limits the impact of tool outages.

Traffic flow monitoring

The ability to collect data on traffic moving through the bypass is another distinguishing characteristic of top-performing solutions. Some bypass switches keep track of traffic patterns in both the uplink and downlink directions and use this information for reporting. The data, known as bi-directional utilisation and peak traffic indicators, allows IT system and network administrators to identify possible network or application anomalies before there is a network outage. Another feature to look for is the ability to integrate this data into your existing management tools to streamline network management.

Kasperksy real time threat map:

IT forensic analysis network intrusion detection

fintechIT securitycoding