Step 1 – Reduce as many vulnerabilities within the network as possible
I recently wrote a blog post, Find Your Security Vulnerability Before Hackers Find It For You, and I wanted to come back and explore all three steps I outlined in that post in more detail. This blog will examine step 1 of that three-point plan.
Step 1 is about preventing as many intrusions into the network as possible by implementing a solid security architecture. Simply put — do what you can to stop the threat(s). This due diligence will be worth its weight in gold if an attack is successful. Inline security solutions using an IPS, WAF, TLS decryption, and other technology are a good example of a best practice.
Inline security tools should be deployed after your initial firewalls. These tools interrogate incoming data packets in real time, looking for known malware, ransomware, and other threats, and can allow you to knock down most of the incoming threats. By some estimates, that could be up to 90% of your threats. The more threats you eliminate here (before they get into your network), the easier your life will be.
To aid in this effort, consider adding external bypass switches and network packet brokers into your inline security solutions, as these two devices make it easier to get at the critical data that you want to examine. This allows for the examination of ALL data for suspect network traffic. In addition, a bypass and packet broker combination also provides a very solid solution for increasing network resilience and deploying self-healing networks.
In this scenario, all equipment lies directly in the path of live network traffic. You can combine resilient components like a bypass switch, packet broker, application intelligence, and SSL decryption with your existing security solution. Data flows into the network, is first scrubbed by the firewall, and then proceeds to the bypass switch, where it is shunted to the packet broker (like a Keysight Vision ONE solution). After that, the Vision ONE can decrypt data (if necessary) using its internal SecureStack feature set. After decryption (or if no decryption is needed), the data is sent on to the prescribed security tools for analysis. Bad data (i.e. security threats) is then deleted by those tools, and the good data is sent back to the packet broker for re-encryption (if needed), which then passes the data on to the bypass switch. After that, the data flows into the core of the network.
In addition, the external bypass and inline packet broker solution decreases both the risk of outage and the time it takes for hardware and software upgrades. The main purpose of the bypass switch is to allow traffic to continue flowing in the event of a security tool failure. If there is a tool (or packet broker) failure, the bypass will shunt traffic directly into the network for business continuity purposes. The bypass can also be set up to not allow any data to pass, if there is a serious concern regarding security threats passing into the network. After the event is over, the bypass senses when the tool (or packet broker) is functioning again and diverts traffic back to those tools for processing. This capability is automatic and doesn’t require any intervention.
From a maintenance perspective, because the bypass switch is external, there is no network outage if you completely remove or replace any of your equipment. Bypasses that are integrated into the security tools themselves do not offer this protection: if you want to completely remove the tool at some point (and you are relying on internal bypass functionality), you will experience network downtime.
When a packet broker is added to the scenario above, this gives you a second level of business continuity, as the packet broker feeds the flow of data to multiple tools. This means it can load balance data across multiple tools to provide n+1 survivability. If one tool goes down, the packet broker redistributes the load across remaining tools – preventing a single point of failure. Once the tool is back online, the packet broker rebalances the load across all of the tools again.
Packet brokers, like the ones from Keysight, can also handle TLS decryption and serial data chaining across different types of tools. By implementing decryption within the packet broker, you reduce complexity and the time it takes to pass the data on to inspection tools, as those packets are decrypted (and later re-encrypted) within the packet broker and don’t have to be passed to additional devices for encryption services.
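As an added illustration (not code from this post or from Keysight), here is a small Python model of the inline chain described above: the external bypass with its fail-open versus fail-closed behaviour, the packet broker's n+1 tool pool driven by heartbeat results, and decryption and re-encryption handled inside the broker. The tool names, flow ids and the `inspect()` verdict are constructed placeholders.

```python
from dataclasses import dataclass, field
from enum import Enum
import hashlib

class FailMode(Enum):
    OPEN = "fail-open"      # shunt traffic straight into the core on chain failure
    CLOSED = "fail-closed"  # pass nothing until the tool chain is healthy again

@dataclass
class PacketBroker:
    """Spreads flows across the healthy inline tools (n+1 survivability)."""
    tools: list
    down: set = field(default_factory=set)
    def healthy(self):
        return [t for t in self.tools if t not in self.down]
    def mark(self, tool, alive):
        # Heartbeat result: a failed tool leaves the pool, a recovered one rejoins it.
        self.down.discard(tool) if alive else self.down.add(tool)
    def pick_tool(self, flow_id):
        """Hash the flow over the healthy pool, so load spreads over whatever is up."""
        live = self.healthy()
        if not live:
            return None
        h = int(hashlib.sha256(flow_id.encode()).hexdigest(), 16)
        return live[h % len(live)]

@dataclass
class BypassSwitch:
    """External bypass in front of the broker; decides fail-open vs fail-closed."""
    broker: PacketBroker
    mode: FailMode = FailMode.CLOSED
    def forward(self, flow_id, encrypted, inspect):
        """Return the hops a flow takes; inspect(tool, flow_id) is the tool's verdict."""
        hops = ["firewall", "bypass"]
        tool = self.broker.pick_tool(flow_id)
        if tool is None:  # every tool (or the broker itself) is down
            hops.append("core" if self.mode is FailMode.OPEN else "dropped")
            return hops
        hops.append("broker")
        if encrypted:
            hops.append("decrypt")  # TLS terminated inside the broker
        hops.append(tool)
        if not inspect(tool, flow_id):
            hops.append("dropped")  # the tool deleted the bad data
            return hops
        if encrypted:
            hops.append("re-encrypt")  # broker re-encrypts before handing back
        hops += ["bypass", "core"]
        return hops
```

Flip `mode` to `FailMode.OPEN` and mark every tool down to see the business-continuity path; leave it `CLOSED` to see traffic held back instead.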
In the second part of this blog, I’ll discuss step 2 – how to actively look for threats on your network.
See for yourself how Keysight’s solutions can significantly enhance your company’s security architecture!