Inline Bypass: Scaling Inline Threat Prevention Tools to Keep Pace with High-Speed Networks

Whitepaper: Inline Bypass

Maximize Security Tool Efficiency

Ideally suited to address the disparity between network data rates and security-appliance throughput, the GigaSECURE Security Delivery Platform can distribute the load across multiple security tools so that network security scales linearly with the number of tools deployed, while also ensuring that a given security tool sees all traffic belonging to specific user and server sessions. This type of targeted traffic forwarding is vital to detecting APTs more quickly. Rather than monitoring all traffic flowing over the network, the GigaSECURE Security Delivery Platform can use Flow Mapping® technology to selectively forward specific sessions for monitoring and bypass the rest, with filtering criteria based on application type (such as database, web or email); TCP/UDP port; IP and MAC address of servers and endpoints; or any combination of these. Not only is this a practical compromise between performance and security, it also avoids the unnecessary purchase of more, or higher-capacity, security tools. Organizations can apply these configurations dynamically using the APIs exposed by the GigaSECURE Security Delivery Platform and integrate them into a modern DevSecOps environment. The net effect? Security tools now inspect the most relevant traffic, increasing the probability of uncovering and responding to risks faster.

Consolidate and Optimize Security Monitoring

While sophisticated cyberthreats may merit having security devices on every segment and at every location, it is often cost-prohibitive to place firewalls, anti-malware and content-inspection devices on every network segment or every internet gateway exit point. It is far more efficient and less expensive to aggregate network traffic from multiple network segments into the GigaSECURE Security Delivery Platform and send the aggregated traffic of interest to a centralized, higher-capacity security tool for inspection.
Organizations can also apply a similar approach to remote offices, especially if they are backhauling all traffic from those offices to a few aggregation points. This centralized approach helps ensure that they get the most from their large-scale security computing investments at aggregation points such as data centers and campuses.

© 2018 Gigamon. All rights reserved.

The GigaSECURE Security Delivery Platform can aggregate traffic streams from multiple network segments and forward the traffic of interest to a common security tool. The GigaSECURE Security Delivery Platform tags traffic so that forward and return traffic is sent back to the correct segment. This capability is also useful in network architectures that feature asymmetric routing. In networks with redundant paths, the GigaSECURE Security Delivery Platform can monitor both active and standby links, eliminating the need to replicate the entire security stack for each link. By preserving session integrity regardless of the path a session takes, security devices receive whole sessions of bidirectional traffic.

Since most security architectures are multi-vendor, best-of-breed stacks of specialized products, their competing need to inspect the same traffic can conflict and burden the network. The GigaSECURE Security Delivery Platform addresses this by consolidating the traffic forwarding and distribution function and adding intelligence that not only resolves packet contention but also enables security tool optimization. For example, the GigaSECURE Security Delivery Platform will send only email traffic to the email inspection tool, only web traffic to a WAF, and, if desired, all traffic to a group of IPS devices. Consolidating traffic-forwarding policies in this way makes it easier to scale the security stack to accommodate new technologies and proof-of-concept deployments – without network disruption.
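Flow mapping and session-affine distribution, as an added example rather than anything from the whitepaper or Gigamon: a toy Python model that classifies packets against first-match rules, hashes each matched session onto one tool of a group so that both directions of the session (even when they arrive over asymmetric paths) reach the same tool, and bypasses everything else. The packet fields, rule names, addresses and tool names are constructed for illustration.

```python
# Added example, not Gigamon code: a toy model of Flow Mapping plus
# session-affine distribution of matched traffic across a tool group.
# Assumptions (mine): packets are dicts with src/dst/proto/sport/dport,
# rules are evaluated first-match, and unmatched sessions are bypassed.
import hashlib

def session_key(pkt):
    """Direction-independent key: the forward and return packets of one
    session, even when they arrive on different links (asymmetric routing),
    produce the same key and therefore land on the same tool."""
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return "|".join([pkt["proto"]] + [f"{ip}:{port}" for ip, port in ends])

def pick_tool(pkt, tools):
    """Spread sessions across the group while keeping every packet of a
    session on one tool, so that tool sees the whole bidirectional session."""
    digest = hashlib.sha256(session_key(pkt).encode()).digest()
    return tools[int.from_bytes(digest[:4], "big") % len(tools)]

# Matching must also be direction-independent: a WAF rule keyed only on
# dport 443 would see client->server packets but miss the server's replies.
def ports(pkt):
    return {pkt["sport"], pkt["dport"]}

def hosts(pkt):
    return {pkt["src"], pkt["dst"]}

# Constructed flow map: (rule name, predicate, tool group), first match wins.
FLOW_MAP = [
    ("web-to-waf", lambda p: p["proto"] == "tcp" and bool(ports(p) & {80, 443}), ["waf-1", "waf-2"]),
    ("mail-to-mail-gw", lambda p: p["proto"] == "tcp" and bool(ports(p) & {25, 587}), ["mailgw-1"]),
    ("db-segment-to-ips", lambda p: any(h.startswith("10.20.30.") for h in hosts(p)), ["ips-1", "ips-2", "ips-3"]),
]

def route(pkt, flow_map=FLOW_MAP):
    """Return (rule name, tool) for traffic of interest, or ("bypass", None).
    Bypassed sessions are never inspected, so bypass decisions deserve the
    same review and logging as the forwarding rules themselves."""
    for name, matches, group in flow_map:
        if matches(pkt):
            return name, pick_tool(pkt, group)
    return "bypass", None

# Constructed sample session: client -> web server, the server's reply, and a DNS query.
FWD = {"src": "192.0.2.10", "sport": 51234, "dst": "198.51.100.5", "dport": 443, "proto": "tcp"}
RET = {"src": "198.51.100.5", "sport": 443, "dst": "192.0.2.10", "dport": 51234, "proto": "tcp"}
DNS = {"src": "192.0.2.10", "sport": 40000, "dst": "203.0.113.53", "dport": 53, "proto": "udp"}

if __name__ == "__main__":
    print(route(FWD), route(RET), route(DNS))
```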
Moreover, any additional tools that require access to network traffic simply connect to the GigaSECURE Security Delivery Platform to receive the necessary visibility.

Seamlessly Add, Remove and Upgrade Security Tools

With the GigaSECURE Security Delivery Platform, SecOps can apply software patches and perform upgrades without lengthy coordination of maintenance windows, network downtime or reduced security. Instead of being connected directly inline, security tools connect to the GigaSECURE Security Delivery Platform, where they can be removed, rebooted or updated without affecting the network. Before an inline tool is taken out of service, the GigaSECURE Security Delivery Platform can bypass traffic around that tool until it is once again ready to begin inspection. When deploying multiple inline tools, SecOps can upgrade them sequentially without a large maintenance window or extended network outage and, even better, add tools to the GigaSECURE Security Delivery Platform with no maintenance window at all. Traffic can be directed to a new tool with a software command and minimal impact on the network.

Migrate Security Tools Between Prevention and Detection Modes

Many inline security solutions can also operate in an out-of-band mode. In fact, some security devices have “learning modes” in which they spend days or weeks passively monitoring the network to baseline normal behavior so that anomalies can be flagged later. While out of band, the security appliance receives only a copy of the traffic. Once tuned and ready to operate in an inline configuration, it can be moved programmatically by the GigaSECURE Security Delivery Platform without any rewiring. The ability of the GigaSECURE Security Delivery Platform to move a security tool between prevention and monitoring – or detection – modes is a powerful capability that security administrators can use in multiple ways.
For example, they can:

• Validate the operation of a prevention tool in detection mode after it has been upgraded with new software.
• Deploy threat prevention tools in threat detection mode in latency-sensitive application environments, or in those where the mismatch between network data rate and security-tool throughput is very high – for example, for service providers or in 40Gb/100Gb networks running 1Gb/10Gb security tools. When a tool detects a threat, the GigaSECURE Security Delivery Platform can be programmed to rapidly move the inline tool to prevention mode. This approach ensures that latency is minimized when no threat is detected and that higher latencies are incurred only while the inline tool is actively blocking malicious flows.

Moreover, the GigaSECURE Security Delivery Platform can also offload compute-intensive SSL decryption from inline tools: it decrypts traffic once and distributes the decrypted traffic to any number of inline or out-of-band tools that require it. With this approach, organizations can realize significant ROI, efficiency and performance benefits.

Summary

As network data rates continue to grow, security architects and administrators need an archi
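The bypass, detection and prevention modes described in the preceding sections, as an added illustration that is not Gigamon code: a Python model of one inline tool slot that is switched between modes by software command, bypassed around during maintenance, and promoted from detection to prevention when the tool first reports a threat. The tool itself is assumed to be any callable returning "allow" or "block", and the sample packets are constructed.

```python
# Added example, not Gigamon code: one inline tool slot that can be switched
# between bypass, detection and prevention modes by software command.
# Assumption (mine): the tool is any callable returning "allow" or "block".
from enum import Enum

class Mode(Enum):
    BYPASS = "bypass"    # tool out of service; traffic passes, tool sees nothing
    DETECT = "detect"    # tool sees a copy; its verdict is recorded, never enforced
    PREVENT = "prevent"  # tool is truly inline; a "block" verdict drops the packet

class InlineSlot:
    def __init__(self, tool, mode=Mode.DETECT, auto_promote=True):
        self.tool = tool
        self.mode = mode
        self.auto_promote = auto_promote   # move to PREVENT on first threat verdict
        self.log = []                      # (mode, verdict) records for validation

    def set_mode(self, mode):
        """Equivalent of the whitepaper's 'software command': no rewiring."""
        self.mode = mode

    def maintenance(self, work):
        """Bypass traffic around the tool while work() patches or reboots it,
        then restore the previous mode even if the work fails."""
        previous = self.mode
        self.set_mode(Mode.BYPASS)
        try:
            work()
        finally:
            self.set_mode(previous)

    def forward(self, pkt):
        """Return True if the packet reaches the network, False if dropped."""
        if self.mode is Mode.BYPASS:
            return True
        verdict = self.tool(pkt)
        self.log.append((self.mode.value, verdict))
        if self.mode is Mode.DETECT:
            # Detection mode never drops: the packet that triggered the verdict
            # is delivered, and only later packets are enforced after promotion.
            if verdict == "block" and self.auto_promote:
                self.set_mode(Mode.PREVENT)
            return True
        return verdict != "block"

# Constructed tool: flags packets marked malicious in the sample input.
def sample_tool(pkt):
    return "block" if pkt.get("malicious") else "allow"
```

Note that in detection mode the first malicious packet is still delivered; the mode switch only protects the flows that follow it.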