
Keysight Technologies: How can I reduce network security risks – Part 1

Step 1 – Reduce as many vulnerabilities within the network as possible

I recently wrote a blog post, "Find your security vulnerability before hackers find it for you", and I wanted to come back and explore in more detail the three steps I described in that post. This blog will examine step 1 of this three-point plan.

Step 1 is to prevent as many network intrusions as possible by implementing a strong security architecture. Simply put, do what you can to stop threats. This due diligence will be worth its weight in gold if an attack succeeds. Inline security solutions that use IPS, WAF, TLS decryption and other technologies are a good example of this practice.

Inline security tools should be deployed after your initial firewalls. These tools inspect incoming data packets for malware, ransomware, and other known threats in real time, which allows you to neutralize most incoming threats. According to some estimates, this could account for up to 90% of your threats. The more threats you eliminate here (before they enter your network), the easier your life will be.

To aid in this effort, consider adding external bypass switches and network packet brokers to your inline security solutions, as both of these devices make it easier to access the critical data you want to examine. This allows ALL data to be examined for suspicious network traffic. Additionally, the combination of a bypass switch and a packet broker provides a very strong solution for increasing network resiliency and deploying self-healing networks.

In this scenario, all devices are directly in the path of live network traffic. You can combine resilient components such as a bypass switch, a packet broker, application intelligence, and SSL decryption with your existing security solution. Data travels through the network and is scrubbed by the firewall, then passes to the bypass switch, where it is redirected to the packet broker (like a Keysight Vision ONE solution). The Vision ONE can then decrypt the data (if needed) using its internal SecureStack feature set. After decryption (or if no decryption is required), the data is sent to the prescribed security tools for analysis. The bad data (i.e. security threats) is removed by these tools, and the good data is sent back to the packet broker for re-encryption (if needed). The packet broker then forwards the data to the bypass switch, and from there the data flows on to the network core.

Additionally, the external bypass switch and inline packet broker reduce both the risk of failure and the time required for hardware and software upgrades. The primary purpose of the bypass switch is to allow traffic to continue to flow in the event of a security tool failure. If a tool (or the packet broker) fails, the bypass sends traffic straight on to the network for business continuity purposes. The bypass can also be configured to not let any data through if there is a serious concern about security threats passing through the network. Once the event is over, the bypass detects when the tool (or packet broker) is running again and redirects traffic to those tools for processing. This feature is automatic and does not require any intervention.

From a maintenance perspective, because the bypass switch is external, there is no network outage if you completely remove or replace any of your equipment. Bypasses built into security tools suffer from this problem: if you want to completely remove the tool at some point (and rely on the internal bypass feature), you will experience network disruption.

When a packet broker is added to the above scenario, it gives you a second level of business continuity, as the packet broker can feed data to multiple tools. This means it can load balance data across multiple tools to provide n+1 survivability. If one tool fails, the packet broker redistributes the load among the remaining tools, avoiding a single point of failure. Once the tool is back online, the packet broker again rebalances the load across all tools.
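
The failover behaviour of the bypass switch and the n+1 load balancing of the packet broker described above can be modelled in a few lines. This is an added example, not Keysight code or configuration: the class names, the fail-open/fail-closed setting, the tool names and the CRC32 flow hash are assumptions made for illustration.

```python
import zlib
from enum import Enum

class FailMode(Enum):
    OPEN = "fail-open"      # tool path down: forward traffic uninspected
    CLOSED = "fail-closed"  # tool path down: let no traffic through

class PacketBroker:
    """Spreads flows over the inline tools that are currently healthy."""
    def __init__(self, tools):
        self.health = {t: True for t in tools}
        self.up = True

    def pick_tool(self, flow):
        # Hash the 5-tuple so every packet of a flow reaches the same tool.
        tools = sorted(t for t, ok in self.health.items() if ok)
        if not tools:
            return None
        key = "|".join(map(str, flow)).encode()
        return tools[zlib.crc32(key) % len(tools)]

class BypassSwitch:
    """Sits in the live path and decides whether the tool path is usable."""
    def __init__(self, broker, fail_mode=FailMode.OPEN):
        self.broker, self.fail_mode = broker, fail_mode

    def forward(self, flow):
        """Return the path a flow takes: a tool name, 'bypass' or 'drop'."""
        tool = self.broker.pick_tool(flow) if self.broker.up else None
        if tool is not None:
            return tool
        return "bypass" if self.fail_mode is FailMode.OPEN else "drop"

def distribution(switch, flows):
    """Count how many flows end up on each path."""
    counts = {}
    for flow in flows:
        path = switch.forward(flow)
        counts[path] = counts.get(path, 0) + 1
    return counts

# Constructed sample flows: (src, dst, sport, dport, proto)
FLOWS = [("10.0.0.%d" % (i % 50), "192.0.2.10", 40000 + i, 443, "tcp")
         for i in range(300)]

if __name__ == "__main__":
    broker = PacketBroker(["ips-1", "ips-2", "ips-3"])  # hypothetical tools
    switch = BypassSwitch(broker, FailMode.OPEN)
    print("all healthy:", distribution(switch, FLOWS))
    broker.health["ips-2"] = False                      # one tool fails
    print("ips-2 down: ", distribution(switch, FLOWS))
    broker.up = False                                   # broker itself fails
    print("broker down:", distribution(switch, FLOWS))
```

Plain modulo hashing also moves some flows between the surviving tools whenever the healthy set changes, so stateful tools can lose session context during a failover or a restore. In fail-open mode the traffic counted under `bypass` reaches the network uninspected, which is worth alerting on.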

Packet brokers, like Keysight’s, can also handle TLS decryption and serial chaining of data through different types of tools. By implementing decryption within the packet broker, you reduce the complexity and time required to pass data to the inspection tools, because those packets are decrypted (and then re-encrypted) within the packet broker and do not need to be transmitted to additional devices for encryption services.

In the second part of this blog, I will discuss step 2 – how to actively scan your network for threats.

See for yourself how Keysight solutions can dramatically improve your company’s security architecture!

