External Links to our Supplier News and Events:
All events:
September 20th and 22nd 2011 - iTechSummit Calgary & Vancouver (free registration).

Layer8Solutions will participate in the iTech Infrastructure Technology
Summit in Toronto, Calgary & Vancouver. iTechsummit is
Canada’s largest IT conference & exhibition series
offering high level IT professionals and decision-makers a broader
realm of IT solutions-based products and services that encompass the
overall Data Center and IT infrastructure.
June 27th 2011 - By Howard Solomon, Network World Canada / itWorldCanada, Communications Infrastructure article:
Like all Gigamon switches, the GigaVUE HD8 is used between a traditional data switch and tools such as intrusion detection systems (IDS), Web monitors, data recorders or VOIP analyzers.
June 7th 2011 - Press Release - Network Computing - Steve Wexler
ExtraHop Addresses 2,048-bit SSL Decryption Performance Penalty.
It's still early days for 2,048-bit SSL (Secure Sockets Layer) encryption/decryption, but privately held ExtraHop Networks, a specialist in network-based application performance management (APM) solutions, is betting it won't take long for the significantly more secure standard to be adopted, with major implications for application monitoring.
June 2nd 2011 - Press Release
GigaStor Innovations Boost Capture and Analysis Performance by 116%
Network Instruments Hardware Enhancements Reduce Troubleshooting Time on 10 Gb Networks. MINNEAPOLIS – June 2, 2011 – Network Instruments®, a worldwide leader in network and application management, today announced it has increased write-to-disk and analysis performance by up to 116 percent on its GigaStor retrospective network analysis appliances.
Use of Taps and Span Ports in Cyber Intelligence Applications
Author: Markus Tunkel
Cyber warfare is unfortunately no longer found only in speculative fiction; it is with us today. Distributed denial-of-service (DDoS) attacks have been launched against the United States, South Korea, Kyrgyzstan, Estonia, and Georgia in recent years, and military and government computer systems around the world are assaulted by intruders daily. Some attacks come from nation-states, but others are perpetrated by transnational and unaligned rogue groups. Those bent on inflicting harm on nations and citizens not only use networks as an attack vector, but also for organizing, recruiting, and publicizing their beliefs and activities.
On the other side of the fence are the good guys, the members of the cyber intelligence community who aim to understand and track the terrorists, and ultimately stymie their plans. Due to the pervasive use of networks by radical and criminal organizations in the modern world, a great deal can be learned about terrorists by examining their use of the World Wide Web, and how the Internet is used as a vector to attack both public and private systems. This field of study is called "terrorism informatics," which is defined as "the application of advanced methodologies and information fusion and analysis techniques to acquire, integrate, process, analyze, and manage the diversity of terrorism-related information for national/international and homeland security-related applications" (Hsinchun Chen et al., eds., Terrorism Informatics. New York: Springer, 2008, p. xv).
Terrorism informatics analyzes information from data-at-rest sources such as blogs, social media, and databases. For other types of analyses, it is necessary to examine data in motion, in other words, information as it travels on a network. Access to data-in-motion is often obtained by eavesdropping on the network traffic using Span ports in switches. This paper focuses specifically on the implications of using Span ports in counter-terrorism monitoring applications. It shows that Span ports are particularly ill-suited to this use. Note also that the security vulnerabilities of Span ports in counter-terrorism applications apply equally when Span ports are used for other monitoring needs such as performance or compliance monitoring.
Introduction
Span or mirror ports are a convenient and inexpensive way to access traffic flowing through a network switch. Switches that support Span ports, typically high-end switches, can be configured to mirror traffic from selected ports or VLANs to the Span port, where monitoring tools can be attached. At first glance, it seems that a Span port could be a good way to connect an intrusion detection system (IDS), forensic recorder, or other security monitoring device. Unfortunately, Span ports have several characteristics that can be troublesome and risky in a counter-terrorism application. These characteristics include:
- The possibility of dropping packets
- The need for reconfiguring switches
- The vulnerability of Span ports to attack
- The fact that Span ports are not passive mechanisms
These issues are elaborated in the following sections.
Problem #1: Dropped Packets
The first issue with Span ports in a counter-terrorism application is that the visibility of network traffic is less than perfect. In counter-terrorism monitoring, a fundamental requirement is that the security device must be able to see every single packet on the wire. An IDS cannot detect a virus if it doesn't see the packets carrying it. Span ports cannot meet this requirement because they drop packets. Spanning is the switch's lowest priority task, and Span traffic is the first thing to go when the switch gets busy. In fact, it is allowable for any port on a switch to drop packets because network protocols are specifically designed to be robust in spite of dropped packets, which are inevitable in a network. But it is not acceptable in a counter-terrorism monitoring application.
Different switches may be more or less prone to drop Span packets
depending on their internal architecture, which varies from switch to
switch. However, it is unlikely that the performance of the Span port
was evaluated as an important criterion when the switching gear was
selected. As a counter-terrorism professional, you probably don't want
your security strategy to be dependent on a procurement policy that you
don't control.
Nevertheless, suppose you do have switches with the best possible Spanning performance. Dropped packets may still be an issue depending on how much traffic you need to send through the Span port. If you need to see all of the traffic on a full-duplex 1 Gigabit link, a 1 Gigabit Span port won't do the job. Full duplex link traffic exceeds the 1 Gigabit Span port capacity when link utilization goes above 50 percent in both directions. To see all the traffic, you need to dedicate a 10 Gigabit port for Spanning, and now the Span port doesn't seem so inexpensive any more.
However, Span port visibility issues go beyond simply dropping packets.
Being switch technology, Span ports by their very nature are not
transparent for layer 1 and layer 2 information: for example, they drop
undersized and oversized packets, and packets with CRC errors. They
usually remove VLAN tags, too. In addition, Span ports do not preserve
the packet timing of the original traffic, or in some cases even the
packet order. This type of information can be critical for detecting
certain types of network attacks such as network worms and viruses, and
for some behavior-based packet classification algorithms. For example,
network consultant Betty DuBois observed, "[Regarding] losing the VLAN
tag information when Spanning, if there is an issue with ISL or 802.1q,
how will I ever know with a Span port?"
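As an added example that is not part of Mr. Tunkel's article, the Python below works through the bandwidth arithmetic behind the 50 percent figure above and generalizes it to a mirror session that copies several sources (ports or VLANs, in one or both directions) to a single destination port. The interface names and utilisation figures are constructed sample data, and `span_load` and `max_safe_pct` are names chosen for this example. It models only the bandwidth floor: as the text explains, a Span port can drop packets even below that line, so passing this check is necessary but not sufficient.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class MirroredSource:
    """One port or VLAN that a mirror session copies to the Span destination."""
    name: str
    link_mbps: int           # line rate per direction (full duplex), in Mb/s
    rx_pct: int              # utilisation of the receive direction, percent
    tx_pct: int              # utilisation of the transmit direction, percent
    direction: str = "both"  # what the session mirrors: "rx", "tx" or "both"

    def mirrored_mbps(self) -> int:
        """Traffic this source contributes to the destination port right now."""
        rx = self.link_mbps * self.rx_pct // 100 if self.direction in ("rx", "both") else 0
        tx = self.link_mbps * self.tx_pct // 100 if self.direction in ("tx", "both") else 0
        return rx + tx

    def worst_case_mbps(self) -> int:
        """Contribution if every mirrored direction ran at line rate."""
        return self.link_mbps * (2 if self.direction == "both" else 1)


def span_load(sources: List[MirroredSource], dest_mbps: int) -> Dict[str, object]:
    """Sum the mirrored directions and compare with the destination port rate.

    A Span destination is one transmit direction of one port, so it can never
    carry more than dest_mbps; anything offered above that is dropped.
    """
    offered = sum(s.mirrored_mbps() for s in sources)
    worst = sum(s.worst_case_mbps() for s in sources)
    dropped = max(0, offered - dest_mbps)
    return {
        "offered_mbps": offered,
        "dest_mbps": dest_mbps,
        "dropped_mbps": dropped,
        "oversubscribed": dropped > 0,
        "worst_case_mbps": worst,           # what the destination needs to never drop
        "headroom_ok": worst <= dest_mbps,  # True only if full visibility is guaranteed
    }


def max_safe_pct(link_mbps: int, dest_mbps: int, direction: str = "both") -> int:
    """Highest utilisation, applied to each mirrored direction of one link,
    before its mirror exceeds the destination port.

    For a 1 Gb/s full-duplex link mirrored both ways into a 1 Gb/s Span port
    this is 50 percent, the figure the article quotes.
    """
    n_dirs = 2 if direction == "both" else 1
    return min(100, dest_mbps * 100 // (n_dirs * link_mbps))


# Constructed sample: three mirrored sources on one distribution switch.
SAMPLE_SOURCES = [
    MirroredSource("Gi1/0/1 (DMZ uplink)", 1000, 60, 30, "both"),
    MirroredSource("Gi1/0/2 (mail relay)", 1000, 20, 20, "both"),
    MirroredSource("Gi1/0/3 (VPN concentrator)", 1000, 50, 50, "rx"),
]


if __name__ == "__main__":
    for dest in (1000, 10000):
        report = span_load(SAMPLE_SOURCES, dest)
        print(f"{dest} Mb/s destination: offered {report['offered_mbps']} Mb/s, "
              f"dropped {report['dropped_mbps']} Mb/s, "
              f"worst case {report['worst_case_mbps']} Mb/s, "
              f"guaranteed visibility: {report['headroom_ok']}")
    print("max per-direction utilisation of one 1G link into a 1G Span port:",
          max_safe_pct(1000, 1000), "percent")
```

The `headroom_ok` field is the one that matters for a "see every packet" requirement: it is only true when the destination could carry every mirrored direction at line rate, which for the three 1 Gigabit sources above means a 10 Gigabit destination. The same sum applies to an aggregator Tap's monitor port.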
Problem #2: The Need for Switch Configuration
Another issue with using Span ports in a counter-terrorism application is the very fact that the switch needs to be configured to send specific traffic to the Span port. This fact leads to a host of complications:
- The configuration may not be done correctly. "If the switch owner mistakenly or intentionally configures the Span port to not show all the traffic it should, you may or may not discover the misconfiguration. I have seen this happen countless times," said Richard Bejtlich, the highly respected author of The Tao of Network Security Monitoring.
- Sharing the Span port. A switch typically supports only one or two Span ports, and the network administrator or someone else may need to use "your" Span port for one reason or another. They may or may not tell you when the Span traffic profile is changed for their needs. IT Manager Bob Huber recalled, "Span was a huge issue we dealt with on the IDS team where I used to work. We had constant issues with the Span going up and down. When there are network issues to deal with, the network engineers have priority to the limited number of Span ports available. Hoping they remember to reconfigure your Span port was a waste of time."
- Switch configuration may not be available when you need it. If you need to change the profile of the traffic you are Spanning, or change it back after someone else used the port, it may not be easy to get the switch owner's time to do it. In larger organizations, you may also need to get the change authorized through a Change Control Board, and then wait for a maintenance window to get it implemented.
- Changes to the network switches for other reasons can impact the Span traffic. Networks are constantly being reconfigured to optimize applications or support new requirements. If the counter-terrorism monitoring solution depends on Span ports, it is vulnerable to changes (planned or surprises) any time the network is reconfigured for any reason.
- Switch configuration itself is a security vulnerability. In any counter-terrorism activity, the network's security is of course paramount. Switches are a highly vulnerable network point, and the ability to reconfigure them must be tightly controlled. Does it make sense to require switch reconfiguration as part of the counter-terrorism monitoring solution, when reconfiguring a switch can accidentally or deliberately expose or bring down the network?
If you have any doubt that Span port misconfiguration can be an issue, take a look at this note in the Cisco Catalyst 6500 Series documentation: "Connectivity issues because of the misconfiguration of Span ports occur frequently in CatOS... Be very careful of the port that you choose as a Span destination."
Problem #3: Vulnerability to Attack
Span ports are usually configured for uni-directional traffic, restricted to transmitting traffic to the monitoring device. However, in some cases they can receive traffic as well (a feature Cisco calls ingress traffic forwarding), in order to enable management of the monitoring device over the same switch port and monitoring device NIC as the mirror traffic. When this configuration is used, the Span port becomes an open ingress port to the switch, creating a serious security vulnerability. Therefore, this configuration should be avoided as a best practice. If for some reason it becomes necessary to use this configuration, you should at least lock the Span port to the monitoring tool's MAC address if possible, so an unauthorized user won't be able to plug a laptop into the connection and hack the switch.
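As an added example (not part of the article, and not a tool from any vendor named on this page), the Python below audits a switch's `monitor session` configuration against what the monitoring team expects, covering two of the problems above. For Problem #2 it checks that the session still mirrors every expected source in both directions, so a silent change by whoever shared or reconfigured the port is caught at the next audit rather than weeks later; for Problem #3 it flags any destination port configured with the `ingress` keyword, which is the Cisco IOS form of the ingress traffic forwarding the text describes. The config excerpt is constructed, the command syntax follows Cisco IOS, and `parse_sessions` and `audit_sessions` are names chosen here. The check reads only what is configured, not what the port actually delivers, so it complements rather than replaces a capture-side packet count.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed running-config excerpt in IOS-style syntax (not from any real switch).
# Session 1 is the security monitoring feed; session 2 belongs to the network team.
SAMPLE_CONFIG = """\
!
hostname dist-sw-1
!
monitor session 1 source interface Gi1/0/1 - 2 both
monitor session 1 source interface Gi1/0/3 rx
monitor session 1 source vlan 10 , 20 both
monitor session 1 destination interface Gi1/0/24 ingress vlan 10
!
monitor session 2 source interface Gi1/0/5 tx
monitor session 2 destination interface Gi1/0/23
!
"""

MONITOR_RE = re.compile(
    r"^monitor session (?P<sid>\d+) (?P<role>source|destination) (?P<kind>interface|vlan) "
    r"(?P<spec>.+?)(?:\s+(?P<dir>rx|tx|both))?(?:\s+(?P<ingress>ingress\b.*))?$"
)


@dataclass
class Session:
    sid: int
    sources: Dict[str, str] = field(default_factory=dict)  # name -> "rx" | "tx" | "both"
    destination: Optional[str] = None
    ingress: bool = False  # destination also accepts frames from the attached device


def expand_spec(kind: str, spec: str) -> List[str]:
    """Expand 'Gi1/0/1 - 2' or '10 , 20' into individual interface or VLAN names."""
    names: List[str] = []
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            start, end = (p.strip() for p in part.split("-", 1))
            m = re.match(r"^(.*?)(\d+)$", start)
            prefix, first = m.group(1), int(m.group(2))
            names.extend(f"{prefix}{n}" for n in range(first, int(end) + 1))
        else:
            names.append(part)
    if kind == "vlan":
        names = [f"vlan{n}" for n in names]
    return names


def parse_sessions(config_text: str) -> Dict[int, Session]:
    """Collect every monitor session's sources, destination and ingress flag."""
    sessions: Dict[int, Session] = {}
    for line in config_text.splitlines():
        m = MONITOR_RE.match(line.strip())
        if not m:
            continue
        sid = int(m["sid"])
        sess = sessions.setdefault(sid, Session(sid))
        names = expand_spec(m["kind"], m["spec"])
        if m["role"] == "source":
            direction = m["dir"] or "both"  # IOS mirrors both directions when omitted
            for name in names:
                sess.sources[name] = direction
        else:
            sess.destination = names[0]
            sess.ingress = m["ingress"] is not None
    return sessions


Finding = Tuple[int, str, str]  # (session id, code, detail)


def audit_sessions(sessions: Dict[int, Session],
                   expected_sources: Dict[int, Set[str]]) -> List[Finding]:
    """Compare configured sessions with what the monitoring team expects to see."""
    findings: List[Finding] = []
    for sid, wanted in expected_sources.items():
        sess = sessions.get(sid)
        if sess is None:
            findings.append((sid, "NO_SESSION", "session not configured"))
            continue
        for name in sorted(wanted):
            direction = sess.sources.get(name)
            if direction is None:
                findings.append((sid, "MISSING_SOURCE", name))
            elif direction != "both":
                findings.append((sid, "PARTIAL_DIRECTION", f"{name} mirrored {direction} only"))
        if sess.destination is None:
            findings.append((sid, "NO_DESTINATION", "session has no destination port"))
        elif sess.ingress:
            findings.append((sid, "INGRESS_ENABLED", sess.destination))
    return findings


if __name__ == "__main__":
    expected = {1: {"Gi1/0/1", "Gi1/0/2", "Gi1/0/3", "Gi1/0/4"}, 2: {"Gi1/0/5"}}
    for sid, code, detail in audit_sessions(parse_sessions(SAMPLE_CONFIG), expected):
        print(f"session {sid}: {code}: {detail}")
```

Run against the constructed excerpt, the audit reports that session 1 no longer mirrors Gi1/0/4, mirrors Gi1/0/3 in one direction only, and has ingress forwarding enabled on its destination Gi1/0/24; session 2 is reported only for its single-direction mirror. Feeding it the saved running-config after every change window, or whenever the port has been shared, turns the "you may or may not discover the misconfiguration" problem into a routine check.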
Problem #4: Not Passive
A final important consideration when using Span ports for counter-terrorism monitoring access is that Span ports are not passive: They can affect the performance of the switch's other ports. For example, Gerald Combs, the father of Wireshark, warns, "Some switch families (e.g., the Cisco 3500 series) don't set a lower priority on Span traffic, and will slow down the backplane in order to deliver packets to a Span port." This effect violates a primary principle of security and especially forensic monitoring, that monitoring should not affect the traffic being monitored. It may have legal as well as practical implications.
The Tap Alternative
To avoid the problems that Span ports bring to counter-terrorism monitoring applications, security experts like Bejtlich recommend using traffic access ports (Taps) for access to the network traffic. Taps are specifically designed to provide 100 percent traffic visibility without any impact on monitored traffic. Optical Taps for fiber links use optical splitters to divert part of the light from the link to a monitor port, creating a true copy of the link traffic all the way down to layer 1 and layer 2 errors. Taps for copper links perform a similar function electronically. Optical Taps do not use any power at all, while copper Taps include relays which ensure that link traffic continues to flow even when the Tap loses power. Taps avoid all of the pitfalls of Span ports in counter-terrorism applications:
- Taps send the monitoring tool an exact copy of the link traffic, including layer 1 and layer 2 errors and malformed packets, no matter how busy the link is. They never drop packets.
- Taps require little or no configuration. Once a Tap is installed in a link, monitoring access to the link traffic is always available, consistently and persistently.
- Taps are secure. They do not have an IP address so attackers cannot see them, and they cannot inject traffic into the network under any circumstances. In fact, a Tap actually hides the monitoring tool from the network as well, providing true "stealth" monitoring.
- Taps are completely passive. They cannot affect the link traffic, not even if they lose power.
Tap technology has evolved to offer a range of additional features as well, most of which are not available with Span ports. (Note that some of these features require a trade-off with the previously mentioned characteristics.)
- Regeneration Taps produce multiple copies of the link traffic so multiple tools and multiple users can view the same traffic simultaneously. Your counter-terrorism monitoring device does not need to give up access when the network administrator needs to put an additional protocol analyzer onto the link.
- Aggregator Taps combine the traffic from both directions of full-duplex links and from multiple links and send it to a single NIC on the monitoring tool. No packets are dropped as long as the aggregated traffic does not exceed the monitor port bandwidth.
- Active Response Taps permit monitoring tools to send response packets such as TCP resets, ICMP messages, and ACL changes into the tapped link. This feature can be used by an IDS to take action when certain types of intrusions are detected. (Active Response Taps are an exception to the Tap "one direction only" traffic rule.)
- iTaps provide a remote management interface and basic monitoring data about link traffic, such as packet counts and utilization levels. (Remote management interfaces require IP addresses, but they are secured with passwords, SSH, HTTPS, and other measures.)
- Media Conversion refers to Taps that support different media types on their network and monitor ports. Many Taps have pluggable SFP or XFP ports enabling different media types to be accommodated simply by plugging in different transceiver types. Some Taps even perform 10 Gigabit to 1 Gigabit and 1 Gigabit to 10 Gigabit data rate conversion as well.
- Filter Taps enable mirrored traffic to be restricted to particular protocols, source and destination IP addresses, VLANs, ports, and other criteria, making it easier to isolate or troubleshoot issues, and relieving monitoring tools from spending valuable processing cycles on pre-filtering traffic. For example, the Net Optics Director Data Monitoring Switch supports filtering as well as regeneration, aggregation, remote management, and media conversion, all in a single device.
- Bypass Switches create fail-safe access ports for in-line devices such as intrusion prevention systems and firewalls.
Conclusion
Monitoring is an essential building block of Bejtlich's "defensible network architecture," the first of its seven key characteristics: monitored, inventoried, controlled, claimed, minimized, assessed, and current. Utilizing Span ports for counter-terrorism monitoring access is placing that building block on a weak foundation, subject to packet loss, misconfiguration, and intrusion. A Monitoring Access Platform, based on Tap technology and integrated within the network architecture, is an alternate access approach that provides a solid base on which to build your network's security and counter-terrorism applications.
Article Source: http://www.articlesbase.com/security-articles/use-of-taps-and-span-ports-in-cyber-intelligence-applications-2814767.html
April 13th, 2011 - By Invitation only, join us for Lunch! ExtraHop, Gigamon & Layer8Solutions are proud to host an exclusive event Wednesday April 13th at Vieux-Port Steakhouse http://www.restaurantduvieuxport.com in Old Montreal.
You’ll get an opportunity to meet executives from ExtraHop & Gigamon, network with your peers, hear about the future of network- and application-performance management, and enjoy a complimentary lunch on us. Request your invite to events@layer8solutions.ca
March 9th, 2011 - By Invitation only, join us for Lunch! ExtraHop, Gigamon & Layer8Solutions are proud to host an exclusive event Wednesday March 9th at The Empire Bar and Grill in downtown Ottawa.
You’ll get an opportunity to meet executives from ExtraHop & Gigamon, network with your peers, hear about the future of network- and application-performance management, and enjoy a complimentary lunch on us. Request your invite to events@layer8solutions.ca

January 26th, 2011 - Join us for Lunch! ExtraHop & Layer8Solutions are proud to host an exclusive event Wednesday January 26th at Barberian's Steakhouse in downtown Toronto.
You’ll get an opportunity to meet executives from
ExtraHop,
network with your peers, hear about the future of network- and
application-performance management, and enjoy a complimentary lunch on
us.
What is Application Delivery Assurance?
It’s
real-time analysis from L2–L7, at wire speeds, for proactive
early warning and accelerated troubleshooting across network, web,
database, and storage tiers.
Registration: Want to learn more? RSVP by emailing me at annette@extrahop.com,
or give
me a call at 206-462-2243. And if someone else from your company would
like to attend, please let me know.

May 4, 2010 - BreakingPoint Storm CTM Becomes World's First Product to Harden the Resiliency of Global Networks Against Cyber Attack and High-Stress Load.
A legacy of ineffective security and performance evaluation of global network devices and systems has left us all exposed and carrying the burden of a brittle cyber infrastructure. BreakingPoint has pioneered the world’s first Cyber Tomography Machine (CTM), introducing the BreakingPoint Storm CTM™ to address the security problems facing today’s governments, enterprises, service providers and equipment vendors.
April 23, 2010 - Gigamon Introduces the GigaVUE-212.
Introducing the latest breakthrough from Gigamon, the GigaVUE-212 entry price-level Data Access Switch. Ideal for data centers and enterprises that require a low-cost option but still need all of the filtering, aggregation, replication, and load balancing functionality of our other solutions. See the GigaVUE-212 at Interop Las Vegas, booth #1951!
April 27th 2010 - Infrastructure Technology Summit - Montreal, Canada (free registration)
April 29th 2010 - Infrastructure Technology Summit - Toronto, Canada (free registration)
April 30th 2010 - Federation of Security Professionals - Toronto, Canada
RBC Financial Group
315 Front Street West Toronto, ON
November 10th 2009 - Solera Networks and ArcSight join forces to Provide Network Security and Forensics Solutions
SALT LAKE CITY, UT — November 10, 2009 – Solera Networks has partnered with ArcSight, Inc. (NASDAQ: ARST) to enable integration between their high-speed network forensics appliances and ArcSight’s enterprise threat and risk monitoring solutions. This integration will help determine the true scope of any network or security issue by providing a record of network [...]
Friday Oct 23, 2009 - Security Seminar, Federation of Security Professionals
RBC Financial Group
315 Front Street West Toronto, ON
Friday 9 October 2009 - Smart Network Access System Does More For Less
Network Critical, the creator of the leading enterprise access technology solutions, announced today that it will be revamping its Smart Network Access (SmartNA) System. With the introduction of a new web interface and filtering capabilities, the structure of this modular system will be changing to accommodate the upgrades.
Thursday Oct 8, 2009 - Gigamon Kicks off Fourth Quarter with Noted 2009 Accomplishments
Data Access Networking Innovator Hires Vice President of North American Sales to Support Record Growth and Sales Projections
GTEC 2009 - Oct 5-8, 2009 Westin Hotel Ottawa, ON www.gtec.ca
GTEC is Canada’s Government Technology Event. As the largest,
most
comprehensive information technology event serving the Canadian
government for the past 16 years, their program draws over 7,000 senior
level IT decision makers from federal, provincial, municipal, and
international government annually. GTEC serves as the only platform for
visitors to access the tools, talents and technologies through learning
and networking opportunities helping influencers and decision makers
alike implement cost effective, innovative, and efficient IT solutions.
Layer 8 Solutions Exhibitor booth 724
Workshop: 2:00 pm -- 3:00 pm, Alberta Room, 4th Floor, Westin Hotel Ottawa
Palo Alto Networks www.paloaltonetworks.com
Tony McIlvenna, Central Area Manager
Tony McIlvenna brings a wealth of business experience and a strong track record in territory development at top-tier start-up companies and leading high tech firms such as Cabletron, CacheFlow/Bluecoat, Neoteris/Juniper and Silver Peak Systems. Tony has a 23 year track record of managing exceptional growth and success at technology companies. Tony is the customer facing representative that would work with you and Layer 8 Solutions directly for any sales and sales operational related opportunities.
Why It's Time to Fix the Firewall
The firewall was once the strategic foundation of network security in
every enterprise. But over the last decade, Internet applications and
threats have evolved dramatically and can now bypass security controls,
making traditional firewalls ineffective and nearly obsolete.
Presentation Highlights: Insights into a new generation of evasive
applications and related threats capable of bypassing your firewall
controls, A look at three new network security requirements -- missing
from traditional firewalls -- that will restore IT's ability to manage
these and other Internet risks and a live demo time permitting.
Leveraging the Firewall as the Strategic Point of Application Control - Sept 16, 2009 Sheraton Hotel Toronto, ON www.paloaltonetworks.com/events/toronto.html
A new generation of business and consumer Internet applications are flooding today’s corporate networks. It is not enough to simply block or allow these applications. Each application must be controlled based on its unique risks and the value it delivers to the business. This context-based control can include limiting the functionality of an application, restricting its access to certain users, and even shaping the application with QoS controls to ensure optimal performance.
The logical location for this level of application and user control is the enterprise firewall. Unfortunately, traditional firewalls are unable to identify or control any applications. But award-winning next generation firewalls from Palo Alto Networks have restored fine-grained application visibility and control for hundreds of organizations worldwide.
Palo Alto Networks firewalls also allow you to identify and control specific users by name – not just IP address – and scan all applications for a broad range of threats, all at throughput of up to 10Gbps.
GigaStream Provides Highest Port Density and Lowest Latency for Data Center Monitoring... September 15, 2009
Bye-Bye Bottlenecking: Gigamon’s GigaStream Stacks Up as the Best Solution for Data Center Monitoring
Innovative Trunking Technology Provides Highest Port Density and Lowest Latency in Industry for Large Scale Data Centers; Enables 2.2 Terabytes of Bandwidth per Second
Silicon Valley—September 15, 2009 - Gigamon, the leading global provider of intelligent data access networking™, today announced the release of GigaStream, an innovative trunking technology for traffic load balancing that eliminates bottlenecking and guarantees the highest port density and lowest latency in the industry. In a multi-unit star configuration, GigaStream can bundle either GigaVUE tool-ports or stack-ports to enhance security, speed and performance in large scale data centers that demand massive port density. Create cross-box connectivity with any of the GigaVUE platforms incorporating hundreds of ports into a network-wide Data Access Network fabric.
Managing a large scale enterprise data center demands a complex network
infrastructure where 24/7 performance monitoring is critical. As these
data centers require massive port density to effectively monitor the
network, GigaStream supports automatic load balancing across multiple
monitoring tools, with the essential benefit of intelligently keeping
all packets of each session together.
“The launch of GigaStream indicates that Gigamon has been listening to its customers and identifying their specific needs,” said Steve Steinke, Senior Analyst for Networks at The 451 Group. “By investing in innovation and product development, despite the down economy, Gigamon continues to solidify its leadership position in the data access networking industry.”
By creating an additional, virtual, tool port, GigaStream maximizes
network security, monitoring and troubleshooting. Network engineers and
Data Center Managers alike will appreciate that GigaStream enables 2.2
terabytes of bandwidth per second on a multi-chassis stack star
configuration. GigaStream allows up to eight 10GB ports to be
bundled between chassis or to a network tool, increasing
chassis-to-chassis bandwidth to 80GB.
“Gaining full network visibility with security and monitoring
tools continue to haunt network engineers and IT management,”
said Patrick Leong, Gigamon CTO. “GigaStream helps solve this
issue by expanding the number of stack ports between GigaVUE chassis
while maintaining low latency and delivering higher performance.
Gigamon remains ahead of the curve and competition because we truly
understand the pain points of our customers and design innovative
solutions that deliver technical and business value.”
Since 2005, enterprise network managers and IT security professionals have always depended on Gigamon's GigaVUE® “orange boxes” to aggregate, filter and replicate customized data streams to all monitoring tools. Gigamon provides access to any network segment at any speed including 10Gig connections. Upon being installed, GigaVUE can aggregate data from multiple segments, filter on specific information within each packet and direct it to all tools needing that information. Any tool can now be connected to the GigaVUE anytime, which provides better monitoring in multiple areas simultaneously.
Gigamon recently became the industry’s first and only NEBS (Network Equipment Building Systems) certified data access switch.
Layer 8 Solutions Inc.
217 Brockmere Cliffs Dr
Brockville, ON K6V5T3