Tool Chaining with PacketRanger
Network and security operations teams, often referred to as NetOps and SecOps, have the difficult task of deploying and managing a complicated tools environment that is constantly evolving to meet the increasing demand for better network service and security assurance. Complicating this problem is the pace at which many organizations are adopting next generation network technologies to maintain a distinct advantage over their competitors. The issue is compounded further now that much of the network traffic flows east-west and insider threats represent an equal risk to the organization.
Of the myriad of issues facing NetOps and SecOps, the following challenges are arguably the most prevalent:
- Ensuring tools are performing optimally
- Managing the delicate balance between network performance and security
- Maintaining network traffic continuity
These challenges impact every decision that is made in an organization’s strategy for Operational Support Systems (OSS). There are three primary dilemmas that must be confronted when defining the OSS strategy:
- Firstly, the choice between comprehensive tools, often referred to as all-in-one solutions, and specialized but disparate solutions that can be from different vendors. All-in-one solutions, such as Unified Threat Management, do have the advantage of reducing complexity and cost over dedicated point-specific solutions. However, they also bring a single point of failure, less functionality and degraded performance.
- The second dilemma is choosing tools that either sit inline or out-of-band to capture and/or inspect network traffic. Inline network performance and security monitoring tools benefit from immediate and automated actions that can shape and affect network traffic. They also introduce points of failure, latency and troubleshooting complications. The reality is that the OSS landscape for many organizations is an amalgamation of all-in-one and specialized tools that are deployed both inline and out-of-band.
- This leads to the final dilemma, and perhaps the most important one of all. It is understanding the synergies between the functions in the tool stack, and distributing traffic of interest across multiple tools.
A strategy that is often used to create synergy between the functions performed by various tools is the concept of tool chaining. Chaining is when two or more devices are linked into unified chains. Network traffic is passed sequentially along the links in the chain, where each tool can then perform its intended function. The concept was born out of the need for multiple inline appliances to see the same data.
Tool chaining today has evolved to take on a broader meaning. With the prevalence of orchestrated and automated response solutions, applications in the tool chain can be out-of-band and still shape and affect traffic. They can be a hybrid where all-in-one solutions are used alongside function-specific solutions. The data shared across these tools can be real and replicated traffic data, as well as network telemetry and logging data (NetFlow/IPFIX, Syslog, SNMP, etc.) generated from inline devices. But despite this evolution in tool chaining, the problem of getting the right data to the right application persists.
Tavve’s PacketRanger is a key piece of the solution for ensuring that applications in the network monitoring tool chain get precisely the data they need to perform optimally and efficiently. PacketRanger is a UDP packet broker that is out-of-band from the real traffic flow, and centralizes the collection of UDP network telemetry and management data from network devices. Using intelligent filtering, flexible data forwarding, anomaly detection and statistical analysis, PacketRanger is a robust solution that streamlines flow data into your monitoring tool chain.
The following diagram illustrates how PacketRanger is used to enable out-of-band Flow-Based DDOS and Threat Monitoring Solutions in the Tool Chain.
In the example above, NetFlow data is needed by both the DDOS mitigation tool and Threat Analytics tool. NetFlow data from the gateway routers is sent to a single destination, PacketRanger. Using flexible data forwarding and filtering, PacketRanger sends only the necessary NetFlow data to the NetFlow Performance analyzer, DDOS Mitigation tool, and APT Analytics tool.
The APT Analytics tool also requires actionable events from the firewalls using Syslog. Syslog data from the firewalls is sent to PacketRanger. PacketRanger sends unfiltered syslog data to a compliance data lake, but filters out informational and low-value syslog data before sending the rest to the APT Analytics tool.
This example shows how PacketRanger can:
- Function as a single destination for NetFlow and Syslog data.
- Use intelligent filtering to remove unwanted data from the tool chain.
- Replicate and direct UDP telemetry and logging data from multiple network devices to the appropriate application(s) in the tool chain.
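The syslog split described above (every message to the compliance data lake, only actionable events to the APT analytics tool) can be sketched in Python as an added example. This is not PacketRanger code or configuration; the destination names, the warning-and-above cut-off and the sample datagrams are assumptions constructed for illustration.

```python
import re

# Constructed example: severity-based fan-out of syslog datagrams.
# Destination names and the cut-off are assumptions, not PacketRanger settings.
LAKE, ANALYTICS = "compliance-lake", "apt-analytics"
MAX_ACTIONABLE = 4  # assumed: emerg(0) .. warning(4) count as actionable

# RFC 3164 / RFC 5424: a datagram starts with <PRI>, PRI = facility * 8 + severity.
_PRI = re.compile(rb"^<(\d{1,3})>")


def parse_severity(datagram: bytes):
    """Return severity 0-7, or None when the PRI header is missing or out of range."""
    m = _PRI.match(datagram)
    if m is None:
        return None
    pri = int(m.group(1))
    return pri & 0x07 if pri <= 191 else None


def route(datagram: bytes, max_severity: int = MAX_ACTIONABLE):
    """Destinations for one datagram: the lake always, analytics only if actionable."""
    dests = [LAKE]  # the compliance copy is never filtered
    sev = parse_severity(datagram)
    if sev is not None and sev <= max_severity:
        dests.append(ANALYTICS)
    return dests


def fan_out(datagrams):
    """Group datagrams by destination; a relay would sendto() each group's collector."""
    queues = {LAKE: [], ANALYTICS: []}
    for d in datagrams:
        for dest in route(d):
            queues[dest].append(d)
    return queues


# Constructed sample firewall messages (hostnames and text are made up).
SAMPLES = [
    b"<134>Jan 12 10:01:22 fw01 traffic: session closed",           # local0.info
    b"<132>Jan 12 10:01:23 fw01 threat: port scan detected",        # local0.warning
    b"<129>1 2024-01-12T10:01:24Z fw02 ids - - - signature match",  # local0.alert, RFC 5424
    b"fw03 message without a priority header",                      # malformed
    b"<999>out-of-range priority",                                  # malformed
]

if __name__ == "__main__":
    for dest, msgs in fan_out(SAMPLES).items():
        print(dest, len(msgs))
```

Datagrams with a missing or invalid priority header reach only the lake in this sketch; counting them separately keeps a misconfigured or spoofed sender from going unnoticed by the analytics side.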
PacketRanger’s robust performance and intelligent capabilities make it the perfect solution to manage UDP telemetry and management data within the network and security monitoring tool chain.