101 Series: Out-of-Band vs. Inline Network Security

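Designing a modern cybersecurity strategy is no easy feat, because it must protect every component of a complex network while having a limited effect on performance. As expected, we get a lot of questions about the differences between inline and out-of-band security deployments and whether network TAPs or bypass TAPs are needed. Today's security strategies combine both scenarios and use a suite of active blocking and passive monitoring tools.

First, let us clarify the concepts and terminology of out-of-band and inline. These concepts are determined by the tools and strategies deployed to the specific network segments you want to monitor and protect. The terms inline and out-of-band generally refer to where a solution sits within the flow of network traffic: either directly in the stream, processing live data (used with critical links), or outside the stream, processing copies of the data (used throughout the network).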

Detecting Threats with an Out-of-Band Security Strategy

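Out-of-band refers to monitoring tools that optimize network performance by analyzing packet data. Out-of-band tools sit outside the direct flow of traffic and passively process packet data, analyzing specific aspects of the live data stream. In security applications, this analysis improves forensic detection by guaranteeing data quality and integrity, and it reduces MTTR (mean time to resolution), leading to faster analysis and resolution.

An example of an out-of-band security tool is an Intrusion Detection System (IDS). An IDS monitors traffic data, looks for malicious activity or policy violations, and logs the incident, triggering a report for an IT administrator to respond to. Threat detection analyzes the security ecosystem to identify anything that could compromise the network.

Another common out-of-band security solution is Security Information and Event Management (SIEM). SIEMs provide real-time analysis of security alerts by collecting data generated from network tools and hardware event logs, based on the traffic that flows through each tool and how the tool reacted. For devices that cannot generate event logs, packet decoders on the SIEM can evaluate packet headers, identify errors, and create the logs those devices are missing.

Data loss prevention (DLP) is a solution designed to ensure that only authorized people can access sensitive files, since the human element is often the most vulnerable point in the network. DLP can generate reports on the data being used, will break the connection if sensitive files are shared by mistake, and can proactively remove sensitive information from documents in real time.

Network analyzers or forensics tools capture, record, and analyze network packets to determine the source of network security attacks. Forensics tools are designed to collect evidence from network traffic data gathered from different sites or devices, such as firewalls and IDS.

You may ask, how do these out-of-band security tools get their packet data? If you were thinking of a switch's SPAN port, you would be only partially right. There are two ways to get packet data to these out-of-band security tools. As you have probably heard by now, SPAN ports are commonly used for low-throughput situations and are susceptible to dropped packets, duplicate packets, and human error, and can technically be hacked, which makes them a poor choice for modern security strategies.

The biggest challenge many IT teams face with their out-of-band security strategy is ensuring they have no dropped packets or blind spots that may hide threats. This is why most modern networks incorporate a visibility fabric. In a recent report, EMA [Enterprise Management Associates] "recommends that enterprises use TAPs as much as possible in the access layer to avoid network performance impacts and assure packet fidelity." Bottom line, TAPs are a simple, completely reliable way to provide 100% visibility and ensure the success of your security strategy. For networks that monitor a large number of segments, network TAPs can easily feed packet brokers that provide further traffic grooming, aggregation, and load balancing, simplifying your connectivity architecture.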
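The dropped and duplicate packets described above can be checked for by auditing a capture taken at the out-of-band tool's input. The following Python is an added example, not code from the original article; the record layout, the `audit_feed` name, and the sample packets are constructed for illustration, and it assumes one direction of TCP traffic with no sequence-number wraparound.

```python
from collections import defaultdict

# Constructed sample of one TCP direction as seen at the tool's input:
# (src, dst, sport, dport, ip_id, tcp_seq, payload_len)
FLOW = ("10.0.0.5", "10.0.0.9", 44321, 443)
CAPTURE = [
    FLOW + (1, 1000, 500),
    FLOW + (2, 1500, 500),
    FLOW + (2, 1500, 500),   # same IP ID and seq: copied twice by the mirror
    FLOW + (4, 2500, 500),   # bytes 2000-2499 never reached the tool
    FLOW + (7, 1000, 500),   # new IP ID: a genuine TCP retransmission
    FLOW + (5, 3000, 200),
]


def audit_feed(packets):
    """Return (duplicate_indexes, gaps) for a monitoring-feed capture.

    duplicate_indexes: positions of packets that repeat an earlier packet
    exactly at the IP/TCP header level (mirror duplication, not retransmits).
    gaps: (flow, first_missing_seq, missing_bytes) ranges the tool never saw.
    """
    seen = set()
    duplicates = []
    segments = defaultdict(set)  # flow -> {(seq, payload_len)}
    for index, (src, dst, sport, dport, ip_id, seq, length) in enumerate(packets):
        flow = (src, dst, sport, dport)
        fingerprint = flow + (ip_id, seq, length)
        if fingerprint in seen:
            duplicates.append(index)
            continue
        seen.add(fingerprint)
        if length:
            segments[flow].add((seq, length))

    gaps = []
    for flow, segs in segments.items():
        expected = None  # next sequence number a complete feed would contain
        for seq, length in sorted(segs):
            if expected is not None and seq > expected:
                gaps.append((flow, expected, seq - expected))
            end = seq + length
            expected = end if expected is None else max(expected, end)
    return duplicates, gaps


if __name__ == "__main__":
    dups, gaps = audit_feed(CAPTURE)
    print("duplicate packet indexes:", dups)
    print("unseen byte ranges:", gaps)
```

A gap can also reflect loss on the production link itself; comparing against the endpoints' acknowledgements or a second capture point distinguishes feed loss from network loss.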

Active Protection with an Inline Security Strategy

Inline refers to network devices like routers, switches, and firewalls that are considered critical to the function of an enterprise network. Any failure or performance degradation of these devices typically results in dropped packets or errors in the computing programs and processes. These inline devices can also create unexpected downtime, which can lead to revenue loss, damage to company reputation, and disruption of services.

Inline tools are designed to protect these critical links and devices within the network. To do this, instead of passively analyzing copies of the data like their out-of-band brethren, these tools sit directly in the traffic to actively process original data to block threats before they get to devices or other parts of the network.

A common example of an inline tool is the firewall. Firewalls typically sit at the front line of a network, acting as a company's main network connection to the outside world; this "critical link" acts as a liaison between devices in the network. The firewall is designed as a policy enforcer to prevent unauthorized access to data, ensuring network confidentiality. Only traffic defined by firewall policy is allowed on the network, and any other traffic attempting to gain access is blocked. Next-generation firewalls (NGFWs) have additional features beyond a traditional firewall, such as IPS, antivirus, and URL filtering capabilities.

Another critical inline security tool is the Intrusion Prevention System (IPS), a network security and threat prevention technology that provides real-time inspection of network traffic to detect and prevent threats. The IPS is designed to block break-in attempts that cause data theft, ensuring network integrity. Any suspicious or malicious packets are dropped from the live network stream.

While a firewall protects the network, a Web Application Firewall (WAF) protects web applications running on the servers by applying rules to HTTP traffic to protect against attacks like cross-site scripting and SQL injections. The WAF is a device designed to stop web-based application attacks.

SSL encryption protects packets so that sensitive information, such as passwords, credit card information, and bank account information, cannot be gathered as it travels over the network or internet. For security tools to do their job, however, they need access to traffic in an unencrypted state, so SSL decryption is deployed inline to give them that access.

DDoS (Distributed Denial of Service) protection actively defends a targeted server or network against a distributed denial-of-service attack, ensuring network availability. There are both out-of-band and inline applications for DDoS protection. Passive DDoS mitigation sometimes takes several minutes to identify attacks and perform mitigation. Attackers can recognize this window of opportunity and adapt to exploit it with burst attacks. Inline DDoS mitigation solutions detect and mitigate attacks in seconds, providing more accuracy for rapid response. Inline DDoS protection is often used in tandem with deep packet inspection (DPI). DPI inspects the data being sent in detail and usually takes action by blocking, re-routing, or logging.

I know what you’re thinking — let’s add TAPs and packet brokers, as clearly these inline security solutions must demand 100% packet data! And again, you are partially correct. Inline security tools require a specific set of visibility solutions — inline bypass TAPs.

All of these active blocking devices sit in the direct stream of traffic. What happens to the network if there is an issue with the device? Just shut it down? Pull the plug? Or perhaps you are thinking, "my inline device has built-in bypass." We all wish it were that easy. For 24/7 networks whose sole business relies on accessibility and quality of service, network downtime is unacceptable.

Internal bypass software sounds good in theory, but if the device goes down, you still have to replace it and take the link down, creating a single point of failure (SPOF). Not to mention that adding internal or built-in bypass options to your inline tool tends to cost more than an external option. An external bypass prevents that SPOF possibility while also providing a host of benefits. No maintenance windows, imagine that. Operational isolation and tool sandboxing mean you can easily take tools out-of-band for updates, patches, maintenance, or troubleshooting, and optimize and validate them before pushing them back inline. Alongside those maintenance benefits, an external bypass provides additional network resilience, with the flexibility to bypass the tool and keep the network up in the case of a failure, or to fail over to a high availability (HA) solution. Bypass TAPs are a no-brainer for your inline security strategy.

We also hear from many security teams that they are looking for ways to simplify their security stack by incorporating inline hybrid devices like Garland Technology's EdgeLens, which allows you to manage a whole host of both inline and out-of-band tools from one device, providing the reliability of a bypass TAP with the advanced features of a packet broker.

Looking to add inline or out-of-band security monitoring solutions, but not sure where to start? Join us for a brief network Design-IT consultation or demo. No obligation - it’s what we love to do.

Written by Jerry Dillard

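Jerry Dillard, CTO and co-founder of Garland Technology, has more than 20 years of experience in design and engineering, ensuring optimal performance in today's network environments. The inventor of the bypass TAP, Dillard continues to innovate network visibility solutions worldwide.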
