Wednesday, May 25, 2005

Notes on Net Optics Think Tank

Last week I had the good fortune to be invited to speak at a Net Optics Think Tank event. Net Optics is a California-based maker of products which help analysts access traffic for monitoring the security and performance of the network. I recently wrote about the Net Optics tap built in a PCI card form factor. I also use their gear to conduct network security monitoring, as profiled in my first book.

The meeting offered attendees three sessions: the first two were conducted by Net Optics personnel, and I presented the third. The purpose of the sessions was not to sell products, but to solicit feedback from attendees. In fact, in some cases the "products" in question didn't exist yet. Rather than build products customers might not want, or that lack desired features, Net Optics polls its clients and prospective customers and builds the gear those customers need.

The first presentation described the Bypass Switch. This is a really interesting product which I had not paid any attention to prior to the Think Tank event. It is primarily designed to work with inline devices like so-called intrusion prevention systems. Apparently many prospective IPS customers are reluctant to deploy an IPS inline along with their routers and firewalls. Either customers have grown to trust the reliability of those products, or routers and firewalls usually support clustering and/or active failover to mitigate the risk of network down time. IPSs are apparently not that mature. Enter the bypass switch.

As the diagram below shows, traffic is first sent to the bypass switch. The bypass switch ensures that the IPS is alive by sending special heartbeat packets through it. As long as the IPS is functioning (i.e., passing heartbeats), the bypass switch sends traffic to the IPS. Should the heartbeat packets fail to traverse the IPS, the bypass switch reroutes traffic to go directly through the switch, thereby avoiding the failed IPS.

This makes sense for a single IPS that is deployed inline and that supplements a filtering router and firewall. Using a bypass switch would not make much sense if the connected device was a site's only access control mechanism. Who would want traffic to pass if their firewall died?

If power is lost to the bypass switch, it will still pass traffic. It is truly a passive device. This is a big improvement over the average inline appliance, whose loss of power or operating system would bring the entire link down.

The innovation that Net Optics continues to apply to this scenario involves support for dual or multiple devices attached to the bypass switch. In other words, add a second IPS to complement the primary system. Should number one IPS die, route traffic through number two. There are additional opportunities for creativity here, so I suggest watching Net Optics for future product releases.
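The heartbeat logic and the dual-IPS failover described in the two preceding paragraphs, as an added Python simulation (not Net Optics code or anything from the original post; the device names, the three-missed-heartbeats threshold and the tick schedule are constructed). It shows the fail-open decision and the part the post does not spell out: production packets handed to a dead IPS are lost until the heartbeat catches up.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class InlineDevice:
    """An inline IPS as seen by the bypass switch; `alive` is what a heartbeat probe observes."""
    name: str
    alive: bool = True
    def forward(self, pkt: dict) -> Optional[dict]:
        return pkt if self.alive else None  # a dead IPS passes nothing, heartbeats included

@dataclass
class BypassSwitch:
    devices: List[InlineDevice]   # primary IPS first, then standbys (constructed ordering)
    miss_threshold: int = 3       # consecutive lost heartbeats before an IPS is declared failed
    misses: Dict[str, int] = field(default_factory=dict)
    failed: Set[str] = field(default_factory=set)
    def heartbeat(self) -> None:
        """Push one heartbeat through every attached IPS and update its failed/healthy state."""
        for dev in self.devices:
            if dev.forward({"heartbeat": True}) is None:
                self.misses[dev.name] = self.misses.get(dev.name, 0) + 1
                if self.misses[dev.name] >= self.miss_threshold:
                    self.failed.add(dev.name)
            else:
                self.misses[dev.name] = 0
                self.failed.discard(dev.name)  # a recovered IPS goes back into service

    def active_path(self) -> str:
        """Which IPS is in the traffic path now, or 'bypass' when none is healthy."""
        return next((d.name for d in self.devices if d.name not in self.failed), "bypass")

    def route(self, pkt: dict) -> Optional[dict]:
        """Forward a production packet; None means it was lost in transit."""
        path = self.active_path()
        if path == "bypass":
            return pkt  # fail-open: the link stays up even with every IPS dead
        # Until the heartbeat notices a dead IPS, packets are still handed to it and lost.
        return next(d for d in self.devices if d.name == path).forward(pkt)

def simulate() -> List[str]:
    """Constructed scenario: primary dies at tick 2, standby at tick 5; returns the path per tick."""
    primary, standby = InlineDevice("ips-1"), InlineDevice("ips-2")
    sw, deaths, trace = BypassSwitch([primary, standby]), {2: primary, 5: standby}, []
    for tick in range(8):
        if tick in deaths:
            deaths[tick].alive = False
        sw.heartbeat()
        trace.append(sw.active_path())
    return trace
```

The detection window between an IPS dying and the third missed heartbeat is why the heartbeat interval matters as much as the bypass decision itself.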

The second session discussed adding Simple Network Management Protocol (SNMP) support to Net Optics devices. This would allow a tap to report statistics similar to those provided by Cisco device interfaces. While this is useful, I recommended Net Optics provide hardware dip switches to completely disable the feature. Those that want "dumb" taps should still be allowed to deploy them!

Finally, Net Optics asked me to speak on how I conduct monitoring. I delivered a presentation on defensible networks, based on the chapter of the same name in my forthcoming book Extrusion Detection. Essentially, a defensible network is one that can be monitored, controlled, minimized, and kept current. If you would like to hear me speak on this subject, I will be offering a similar presentation at Techno Security 2005 on 13 June in Myrtle Beach, SC. Incidentally, the pictures showing me speaking at the Net Optics Think Tank link to larger versions.
