
Protect Your Network: Know Your Baseline Traffic

December 27, 2016

Everyone knows that a standard doctor’s visit begins with a review of your vital signs. They take your blood pressure, check your breathing, read your pulse and take a look at your eyes, ears, nose and throat to get a complete picture of your health. By taking the same readings each time you visit, the doctor builds a baseline and can spot anything out of the ordinary against it.

The same process applies to understanding the health and security of your network. Taking baseline readings of your network traffic is the first step toward efficiently spotting potentially malicious activity: you cannot recognize abnormal traffic until you know what normal looks like.

Every network or security manager needs a framework for deciding which network activities are normal and which should be treated as aberrations. Here are some tips to get you started.

 

How to Determine a Baseline for Your Network Traffic Data

  1. Know which IP addresses are allowed to access the network: Review your firewall rules and flow logs, or run a basic IP scan of your own address ranges, to learn which internal hosts exist and which outside IP addresses regularly talk to your network. When an unknown address tries to reach the network, you will know to look into it. For additional visibility, cross-check network activity against published lists of IP addresses known to deliver malware or host command-and-control servers, keeping in mind that such lists age quickly and that an address on shared hosting can produce false positives.

  2. Understand the balance of your network traffic: Start analyzing the data at the WAN edge, the point where your network meets the outside world. Look at how much traffic stays internal versus how much is sent externally, and in which direction. Examine the average load per server and per key business application. Regardless of how your environment is set up, virtualized or hierarchical, you need to ascertain how often your critical data stores are accessed, by whom and from where.

  3. Evaluate peak vs normal conditions: When persistent attacks are launched, attackers try their best to mimic normal conditions, but their additional activity still leaves a trail. Compare like with like (Monday at 9 a.m. against previous Mondays at 9 a.m., not against a single daily average) so that ordinary business cycles neither mask nor mimic a problem. If you see peak traffic levels during traditionally off-peak periods, you may have an issue.
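The three tips above can be turned into a small, repeatable check. The following script is an added example and is not Garland Technology code: it builds a per-hour baseline of outbound bytes from a training window of flow records, then runs a new day against it, flagging external peers that are not on the allow list, hits on a threat list, and hours whose outbound volume is out of line with the baseline for that hour. The flow records, the internal address blocks, the allow list, the threat list, the business-hours window and the flagging thresholds are all constructed or assumed for the demo; in practice the records would come from NetFlow/IPFIX, a TAP feed or firewall logs.

```python
"""Baseline-and-deviation check over constructed flow records.

Added example, not Garland Technology code. Every address, list and
threshold below is constructed or assumed for the demonstration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed
KNOWN_EXTERNAL = {"203.0.113.10", "198.51.100.7"}   # tip 1: constructed allow list
THREAT_LIST = {"192.0.2.99"}                        # tip 1: stand-in for a downloaded C2/malware list
BUSINESS_HOURS = range(8, 18)                       # tip 3: assumed peak window


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def constructed_flows(days):
    """Constructed records (timestamp, src, dst, bytes): one outbound and one
    internal flow per hour, busy in business hours and quiet at night."""
    flows = []
    for day in days:
        for hour in range(24):
            ts = f"2016-12-{day:02d}T{hour:02d}:00:00"
            base = 50_000_000 if hour in BUSINESS_HOURS else 2_000_000
            # small day-to-day drift so the baseline has a non-zero spread
            flows.append((ts, "10.1.1.20", "203.0.113.10", base + day * 100_000))
            flows.append((ts, "10.1.1.20", "10.2.0.5", 20_000_000))
    return flows


TRAINING = constructed_flows(range(1, 7))            # six "known good" days
TODAY = constructed_flows([7]) + [                   # day 7 plus two constructed anomalies
    ("2016-12-07T03:00:00", "10.1.1.20", "198.18.0.5", 400_000_000),  # 3 a.m. bulk upload
    ("2016-12-07T03:00:00", "192.0.2.99", "10.1.1.20", 1_000),        # inbound from threat list
]


def outbound_by_slot(flows):
    """Sum bytes leaving the network per (date, hour) slot."""
    totals = defaultdict(int)
    for ts, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[(ts[:10], int(ts[11:13]))] += nbytes
    return totals


def build_baseline(flows):
    """Tips 2 and 3: mean and spread of outbound bytes for each hour of the day."""
    by_hour = defaultdict(list)
    for (_, hour), total in outbound_by_slot(flows).items():
        by_hour[hour].append(total)
    return {h: (mean(v), pstdev(v)) for h, v in by_hour.items()}


def traffic_balance(flows):
    """Tip 2: fraction of bytes that stay internal vs cross the WAN edge."""
    internal = external = 0
    for _, src, dst, nbytes in flows:
        if is_internal(src) and is_internal(dst):
            internal += nbytes
        else:
            external += nbytes
    total = internal + external
    return internal / total, external / total


def unexpected_peers(flows):
    """Tip 1: external addresses missing from the allow list, and threat-list hits."""
    unknown, threats = set(), set()
    for _, src, dst, _ in flows:
        for ip in (src, dst):
            if is_internal(ip):
                continue
            if ip in THREAT_LIST:
                threats.add(ip)
            elif ip not in KNOWN_EXTERNAL:
                unknown.add(ip)
    return unknown, threats


def volume_anomalies(flows, baseline, sigma=3.0):
    """Tip 3: slots whose outbound volume exceeds the baseline for that hour.

    A slot is flagged above mean + sigma*stddev, with a floor of twice the
    mean so a near-constant baseline does not fire on tiny drift (sigma and
    the 2x floor are assumed thresholds). Each flag records whether the slot
    is off-peak, the case the text calls out."""
    flagged = []
    for (date, hour), total in sorted(outbound_by_slot(flows).items()):
        avg, sd = baseline[hour]
        threshold = max(avg + sigma * sd, 2 * avg)
        if total > threshold:
            flagged.append((date, hour, total, round(avg), hour not in BUSINESS_HOURS))
    return flagged


if __name__ == "__main__":
    base = build_baseline(TRAINING)
    print("internal/external share:", traffic_balance(TRAINING))
    print("unknown peers, threat hits:", unexpected_peers(TODAY))
    for date, hour, total, avg, off_peak in volume_anomalies(TODAY, base):
        print(f"{date} {hour:02d}:00 out={total} baseline={avg} off_peak={off_peak}")
```

The comparison is per hour of day, which is the "like with like" point from tip 3: the 3 a.m. upload is flagged because 3 a.m. is normally quiet, even though its volume would look unremarkable next to the daytime average. Extending the key to (weekday, hour) is the obvious next step for a real network.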

[Figure: baseline traffic graph (Baseline_Graph.jpeg)]
 



 

Dangers of Not Knowing Your Baselines

Back in 2015, cyber criminals were found to have used a Trojan and botnet (the campaign Kaspersky Lab published as Carbanak) to take remote control of bank computers at about 100 institutions in 30 countries. After gaining access to the banks' internal networks, the attackers spent months learning each bank's procedures and then transferred money to fraudulent accounts, losses that investigators estimated at up to one billion dollars in total. The intrusions ran for an extended period in each bank, and they could have been caught far earlier.

Had the banks under attack understood the importance of baselines, the monetary losses could have been much lower. The attackers' reconnaissance and data collection produced a persistent increase in outgoing traffic that a baseline comparison would have exposed as a problem. In the end, one of the affected banks did notice suspicious activity, began questioning it and triggered the investigation that finally put a stop to the campaign.

By understanding what is normal for your network, you can avoid a fiasco like the one these banks went through.

 

Visibility is the First Piece of the Puzzle

There’s no denying that total network visibility is essential to security. Creating a baseline covers one piece of the puzzle; you still have to make sure your enforcement layer is strong. Quality firewalls, web application firewalls and advanced threat detection systems all contribute to a sound security architecture. However, without baseline traffic data you won’t be able to accurately interpret the alerts and statistics these appliances produce, because you will have no way to tell an unusual reading from a normal one.

 


Heartbeats Packets Inside the Bypass TAP

If the inline security tool goes off-line, the TAP bypasses the tool and automatically keeps the link flowing. The bypass TAP detects the outage by sending heartbeat packets to the inline security tool. As long as the tool is on-line, it returns the heartbeat packets to the TAP, and the link traffic continues to flow through the inline security tool.

If the heartbeat packets are not returned to the TAP (indicating that the inline security tool has gone off-line), the TAP automatically 'bypasses' the tool and keeps the link traffic flowing around it. Because the heartbeats travel with the link traffic, the TAP also removes them before putting the traffic back onto the critical link, so the heartbeats never reach the production network.

While the TAP is in bypass mode, it continues to send heartbeat packets to the inline security tool. Once the tool is back on-line, it begins returning the heartbeat packets to the TAP, indicating that it is ready to go back to work. The TAP then directs the link traffic back through the inline security tool, together with the heartbeat packets, placing the tool back inline.

Some of you may have noticed a flaw in the logic behind this solution! You say, “What if the TAP itself fails? It is also inline, so the link will fail with it!” The TAP would then be a single point of failure. That is a good catch, but in our blog on Bypass vs. Failsafe, I explained that if a TAP fails or loses power, it must provide failsafe protection to the link it is attached to. So our network TAP goes into failsafe mode, closing the path between its network ports so the link keeps flowing. Note the trade-off: in both bypass and failsafe mode the link stays up, but the traffic is no longer inspected, so both events should be alarmed and treated as a loss of security coverage, not just a network event.
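To make the heartbeat logic concrete, here is a small simulation of the state machine described above: inline while heartbeats come back, bypass after they stop, strip heartbeats before traffic returns to the link, return the tool to service when heartbeats resume, and failsafe when the TAP itself loses power. It is an added example and is not Garland Technology firmware; the heartbeat marker, the miss threshold before engaging bypass, the stand-in tool that blocks frames containing "evil", and the single-tool topology are all assumptions made for the demo.

```python
"""Simulation of a bypass TAP's heartbeat logic.

Added example, not Garland Technology firmware. The heartbeat frame, the
miss threshold and the stand-in inline tool are assumptions for the demo.
"""

HEARTBEAT = b"HB"  # assumed: marker frame the TAP injects and later strips


class InlineTool:
    """Stand-in inline security tool. When up it returns every frame except
    those it blocks (here, anything containing b"evil"); when down it returns
    nothing at all, so the heartbeat does not come back either."""

    def __init__(self):
        self.up = True

    def process(self, frames):
        if not self.up:
            return []
        return [f for f in frames if b"evil" not in f]


class BypassTap:
    def __init__(self, tool, miss_threshold=3):
        self.tool = tool
        self.miss_threshold = miss_threshold  # assumed: lost heartbeats before bypass
        self.missed = 0
        self.bypass = False
        self.powered = True
        self.events = []  # what an operator would want alarmed

    def forward(self, frames):
        """Push one batch of link traffic through the TAP.

        Returns (frames that exit onto the link, mode), where mode is the
        state the TAP was in when this batch arrived: 'inline', 'bypass' or
        'failsafe'. State changes caused by this batch apply to the next one."""
        frames = list(frames)
        if not self.powered:
            # Failsafe: a dead TAP closes the path between its network ports.
            # The link stays up, but nothing is inspected.
            return frames, "failsafe"

        mode = "bypass" if self.bypass else "inline"
        if self.bypass:
            # Link traffic goes around the tool; only heartbeats are sent to it.
            returned = self.tool.process([HEARTBEAT])
            out = frames
        else:
            # Heartbeats ride along with link traffic through the tool...
            returned = self.tool.process(frames + [HEARTBEAT])
            # ...and are removed before the traffic goes back onto the link.
            # If the tool is down, this batch is lost: that is the real cost
            # of the detection delay before bypass engages.
            out = [f for f in returned if f != HEARTBEAT]

        if HEARTBEAT in returned:
            self.missed = 0
            if self.bypass:
                self.bypass = False
                self.events.append("tool restored; returning traffic inline")
        else:
            self.missed += 1
            if not self.bypass and self.missed >= self.miss_threshold:
                self.bypass = True
                self.events.append(
                    f"bypass engaged after {self.missed} missed heartbeats")
        return out, mode


if __name__ == "__main__":
    tool, tap = InlineTool(), BypassTap(InlineTool(), miss_threshold=2)
    tap.tool = tool
    print(tap.forward([b"GET /", b"evil", b"ok"]))   # tool blocks the bad frame
    tool.up = False
    for _ in range(3):
        print(tap.forward([b"probe"]))               # lost, lost, then bypassed
    tool.up = True
    print(tap.forward([b"back"]), tap.forward([b"evil", b"fine"]))
    tap.powered = False
    print(tap.forward([b"evil"]))                    # failsafe: passes uninspected
    print(tap.events)
```

The simulation makes the two caveats visible: frames sent to a dead tool before the miss threshold is reached are lost, so the heartbeat interval and threshold are a trade-off between false bypasses and outage length, and in both bypass and failsafe mode a frame the tool would have blocked reaches the link.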

Glossary

  1. Single point of failure: a component whose failure brings down a larger part, or all, of the system it belongs to; an inline device with no bypass or failsafe path is one for the link it sits on.

  2. Heartbeat packet: a software-based detection mechanism in which a bypass TAP injects marker packets toward an inline appliance and monitors whether they come back, in order to judge the appliance's health.

  3. Critical link: a connection between two or more network devices or appliances whose failure disrupts the network.
