Designing a modern security strategy is no easy feat, as it must protect all components of a complex network, while having a limited effect on performance. As expected, we get a lot of questions about the differences between an inline and out-of-band security deployment and whether or not network TAPs or Bypass TAPs are needed.
Today’s security strategies incorporate both scenarios, with a suite of active blocking and passive monitoring tools. First let’s clear up the concepts and terminology of out-of-band and inline. These concepts are determined by the tools and strategies you are deploying to the specific network segments you are monitoring and protecting.
The terms inline and out-of-band refer to where a solution sits relative to the traffic it handles. An inline tool sits directly in the data path and processes the original packets in real time, which is why it is reserved for critical links where blocking matters. An out-of-band tool sits outside the path and processes a copy of the traffic, which is why it can be deployed throughout the network without affecting the links it watches.
Detecting Threats with Out-of-Band Security Strategies
Out-of-band refers to monitoring tools that sit outside the direct traffic flow and passively analyze copies of the packets, whether to tune network performance or to look for threats. Because they never touch the original traffic, they cannot slow down or break a link, but they also cannot stop anything. In security applications the goal is better detection, usable forensic evidence and a lower MTTR (mean time to resolution), and all three depend on the tool receiving a complete, unaltered copy of the traffic: missing or duplicated packets produce gaps in the evidence and false conclusions.
An example of an out-of-band security tool is an Intrusion Detection System (IDS). An IDS inspects traffic for signatures of known attacks, anomalous behavior or policy violations and logs events that feed alerts for the security team to investigate. On its own an IDS only reports; blocking requires a separate inline control or an automated response that acts on its alerts.
Another common out-of-band security solution is a Security Information and Event Management (SIEM) system. A SIEM collects the event logs that firewalls, IPS, servers and other devices generate about the traffic they handled and how they reacted to it, correlates them and raises alerts in near real time. For network segments or devices that produce no usable logs, some SIEM deployments add a network sensor fed by a TAP or packet broker that decodes packet headers, flags errors and generates log records for those locations.
Data Loss Prevention (DLP) is designed to make sure that sensitive data is accessed and shared only by those authorized to do so, since the people handling data are often the weakest point in the network. Out-of-band DLP monitors traffic and reports what sensitive data is being used and where it is going; the active responses, dropping a connection that is sharing sensitive files incorrectly or redacting sensitive fields from a document in transit, require the DLP to sit inline or to act through an inline enforcement point.
Network analyzers or forensics tools capture, record and analyze network packets to determine the source of network security attacks. Forensics tools are designed to collect evidence from the network traffic data, collected from different sites or devices, such as firewalls and IDS.
You may ask how these out-of-band security tools get their packet data. If you are thinking of SPAN (mirror) ports on the switch, you are partially correct: the two ways to feed packet data to an out-of-band tool are SPAN ports and network TAPs. SPAN ports suit low-throughput situations. Mirroring is a low-priority task for the switch, so it drops packets when the mirror port is oversubscribed (a full-duplex 1G link carries up to 2 Gbps, more than a 1G mirror port can emit) or when the switch is busy; it can duplicate packets, for example when both directions of a VLAN are mirrored; its configuration is prone to human error; and anyone with administrative access to the switch can quietly reconfigure or disable the session, which means the monitoring itself can be attacked. That is not a good recipe for a modern security strategy.
The top challenges IT teams face with out-of-band security strategies are dropped packets and blind spots that can mask threats, which is why most modern networks incorporate a visibility fabric. In a recent report, EMA [Enterprise Management Associates] “Recommends that enterprises use TAPs as much as possible in the access layer to avoid network performance impacts and assure packet fidelity.” The bottom line is that a network TAP is a simple, reliable way to deliver a complete copy of every packet on a link, including errors and malformed frames, without affecting the link itself. Complete visibility still depends on the tool behind the TAP keeping up with line rate, so for networks monitoring many segments, TAPs feed into packet brokers for further traffic grooming, aggregation, filtering and load balancing across tools.
Active Protection with Inline Security Strategies
Inline refers to devices that sit directly in the traffic path, such as routers, switches and firewalls, and are therefore critical to the function of the network. Any failure or performance degradation of an inline device shows up immediately as dropped packets, added latency or errors in the applications that depend on the link, and an outright failure causes unexpected downtime, with revenue loss, reputational damage and disrupted services.
Inline tools are designed to protect these critical links and devices within the network. To do this, instead of passively analyzing copies of the data like their out-of-band brethren, these tools sit directly in the traffic to actively process original data to block threats before they get to devices or other parts of the network.
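To make the difference concrete, here is an added example (not code from the original page or from any vendor) that runs the same signature logic two ways: as an out-of-band monitor that inspects a copy after the TAP has already forwarded the original, and as an inline filter that drops matches before they reach the server. The packets, the two byte-pattern signatures and the Packet class are all constructed for the demonstration; the third packet is a legitimate request that happens to contain a signature, to show what a false positive costs in each model.

```python
"""Added example (not from the original page): the same detection logic deployed
out-of-band on a copy of the traffic and inline on the original traffic.

The packets, the signatures and the Packet class are constructed for the demo."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Hypothetical byte-pattern signatures, standing in for a real IDS/IPS ruleset.
SIGNATURES = {
    "sqli-probe": b"' OR 1=1",
    "xss-probe": b"<script>",
}


def match(pkt: Packet):
    """Return the name of the first signature present in the payload, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in pkt.payload:
            return name
    return None


def out_of_band_monitor(stream):
    """IDS-style deployment: the TAP has already forwarded the original packet to the
    server; the tool inspects a copy. It can alert, never drop."""
    delivered, alerts = [], []
    for pkt in stream:
        delivered.append(pkt)                  # original is already on its way
        hit = match(pkt)
        if hit:
            alerts.append((hit, pkt.src))      # someone or something must act later
    return delivered, alerts


def inline_filter(stream):
    """IPS-style deployment: the tool is in the path, so a match means the packet
    never reaches the server. A false positive never reaches the server either."""
    delivered, alerts = [], []
    for pkt in stream:
        hit = match(pkt)
        if hit:
            alerts.append((hit, pkt.src))
            continue                           # dropped from the live stream
        delivered.append(pkt)
    return delivered, alerts


# Constructed traffic: one normal request, one SQL injection probe, and one
# legitimate wiki edit that happens to contain a signature (a false positive).
SAMPLE_STREAM = [
    Packet("10.0.0.5", "10.0.1.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("203.0.113.9", "10.0.1.10", 80, b"GET /login?user=admin' OR 1=1-- HTTP/1.1\r\n"),
    Packet("10.0.0.7", "10.0.1.10", 80, b"POST /wiki/edit body=Use <script> tags for... HTTP/1.1\r\n"),
]


def compare(stream=SAMPLE_STREAM):
    """Summarize what each deployment model lets through and what it alerts on."""
    oob_delivered, oob_alerts = out_of_band_monitor(stream)
    inl_delivered, inl_alerts = inline_filter(stream)
    return {
        "oob_delivered": len(oob_delivered),
        "oob_alerts": [name for name, _ in oob_alerts],
        "inline_delivered": len(inl_delivered),
        "inline_alerts": [name for name, _ in inl_alerts],
    }


if __name__ == "__main__":
    print(compare())
```

Both deployments raise the same two alerts, but the out-of-band monitor delivers all three packets (the probe included) while the inline filter delivers only one: it stops the probe, and it also stops the legitimate wiki edit. That is the trade the rest of this article is about. Out-of-band tools cannot protect, only inform, and a bad rule only costs you a bad alert; inline tools protect, and a bad rule costs you traffic, which is why their rules need tuning and why the device itself needs a bypass.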
The most common inline security tool is the firewall. A firewall typically sits at the front line of the network, on the critical link that connects the company to the outside world, and between zones inside the network. It is a policy enforcer designed to prevent unauthorized access to data and so protect confidentiality: only traffic the firewall policy explicitly allows is passed, and everything else is blocked. A Next-Generation Firewall (NGFW) adds features beyond a traditional firewall, such as IPS, anti-virus and URL filtering.
Another critical inline security tool is an Intrusion Prevention System (IPS), which inspects network traffic in real time to detect and prevent threats, protecting network integrity by blocking break-in attempts before they lead to data theft. Suspicious or malicious packets are dropped from the live stream rather than merely logged, which is what separates an IPS from an IDS; the flip side is that a false positive on an inline IPS blocks legitimate traffic, so its rules need more careful tuning than an IDS's.
While a firewall protects the network, a Web Application Firewall (WAF) protects the web applications running on the servers behind it by applying rules to HTTP traffic, blocking attacks such as cross-site scripting and SQL injection that look like ordinary web requests to a network firewall.
SSL/TLS decryption is deployed inline for a reason that sounds backwards at first. Encryption protects passwords, card numbers and bank details as they cross the network or the internet, but it hides that same traffic from the security tools, which need it in an unencrypted state to do their job. A decryption appliance terminates the TLS session, hands the cleartext to inline and out-of-band tools for inspection, and re-encrypts it toward its destination. Without this step a large and growing share of traffic is invisible to the IPS, WAF and DLP. The cleartext feed is itself sensitive, so it should reach only the tools that need it, and the decryption policy should exempt categories that privacy rules or regulations require.
DDoS (Distributed Denial of Service) protection defends a targeted server or network against a distributed denial-of-service attack, protecting availability. It comes in both out-of-band and inline forms. Out-of-band mitigation detects an attack from flow data or a TAP feed and then steers traffic into mitigation, which can take several minutes; attackers recognize this window and exploit it with short burst attacks that finish before mitigation kicks in. Inline DDoS mitigation detects and drops attack traffic in seconds because the device is already in the path, giving a faster and more accurate response. Inline DDoS protection is often paired with deep packet inspection (DPI), which examines packet contents rather than only headers and then blocks, re-routes or logs the traffic.
I know what you’re thinking — let’s add TAPs and packet brokers, as clearly these inline security solutions must demand 100% packet data! And again, you are partially correct. Inline security tools require a specific set of visibility solutions — inline bypass TAPs.
All of these active blocking devices sit in the direct stream of traffic. What happens to the network when one of them has a problem? Shut it down? Pull the plug? Rely on the bypass built into the inline device? We all wish it were that easy. On a 24/7 network whose business depends on accessibility and quality of service, network downtime is unacceptable.
Internal bypass sounds good in theory, but if the device itself fails you still have to replace it, which means taking the link down, so the device remains a single point of failure, and built-in bypass options tend to cost more than an external one. An external bypass TAP removes that SPOF and brings a host of other benefits. It watches the tool with a heartbeat and, when the tool stops answering, switches the link to pass straight through the TAP while the tool is repaired, or fails over to a high-availability [HA] pair. Operational isolation and tool sandboxing mean you can take a tool out-of-band for updates, patches, maintenance or troubleshooting, feed it a copy of the traffic to validate the change, and push it back inline with no maintenance window. One design decision remains yours: a bypass TAP can fail open (traffic keeps flowing, but unscanned, while the tool is out) or fail closed (the link goes down rather than pass uninspected traffic), and the right choice depends on the segment. Bypass TAPs are a no-brainer for an inline security strategy.
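As an added example that is not part of the original post and not any vendor's firmware, the following Python simulation models the behavior described above: heartbeat monitoring of an inline tool, automatic bypass after a run of missed heartbeats, the fail-open versus fail-closed choice, recovery back inline, and a maintenance mode in which the tool receives copies of the traffic like an out-of-band tool while the link keeps flowing. The InlineTool and BypassTap classes, the three-miss threshold and the packets are all constructed for the demonstration.

```python
"""Added example (not from the original page or any vendor's product): a simulation
of how an external bypass TAP keeps an inline link up when the tool behind it fails,
and how it takes the tool out-of-band for maintenance without a link outage.

InlineTool, BypassTap, the heartbeat threshold and the traffic are all constructed."""


class InlineTool:
    """Stand-in for an IPS or firewall: drops packets flagged malicious, and
    stops answering heartbeats once it has crashed."""

    def __init__(self):
        self.healthy = True
        self.mirror = []                  # copies received while out-of-band

    def heartbeat(self) -> bool:
        return self.healthy

    def process(self, pkt):
        if not self.healthy:
            raise RuntimeError("inline tool is down")
        return None if pkt["malicious"] else pkt


class BypassTap:
    """External bypass TAP. In 'inline' mode traffic goes through the tool; in
    'bypass' mode (after missed heartbeats) or 'maintenance' mode the tool is out
    of the path. fail_open decides whether an unscanned link stays up or goes down."""

    def __init__(self, tool, fail_open=True, missed_limit=3):
        self.tool = tool
        self.fail_open = fail_open
        self.missed_limit = missed_limit  # consecutive misses before bypassing
        self.missed = 0
        self.mode = "inline"
        self.events = []

    def check_heartbeat(self):
        """A real TAP runs this on a timer; here it is called explicitly."""
        if self.tool.heartbeat():
            self.missed = 0
            if self.mode == "bypass":
                self.mode = "inline"
                self.events.append("tool recovered, traffic back inline")
        else:
            self.missed += 1
            if self.mode == "inline" and self.missed >= self.missed_limit:
                self.mode = "bypass"
                self.events.append("heartbeat lost, tool bypassed")

    def set_maintenance(self, enabled: bool):
        """Operator takes the tool out-of-band (or back inline) with the link up."""
        self.mode = "maintenance" if enabled else "inline"

    def forward(self, pkt):
        """Return the packet delivered to the network side, or None if dropped."""
        if self.mode == "inline":
            return self.tool.process(pkt)
        if self.mode == "maintenance":
            self.tool.mirror.append(dict(pkt))   # tool sees a copy, like an IDS
            return pkt
        # bypass mode: the tool is unreachable, policy decides what the link does
        return pkt if self.fail_open else None


def run_scenario(fail_open=True):
    """Walk one link through normal operation, tool failure, recovery and maintenance."""
    tool = InlineTool()
    tap = BypassTap(tool, fail_open=fail_open)
    good = {"id": 1, "malicious": False}
    bad = {"id": 2, "malicious": True}
    r = {}

    r["inline_blocks_bad"] = tap.forward(good) is good and tap.forward(bad) is None

    tool.healthy = False                 # the tool crashes
    for _ in range(tap.missed_limit):
        tap.check_heartbeat()
    r["mode_after_failure"] = tap.mode
    r["link_up_after_failure"] = tap.forward(good) is good
    r["bad_passes_after_failure"] = tap.forward(bad) is bad   # the cost of fail-open

    tool.healthy = True                  # tool rebooted or replaced
    tap.check_heartbeat()
    r["mode_after_recovery"] = tap.mode

    tap.set_maintenance(True)            # e.g. patching: copies only, no blocking
    r["maintenance_passes_bad"] = tap.forward(bad) is bad
    r["maintenance_copies_seen"] = len(tool.mirror)
    tap.set_maintenance(False)
    r["events"] = list(tap.events)
    return r


if __name__ == "__main__":
    print(run_scenario(fail_open=True))
    print(run_scenario(fail_open=False))
```

Run it with fail_open=True and the link never goes down, but the malicious packet sails through while the tool is bypassed; run it with fail_open=False and the same failure takes the link down instead. Neither is "right" in general: fail open on a link whose availability is the business, fail closed where passing uninspected traffic is worse than an outage. The maintenance step shows the other benefit from the text: the tool keeps seeing traffic (as copies) so a patch can be validated before the tool goes back inline.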
We also hear from many security teams that they are looking for ways to simplify their security stack by incorporating inline hybrid devices like Garland’s EdgeLens, which lets you manage a whole host of both inline and out-of-band tools from one device, providing the reliability of a bypass TAP with the advanced features of a packet broker.
Looking to add inline or out-of-band security monitoring solutions, but not sure where to start? Join us for a brief network Design-IT consultation or demo. No obligation - it’s what we love to do.