Feb
25

Securing the Evidence of Network Threat Propagation

Original Entry by : Matt Walmsley

“Spot the bad guys, stop the bad guys,” are rational and valid goals when it comes to securing your network. In fact, many organisations commit the majority of their security resources and investment to defense and detection, often by deploying automated technologies and solutions. But by their very nature, such solutions focus on protecting against known vulnerabilities and threats, have little context of your own network and can’t be a complete security solution.

Attack vectors continue to diversify and accelerate and so many of the security threats now faced are unknown. Such unknown unknowns are therefore impossible to accurately anticipate. Combine that with threats that increasingly embedded themselves within your network and operate autonomously from external command and control functions, and it makes sense that early identification and understanding of anomalous and nefarious network traffic is fundamental to understanding, retarding and then eliminating the propagation pathways of attacks and the staging of malicious code.

Your network is the digital backbone and an essential resource of your organisation, but it’s also the conduit exploited by threats to propagate and infect. Identifying and understanding what, why and how such threats can propagate is key. When you combine your skills, experience, instinct and understanding with hard evidence and insight, then you give yourself the very best chance to make rapid, successful security interventions and actions that close down threat propagation.

Examining your network traffic before, during and after events of interest can provide you a source of actionable insight. Approaches to capture, indexing, search and recall of captured traffic can vary in cost and complexity, ranging from simple open source software tools to high performance, high fidelity Intelligent Network Recording solutions capable of operating at sustained link bandwidths up to 100Gb per second (100Gbps).

I recently shared some thoughts around how to use network recording and analysis for this  issue in our recent webinar “Stop Nefarious Network Hitchhikers: Controlling Threat Propagation” – in which we provided practical tips and techniques using freely available software tools that will enable you to identify, mitigate and close down the transmission pathways and expansion of threats. The webinar is available on demand for you if you’d like to find out more.

 

Tags: , ,
Posted in General, Network visibility | No Comments » Read More

Feb
24

Go on the Offensive with the Endace Fusion Connector for Sourcefire Defense Center

Original Entry by : rick.trujillo

There is an adage in the sporting world that states “the best defense is a good offense.” Some give credit to Jack Dempsey for that quote, but I had a basketball coach that would reverse that saying, “the best offense is a good defense.” I guess because most everyone on the team would focus on dribbling, passing and shooting and not so much on preventing the other team from scoring, much like the NBA. I guess to some degree that is true, if your opponent can’t score, you shouldn’t lose.  Most outcomes are decided on how well your defense is prepared for whatever the opposition can throw at you.

The same can be applied when it comes to security for enterprise networks. Whether you see deploying security detection, intrusion and forensic tools as taking an offensive or defensive position, the idea is the same, protect yourself against the so-called hackers.

Emulex has teamed up with Sourcefire (now part of Cisco) as part of the Endace Fusion Ecosystem™ Program and announced the Endace Fusion Connector for Sourcefire Defense Center. This solution offers a best-of-breed, comprehensive next-generation intrusion detection system (NGIDS) that provides complete forensics visibility of impacted data in the case of breaches, and enables proactive prevention of future threats.

The Endace Fusion Connector for Sourcefire Defense Center works by connecting users to the precise network packets that they need to diagnose, respond to and establish the root cause of a problem through an elegant and seamless workflow. EndaceProbe™ Intelligent Network Recorders (INRs) are deployed at strategic/relevant points across the network to provide 100 percent packet capture at speeds up to 100Gb Ethernet (100GbE). Leveraging the EndaceProbe INRs’ RESTful API, users can click on a Sourcefire Defense Center event and pivot straight to the packets of interest which are delivered to the user as a .PCAP or .ERF file for deep analysis in a protocol analyzer, such as Wireshark.

With total visibility, you gain contextual awareness, correlating extensive amounts of data related to IT environments to make more informed security decisions and implement policies and controls to defend your network. This allows you to rapidly gain deeper insight into critical problems and ultimately lower time to resolution (TTR).

So I guess my old basketball coach was right, the best offense is a good defense.  It just depends on the application. The new Endace Fusion Connector for Sourcefire Defense Center is available for free from the Sourcefire community downloads page.

Learn more about the Endace Fusion Connector for Sourcefire Defense Center here.

 

Tags: , ,
Posted in General, Network visibility | No Comments » Read More

Feb
21

Come visit Emulex at RSA and win a chance to be a fighter pilot for a day!

Original Entry by : sonny.singh

The Endace division of Emulex is exhibiting at RSA 2014 (Booth #2333, South Expo Hall) scheduled from Monday, February 24th to Thursday, February 27th at the Moscone Center in San Francisco, CA.

We will be giving presentations in our booth theatre every hour on topics ranging from how IT departments are deploying Endace Network Visibility Products to improve response times for security incidents to how our valued partners and customers are actually putting these solutions to use in real-world scenarios. We will have guest speakers from our partners including Lancope and Sourcefire in our booth theater presenting on topics including optimizing Security Operations (SecOps) workflows and improving network forensics capabilities to using NetFlow to streamline security analysis and response to cyber threats. Don’t miss it!

In addition to showcasing the Endace Network Visibility Products, we will be offering attendees the opportunity to win some great giveaways including a grand prize giveaway from Nationwide Adventure worth $1,500 and good for everything from race car adventures to being a fighter pilot for a day! With more than 18,000 adventures to choose from, you no longer have to wait for a mid-life crisis to make it happen. Everyone is a winner with Emulex because even if you don’t win the grand prize, you can still spin our “Wheel of Giveaways” and have a chance to win a bevy of gifts ranging from really cool Journey Cooler backpacks to Jawbone Jambox Bluetooth speakers!

And it doesn’t stop there… for showing our appreciation of being a valued customer and attendee, we offer you the opportunity to attend our much coveted customer appreciation cocktail party taking place Tuesday, February 25th, 8 p.m. to midnight at the world-famous Clift hotel in The Rita / Ava Room, which is located on the mezzanine level, and features dramatic white velvet curtains, etched Venetian mirrors and modern banquet furniture that is perfect for enjoying a nice dirty martini while you unwind with your industry peers! And if that doesn’t tickle your taste buds, we will also provide professional cigar rollers who will be on hand to roll you a cigar Don Corleone would even be envious of! Register now before it’s too late.

We look forward to seeing you all at RSA so come ready with curious minds and a healthy appetite for fun and adventure!

 

Tags: , , , ,
Posted in General | No Comments » Read More

Feb
18

Going for the Gold with Next Generation EndaceDAG Data Capture Cards

Original Entry by : rick.trujillo

Okay, I admit it I am a big sports fan, and just like many of you, I enjoy watching great competitions, unlike this year’s Super Bowl. That is unless of course  you’re a Seahawks fan. But every two years, we get treated to the Olympic Games. Whether they are the winter or summer games, the excitement and competition of each event include outcomes determined by fractions of a second. The Olympic judges have the benefit of precise timing equipment and instant replay to make decision on scoring each athlete. They are well aware that the accuracy of this equipment can be the difference between gold, silver or bronze, or maybe missing the podium altogether, not to mention national pride.

Another area where precise accurate timing and replay is essential is network packet capture and recording. Network and security operations teams gather and use this information to resolve network and application performance issues as well as security related events. But to make the recorded data valuable, it must be accurate (high-resolution timestamps), complete (not sampled), and collected from the right places in the network.

Emulex has strengthened its position as the leader in data capture and intelligent network recorders by introducing its next generation EndaceDAG™ Data Capture Cards with Precision Time Protocol (PTP) hardware timestamp capability. PTP is approximately three orders of magnitude (1000 times) more precise than previous technologies (e.g. network time protocol or NTP), offering sub-microsecond timing accuracy that can be implemented at a fraction of the cost of specialized network time appliances (e.g. GPS receivers). Unlike the competition, EndaceDAG Cards provide PTP support through a dedicated 1Gb Ethernet (1GbE) port, which increases your return on investment (ROI), effectively enabling all 10GbE ports on the card to be used for network data streams.

Next generation EndaceDAG Data Capture Cards offer a broad range of features and outstanding performance. EndaceDAG Cards capture 100 percent of available network traffic from the wire, timestamped and transferred to host memory without loss and without impact to live network traffic. This capability makes network key performance indicators (KPIs), such as network latency and packet loss, easier to measure and allows network operation teams to take quick, decisive action to remedy issues at the network packet-level and lower time-to-resolution (TTR).

The next generation o fEndaceDAG Cards provide industry-leading port density advantage with offerings in both dual-port and quad-port 10GbE configurations along with a dedicated PTP port. This effectively doubles port density and halves the price per port when compared to competing solutions that do not offer dedicated PTP ports. It provides a 2:1 port density advantage for customers using the dual-port EndaceDAG Card and a 4:1 port density advantage for customers using the quad-port EndaceDAG Card in PTP applications.

Furthermore, the EndaceDAG Card provides hardware-based processing of a host of enterprise protocols and encapsulated telecom protocols such as GPRS Tunneling Protocol (GTP) and Generic Routing Encapsulation (GRE) for load balancing, classification and filtering that allows EndaceDAG Cards to be deployed in core, mobile, enterprise and cloud network environments.

You can learn more about next generation EndaceDAG Data Capture Cards here.

 

Tags: , ,
Posted in Network visibility | No Comments » Read More

Feb
10

How to Keep Sochi From Sucking Up Bandwidth

Original Entry by : mike.heumann

The Sochi Winter Olympics are officially underway, and as you may have seen, NBC will once again be providing viewers access to live streaming in a multitude of mediums. On the NBCOlympics page, computer users can enter their cable or digital television provider personal user name and password and watch live video of the events. Mobile viewers can also download the free NBC Live Extra App. The iPhone, Droid and iPad app will have live and recorded events, and on demand HD video.  And for the first time, NBCUniversal will stream video on Facebook as part of a partnership deal with the social media giant.

The games run until February 23, which includes 10 business days of events.  Given the time difference, many of the events will air during normal working hours throughout the U.S.  As NBC makes it easier and easier to bring the Olympics viewing experience to the office, are network operations staff prepared for the potential bandwidth onslaught? Employees don’t always realize the impact they can have on network performance and don’t understand how watching something as exciting as the cross country skiing finals could impact their entire company.

Streaming video can be an enormous bandwidth hog and can occupy much more network resources than almost any other application. At a remote office location, even one person watching live video coverage of the Olympics can bring an entire LAN to a standstill. And it doesn’t take more than a handful of viewers at large sites to slow the network to a point where customers have difficulty accessing the company’s Web site or the quality of Internet-based telecommunications tools (like Skype) degrades.

This problem has only been exacerbated by the influx of personal mobile devices into the enterprise, all of which are sucking up bandwidth from the corporate wireless network, which is generally more bandwidth constricted than the fixed-line Ethernet network.

The only way to analyze this traffic and be able to reroute it or add more capacity is to have full visibility into the network.  There are a couple of “best practices” that make performance of this task more likely to result in a successful outcome.  These include:

  • Baseline your networks BEFORE you need to start “allocating” bandwidth.  If you know what your normal network needs are, you are in a better position to set Quality of Service (QoS) policies to guarantee bandwidth for your mission-critical applications.  Most importantly, don’t be satisfied with simply knowing the “average” bandwidth required – look across a several-day baseline to see usage by hour, and pay close attention to if/when you have microburst activity (applications causing his will most likely be the ones impacted first if your network becomes saturated).
  • Since it is likely that most “non-business web browsing” will happen on Bring your Own Devices (BYODs), which are nearly universally wireless, think about isolating your wireless network from your mission- critical network, and consider putting limits on the outside bandwidth served to that network.
  • Monitor your network closely, and look for signs of issues proactively.  High-resolution network visibility tools are critical to ensuring you will see problems before they impact your enterprise.
  • Assume you will run into issues, and plan what your options are when they occur.  If your playbook has already thought-out and documented options to deal with issues, it is far more likely that you can mitigate issues quickly.

Learn more about our network visibility solutions here, and we, like many others around the world, look forward to watching the best of the best compete in Sochi for this year’s Winter Olympics!

** this blog was originally posted to APM Digest

Tags: , , , , ,
Posted in General, Network monitoring best practice series, Network visibility | No Comments » Read More

Jan
31

Let it (Net)Flow…

Original Entry by : Matt Walmsley

NetFlow as a network monitoring and statics technology is not new. To make it work, you need to sample the network and generate NetFlow records, which are sent to a NetFlow collector software application for analysis. NetFlow has been widely adopted and many organisations have invested time and money in learning how to use NetFlow tools to help their network operations teams understand how their network is performing and what is creating fluctuations in traffic.

Back in the day, you’d have your routers and switches generating these records at pre-defined sampling rates, but as network performance continues to scale to 10Gb Ethernet (10GbE), 40GbE and even 100GbE connections, then on-board sampling by the network infrastructure devices begins to create overhead – particularly when the sampling rate needs to increase to create a higher resolution statistical summary of what’s going on. Add that to the fact that an increasing number of high-end network infrastructure devices do not even support NetFlow as a standard, we’re seeing an increasing need to find alternate ways of generating NetFlow records in today’s high speed data centre network links.

Enter the NetFlow Generator – a dedicated device that has the performance needed to monitor traffic on links and provide NetFlow records, high speed sampled or even un-sampled (i.e. generating a complete description rather than a statistical model), of the network traffic flows. Our EndaceFlowTM 3040 NetFlow Generator Appliance (NGA) delivers 100 percent accurate NetFlow generation.  We think it’s a fantastic solution and so did Network Computing who recently reviewed it and found “It’s clearly capable of handling very high traffic loads and during testing we found it remarkably easy to deploy and manage.”

NetFlow generators such as our EndaceFlow 3040, help organisations gain operational insight into their high capacity networks, allowing them keep their business working 24/7. For example, we recently helped one of the largest suppliers of electronic consumer goods in the world do just that – why not read our case study to find out more.

 

Tags: , , ,
Posted in General, Network visibility | No Comments » Read More

Jan
29

APM Digest guest blog: Reducing the Risks Associated with Deploying New Network-Centric Applications

Original Entry by : mike.heumann

I am pleased to have the opportunity as a guest contributing blogger to APM Digest sharing our thoughts on the industry, best practices, and trends. Here is my first blog entry, focused on reducing risks associated with deploying network-centric applications.

~~

It has been clear for quite some time that the network has become the lifeblood of nearly all enterprises.  This is not just true for obvious network-centric enterprises such as retail sites or content distributors, but also for enterprises that utilize distributed applications such as SAP, Oracle, or any number of other network-centric applications.  Over the past few years, a number of new enterprise technologies have emerged that are critically reliant on network performance, but where this reliance is not necessarily obvious.  These technologies include enterprise-class Voice over IP (VOIP) telephony solutions, Virtual Desktop Infrastructure (VDI) solutions, and enterprise collaboration tools.  While the vulnerability of “classical” distributed applications to network performance issues are well-understood, it is quite a different matter for a VDI session to momentarily “freeze,” or for the CEO’s VOIP call to get disrupted due to network issues.  In short, these issues are far more visible than those associated with classical distributed applications, and as technologies such as software-defined networks (SDN) and hybrid private-public enterprise clouds become more prevalent, these issues are likely to become more pronounced rather than less pronounced.

So what do IT departments need to ensure that they can provide the levels of performance from these new technologies that users expect?  The most obvious answer is that they need to know what is really going on in their networks.  While this sounds trite, it is far more difficult than one might expect.  Causative such as microbursts, timeouts, and protocol errors can be difficult to detect with conventional application performance tools, and tying these causative events to the specific “new technology” outages can be even harder.  Given that many of these causative factors can be intermittent in nature certainly doesn’t help.  This is one of the primary reasons that many enterprises have introduced dedicated “network visibility fabrics” that provide instrumentation at key points in the network, exposing the full set of network packets and flow data that underlie these causative issues.  While network visibility fabrics do not prevent these issues from occurring, they do speed the ability to resolve issues, which helps to avoid “outages” of network-centric technologies such as VDI, VoIP, network collaboration tools, and SDN frameworks.

As with most human endeavors, one of the “best practices” for making good decisions is to have the right data.  Even the best decision-making processes can be led to wrong decisions by not having the right data.  As networks (and the applications that depend on them) become more complex and carry more types of data, it becomes more imperative to have the right data to avoid making “guesses” as to what is causing network issues.  Look to see more enterprises implementing network visibility fabrics as dense 10Gb Ethernet networks become more prevalent, and more enterprises start to deploy these new technologies.

Tags: , ,
Posted in General, Network visibility | No Comments » Read More

Jan
15

Network Visibility Makes a Clear Difference to IRESS

Original Entry by : Matt Walmsley

IRESS, a global financial services and trading company, relies on its 10Gb Ethernet (10GbE) network for timely interactions with its customers – completing trades and providing data for trading decision-making. As they are completing make-or-break transactions by the minute, network performance and security is critical to IRESS’ business and service delivery.

In this environment where there’s no tolerance for network delays or security breaches, IRESS turned to the Endace division of Emulex for our network visibility solution which consists of:

With our Endace network visibility solution, IRESS was able to consolidate a number of management tools for tracking packets, thereby reducing maintenance time and overall operational expenditures (OPEX). The beauty of our Endace network visibility solution is that it not only did the job of a number of tools in use, it exceeded their capabilities by providing faster packet retrieval.

Read the full IRESS customer story here to find out how IRESS maximized their network visibility with Endace network visibility solutions.

 

Tags: , , , ,
Posted in Financial Services, Network visibility | No Comments » Read More

Jan
06

We didn’t think Splunk could do DPI. Our testing proved it can!

Original Entry by : admin

By: Alistair Meakin, MarQuest

As a certified Splunk partner, and provider of network operations and security consultancy, MarQuest has extensive knowledge of the benefits Splunk brings to network operations (NetOps) and security operations (SecOps) teams. Curious about the Endace Fusion Connector for Splunk, we completed an independent evaluation of it to assess its usability and benefits. By installing, deploying and using the application, we looked for answers to the following questions:

  • Is the application likely to add value to IT operations?
  • How usable is the application?

A little background

As you’ve guessed by the title, we were impressed by what we found, but let’s start with the real issue at hand – forensic s packet capture.  Determining what happened to cause a network incident, particularly those that damages end user experience or compromise security, is critical. Forensics packet capture is the heartbeat of post-incident analysis. A significant challenge for retrieving relevant data from a forensics capture can be the issue of finding small amounts of data from very large data sets – the “needle in the haystack.” Moreover, with 10Gb Ethernet (10GbE) and more and more mobile devices used for business, where smaller flows are created, actually collecting all the network traffic can be an issue.

Splunk

We deal with networks all day and all night and know that Splunk is a very useful tool for NetOps and SecOps teams. A Splunk dashboard, either customized or from specific apps, shows high level information created from a network incident, such as a service level agreement (SLA) non-compliance or a suspected distributed denial-of-service (DDoS) attack.

Typically, following notification of an incident, NetOps or SecOps staff will gather data packets from the infrastructure, particularly in cases where bit-level information may be useful. Since packet analysis systems generally run independently from any log collation systems, the engineer needs the time of the event from the logs, then determines which protocol ports are relevant and then manually data mines any available packet captures, repeating this process until a root cause or critical item of information is identified. We’ve experienced lengthy delays in resolving an incident, sorting through piles of data.

Wouldn’t it be nice…

We’ve often yearned for a way to make the process of identifying packets related to a log event faster. The payoff would be huge in time savings to our clients. Also, if the system for obtaining packets could be simplified, a skilled analysis can be presented with packets from a non-specialist and so could work more efficiently.

Enter the Endace Fusion Connector for Splunk

We now present our findings of the Endace Fusion Connector for Splunk! It not only achieves this objective by providing an automatic packet forensics search directly from an event reported by Splunk, but it results in a 50 percent reduction in the time taken to get  to the information and insight you need to make an informed and effective decision!

For example, if a server reports high interface usage, packets for this server, starting before the event and finishing afterwards, are needed for analysis. Without the Endace Fusion Connector for Splunk, I had to search Splunk for the event time, location and IP address details and then manually search for and recovering the associated packets from the Endace probe.  This took me around 2 ¾ minutes, even when I instinctively knew the process. When I then enabled the Endace Fusion Connector for Splunk, the time taken reduced to about 75 seconds, an impressive time saving of around 55 percent.

We took our measurements from real-world operations and can see how the time saving easily could be a critical factor in preventing a seemingly benign security attack from escalating into a serious incident. We were also impressed with the ease with which packet captures can be obtained with the Endace Fusion Connector for Splunk. Knowledge of the forensics analyser is not required and the process of obtaining packets is just a few clicks in the Splunk GUI, freeing up senior personnel up for more productive activities.

Read our full report – Solution Testing Brief: The Endace Fusion Connector for Splunk here!

 

Tags: , , ,
Posted in General | No Comments » Read More

Jan
03

Starting 2014 with a bang (and a new EndaceProbe INR release)!

Original Entry by : admin

By: Andy Summers, product engineer

The beginning of any new year is the perfect time to build upon the positive momentum of its predecessor and what better way to start than with the new EndaceProbe™ Intelligent Network Recorder (INR) EP5.1.3 release which does exactly that!

Whilst there’s too much to cover in this blog alone, I’ve focused on some of the key additions to our network visibility tool EndaceVision ™ to give a flavour of the new capabilities that this release brings.

Breakdown by data source

With network topologies becoming increasingly complex and dynamic, it’s getting harder to keep track of traffic coming from any given network segment or device.  The data source breakdown takes the guesswork out of locating the traffic you need by identifying EndaceProbe INR capturing packets relevant to your current search.

Breakdown by IP version

Whether you’re troubleshooting issues with IPv6, investigating an address resolution protocol (ARP) storm, or just keeping a weather eye on network baselines, understanding the relative mix of IPv4, IPv6 and non-IP traffic is a good place to start.  This is now easier than ever with the ‘breakdown by IP version’ providing an at-a-glance overview enabling rapid identification of anomalies and isolation for further analysis.

Time zone support

Whilst UTC (Coordinated Universal Time) is the time zone of choice for academics and aviators, it is rare to find a user who expresses their problem using it.   In recognition of this, it is now possible to select the time zone most relevant to your current investigation, eliminating the need for manual conversion.  Tracking traffic across time zones is still a breeze though as EndaceProbe INRs share a common understanding of time, ensuring the traffic you see at noon Central in Chicago was captured at the same time as traffic from your EndaceProbe INRs in London.

‘Well known’ port toggling

In addition to L7 aware application identification, EndaceVision assists analysts by identifying the Internet Assigned Numbers Authority (IANA) registered application associated with ‘well known’ universal datagram and transmission control protocol (UDP and TCP) ports.  We acknowledge that this may prove confusing when proprietary protocols are run over these ports, so we now offer the option to toggle this capability on and off.

EndacePackets

EndacePackets ™, our web based protocol decode capabilities have also been enhanced with it being easier than ever to increase the number of frames viewed and understand where any given one is located relative to its fellows.

It’s time to welcome in the New Year.  2014 is going to be an exciting one for us and I’m confident you’ll agree that the latest version of our EndaceProbe INR solution gets it off to a great start.

To obtain the latest EndaceProbe INR firmware and take advantage of these exciting new features, please contact your Endace sales representative.

Contact Endace Tech Support to get this upgrade for your EndaceProbie INRs and start 2014 with the highest level of network visibility possible!

Tech Support:
US Toll Free: +1 866 501 3356
UK Toll Free: +44 0800 051 3887
Australia: +61 1800 144 708
New Zealand: +64 7 959 2630

 

Tags: , ,
Posted in General, Network visibility | No Comments » Read More

« Older Entries

Archives

Categories