Cost savings and improved visibility for major financial institution
Provides the ability to select only interesting traffic to send to their sensors.
A financial institution has redundant firewalls and an asymmetrical routing pattern within their network. This means that in order to see traffic that enters one side of the network and exits via the other side, numerous analysis and security devices are required.
If an examiner is trying to collect information about a virus or attack that is coming in one path and exiting another, that information is gathered by two analysis tools. The trace files from those tools would need to be merged manually, or consolidated at another console to see the entire conversation.
The solution from Datacom Systems passively taps the connections between the routers, ensuring that no traffic is lost or interrupted between these devices.
To collect Intrusion Detection data on conversations traversing two network segments, two IDS sensors are required. Again, the traffic from each sensor needs to be collected and consolidated, although many IDS Management Software programs handle this at the IDS Management Workstation.
SPAN ports must be set up to collect information for the analysis tools. SPAN ports are configured on the network routers/switches. The risk associated with SPAN ports is that network administrators can turn them on or off, and reassign them to different ports. If an unauthorized change to the SPAN occurs, the analysis tool may not see the required traffic.
The solution passively taps the connections between the routers for both asymmetric routes. This passive tapping ensures that no traffic is lost or interrupted between these devices.
The solution gives administrators the ability to select only interesting traffic to send to their sensors. Filters can be based upon port ranges, IP addresses or ranges, MAC addresses or ranges, or other information in the packet header. This hardware-based, line-rate filtering technology can eliminate sensor oversubscription. Since many sensor network interface cards struggle to collect information at line rate, filtering gives these devices the ability to focus on interesting traffic, or on traffic from particular networks or VLANs.
After tapping and filtering, the traffic is aggregated to bring together the streams from both network segments. This aggregation allows the IDS sensor and the analysis tool to see traffic from BOTH network segments.
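To make the tap, filter and aggregate steps concrete, here is an added illustration in Python; it is not Datacom Systems code and does not model any real product. It constructs two small feeds of packet-header records standing in for the two passive taps on the asymmetric route (requests enter via tap A, replies exit via tap B), applies header filters of the kind described above (IP range, port range), and merges the surviving packets into one time-ordered stream. Keyed by a direction-independent 5-tuple, the merged stream shows both halves of a conversation that either tap alone would show only one side of. All addresses, ports and timestamps are constructed sample values.

```python
"""Added illustration: two passive tap feeds on an asymmetric route, header
filtering, and aggregation into a single stream for one sensor.
The packet records below are constructed, not captured from a real network."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float      # capture timestamp in seconds
    src: str       # source IPv4 address
    dst: str       # destination IPv4 address
    proto: str     # "tcp" or "udp"
    sport: int     # source port
    dport: int     # destination port
    tap: str       # which tap observed the packet ("A" or "B")


# Constructed sample: client 10.1.1.5 talks to server 192.0.2.10:443.
# With asymmetric routing the request path crosses tap A only and the
# reply path crosses tap B only, so neither tap sees the whole exchange.
TAP_A: List[Packet] = [
    Packet(1.000, "10.1.1.5", "192.0.2.10", "tcp", 50000, 443, "A"),
    Packet(1.002, "10.1.1.5", "192.0.2.10", "tcp", 50000, 443, "A"),
    Packet(1.010, "10.1.1.9", "198.51.100.7", "udp", 40000, 53, "A"),  # unrelated DNS
]
TAP_B: List[Packet] = [
    Packet(1.001, "192.0.2.10", "10.1.1.5", "tcp", 443, 50000, "B"),
    Packet(1.003, "192.0.2.10", "10.1.1.5", "tcp", 443, 50000, "B"),
    Packet(1.011, "198.51.100.7", "10.1.1.9", "udp", 53, 40000, "B"),
]

Filter = Callable[[Packet], bool]


def ip_in(*cidrs: str) -> Filter:
    """Header filter: keep packets whose source or destination falls in any CIDR."""
    nets = [ip_network(c) for c in cidrs]
    return lambda p: any(ip_address(p.src) in n or ip_address(p.dst) in n for n in nets)


def port_in(lo: int, hi: int) -> Filter:
    """Header filter: keep packets with either port inside the inclusive range."""
    return lambda p: lo <= p.sport <= hi or lo <= p.dport <= hi


def flow_key(p: Packet) -> Tuple:
    """Direction-independent 5-tuple so both halves of a conversation share a key."""
    a, b = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, a, b)


def aggregate(feeds: Iterable[Iterable[Packet]], *filters: Filter) -> List[Packet]:
    """Filter each tap feed, then merge the survivors into one time-ordered stream.
    This is the stream a single-interface sensor would receive."""
    merged = [p for feed in feeds for p in feed if all(f(p) for f in filters)]
    return sorted(merged, key=lambda p: p.ts)


def conversations(packets: Iterable[Packet]) -> Dict[Tuple, List[Packet]]:
    """Group packets by flow key so a sensor can reason about whole conversations."""
    convs: Dict[Tuple, List[Packet]] = {}
    for p in packets:
        convs.setdefault(flow_key(p), []).append(p)
    return convs


def taps_seen(packets: Iterable[Packet]) -> List[str]:
    """Which taps contributed to a set of packets (one tap = one direction only)."""
    return sorted({p.tap for p in packets})


if __name__ == "__main__":
    https_only = port_in(443, 443)
    one_side = aggregate([TAP_A], https_only)
    both_sides = aggregate([TAP_A, TAP_B], https_only)
    print("tap A alone sees directions:", taps_seen(one_side))
    print("aggregated stream sees directions:", taps_seen(both_sides))
    for key, pkts in conversations(both_sides).items():
        print(key, [(p.ts, p.tap) for p in pkts])
```

Stacking `ip_in` and `port_in` in `aggregate` mirrors the case study's point about oversubscription: the sensor receives only the conversations that match the header filters, yet for each of those it receives packets from both segments in timestamp order.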
This design allows the financial institution to deploy only two network analysis devices, one analysis sensor and one IDS sensor, each with a single interface. With hardware-based, line-rate filtering technology, the sensors are set up to limit oversubscription and see both network segments simultaneously.
The savings associated with this deployment come from the elimination of an extra analysis tool and IDS sensor, along with their associated recurring licensing, maintenance and management costs.
If the administrators decide to deploy redundant analysis tools or IDS sensors for business continuity purposes, the filtered single stream is delivered on four monitoring ports in either copper or fiber media, with 10/100/1000 Mb ports.
The design allows the financial institution to deploy only two network analysis devices, one analysis sensor and one IDS sensor, each with a single interface. This design has saved the company almost $55k.