We’ve talked about the practice of network forensics multiple times on this blog. As we’ve discussed in the past, forensics is a great way to identify security breaches, monitor user activities, pinpoint intermittent performance issues, and perform business transaction analysis. There are two approaches to network forensics: the vertical approach, which uses a single box to capture all of the data for analysis from a single, centralized data feed, and a horizontal approach, which captures and analyzes data at edge points to gather real-time statistics.
If you are in the process of implementing network forensics – or maybe you already have – we highly recommend using the horizontal approach. Let’s take a look at why.
Single Point of Failure
First and foremost, a vertical approach creates a single point of failure because it relies on a single box for capture. If for some reason that box isn't working, your ability to capture and later examine data is gone. With a horizontal approach you distribute storage of the data across capture points, so if one point breaks, the remaining points still hold enough data to reconstruct events and examine where the problem lies.
Massive Amount of Data to Sift Through
In addition to this, having a single point of capture forces the network admin to sift through a ton of data with limited organization. A horizontal approach gives more granular visibility per network segment, so you can narrow the search to the relevant segment, determine the problem and go from there. Think of it as storing your clothes in a pile on the floor versus organizing them in a closet; yes, you still have to look in the closet, but it's a much more organized way to find what you want.
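To make the two points above concrete, here is an added toy model (not code from the original post) of per-segment capture points with a federated query: a failed sensor degrades the result instead of eliminating it, and a query can be scoped to one segment. The class names, fields and flow records are constructed for illustration.

```python
"""Toy model of horizontal (per-segment) capture with a federated query."""
from dataclasses import dataclass, field

@dataclass
class Flow:
    ts: int        # epoch seconds
    src: str
    dst: str
    dport: int
    nbytes: int

@dataclass
class CapturePoint:
    """One edge sensor; it stores only the flows seen on its own segment."""
    segment: str
    online: bool = True
    flows: list = field(default_factory=list)

    def query(self, dst=None, dport=None):
        if not self.online:
            raise ConnectionError(f"capture point {self.segment} unreachable")
        return [f for f in self.flows
                if (dst is None or f.dst == dst)
                and (dport is None or f.dport == dport)]

def federated_query(points, segments=None, **filters):
    """Fan out to the requested segments; return hits plus unreachable segments."""
    hits, unavailable = [], []
    for p in points:
        if segments and p.segment not in segments:
            continue  # granular: only search the segments that matter
        try:
            hits.extend(p.query(**filters))
        except ConnectionError:
            unavailable.append(p.segment)  # degrade, do not lose everything
    return hits, unavailable

# Constructed sample data: one large outbound transfer is seen at two edges,
# so losing either sensor still leaves a record of it.
POINTS = [
    CapturePoint("dmz", flows=[Flow(1700000000, "10.1.1.5", "203.0.113.9", 443, 5_000_000)]),
    CapturePoint("core", flows=[Flow(1700000000, "10.1.1.5", "203.0.113.9", 443, 5_000_000),
                                Flow(1700000010, "10.2.2.7", "10.3.3.1", 445, 1200)]),
    CapturePoint("branch", flows=[Flow(1700000020, "10.5.5.5", "10.3.3.1", 445, 900)]),
]

def demo():
    """Simulate the DMZ sensor failing and query for the outbound transfer."""
    POINTS[0].online = False
    hits, down = federated_query(POINTS, dst="203.0.113.9")
    return len(hits), down
```

With all sensors up the same query returns both sightings; with the DMZ sensor down it still returns the core sighting and names the segment that could not be reached.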
Expensive to Scale
As more companies move to 10G, 40G and 100G (adoption rose 62% from 2012) and server virtualization expands, the data on networks continues to grow exponentially. A vertical approach to network forensics can be extremely expensive to scale as that traffic grows, and may even be impossible, depending on the utilization of the centralized capture point. A horizontal approach allows greater flexibility in what you capture, and can be less expensive if certain areas of the network don't require analysis.
A horizontal approach to network forensics just makes sense. It not only helps save time and eliminates errors, but it provides flexibility and helps you scale your solution to meet the demands of your network, both today and in the future. Planning ahead and beginning to employ network forensics horizontally now will save you a ton of headaches and put your company’s network ahead of the curve.