
Tag Archives: network performance monitoring

Top Trends in Cyber Security and Attacks

IT security experts have labeled 2011 as the “Year of the Hack,” and appropriately so. Last year saw a diverse group of breaches that were financially and politically motivated. While each attack has its own unique fingerprint, some common elements are emerging – the quiet, persistent and sophisticated nature of today’s attacks.

If you compare a hack like the Microsoft MSBlaster Worm of 2003 to Sony PlayStation’s data breach of April 2011, the motivation, sophistication, and direct cost are in stark contrast. The MSBlaster was a fairly rudimentary Distributed Denial of Service attack, and the motivation behind it was hacker glorification, i.e. penetrating a system just to boast about it over beer. It caused mostly embarrassment to the affected companies, and more annoyance than actual monetary losses (though in some cases significant costs were incurred to wipe out the infections). On the other side, the attack on Sony was financially motivated and garnered credit card numbers, passwords, and other very personal information of 70M users, directly costing Sony $170 million and an estimated 10 to 100x that much in indirect costs.

As Distributed Denial of Service (DDoS) attacks and viruses, which are oftentimes associated with the idea of hacking for hacking’s sake, have steadily gone down in recent years, Advanced Persistent Threats (APT) have gone up. APTs typically have political and financial motivation, and often include an element of revenge. According to a study by Bit9, of the 765 IT executives interviewed for their Endpoint Survey, 60% said that APT is the biggest fear they have with security breaches and 28% feared that theft and disclosure was coming from insiders—APT threats can often be an insider job, or at least aided by risky behavior from within the enterprise network.

Advanced Persistent Threats are what the name implies: a long-term pattern of sophisticated hacking attacks aimed at governments, companies, and political activists. However, that just skims the surface of understanding what APTs are and how they can affect you, so let’s take a look at each of the words that define Advanced Persistent Threat.

Advanced
Hacking techniques have been continually evolving, becoming more advanced at every turn, and in APTs hackers often combine multiple targeting methods. Since the perpetrators of APTs have strong financial backing and serious motivation, they often take time to focus on operational security, something rarely done in more opportunistic, less advanced threats. But the methods need not always be advanced. Consider the Citigroup breach of 2011. Though the target and the purpose certainly categorize this attack as an APT, the method turned out to be incredibly simple. The perpetrators identified a security flaw in the web-based banking where, once logged in with a known good account, they could simply change the account number in the URL string and immediately gain access to another account: the application checked that the user was logged in, but not that the requested account belonged to that user. It was then a simple task of writing scripts to first guess account numbers, and whenever a good one was found, to scrape the user information from the compromised account. Though perhaps not “advanced” in this case, the method was highly effective, resulting in more than 200,000 compromised customer accounts.
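To make the Citigroup flaw concrete, here is an added example (not code from the original post or from any bank): a minimal account-lookup handler in the vulnerable shape the text describes, beside the same handler with the missing ownership check. The account records, user names and the `Forbidden` exception are constructed for illustration.

```python
# Added example: the "logged in is the only check" pattern from the text,
# and the hardened form that scopes every lookup to the authenticated user.

class Forbidden(Exception):
    """Raised when a session requests an account it may not view."""

# Constructed sample data: account number (as it appears in the URL) -> record.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 250.00, "email": "alice@example.invalid"},
    "1002": {"owner": "bob",   "balance": 900.00, "email": "bob@example.invalid"},
}

def view_account_vulnerable(session_user, account_no):
    """Vulnerable shape: a valid session is the only gate, so the account
    number taken from the URL is trusted as-is (an insecure direct object
    reference). Any logged-in user can read any existing account."""
    if not session_user:
        raise Forbidden("login required")
    return ACCOUNTS[account_no]          # no ownership check

def view_account_fixed(session_user, account_no):
    """Hardened form: the record must belong to the authenticated user.
    Missing and foreign accounts get the same error so the response does
    not tell an enumeration script which guessed numbers exist."""
    if not session_user:
        raise Forbidden("login required")
    record = ACCOUNTS.get(account_no)
    if record is None or record["owner"] != session_user:
        raise Forbidden("account not found")
    return record

def leaks(handler, session_user, account_no):
    """True if the handler returns someone else's record instead of refusing."""
    try:
        return handler(session_user, account_no)["owner"] != session_user
    except Forbidden:
        return False

if __name__ == "__main__":
    # alice asks for bob's account number by editing the URL
    print("vulnerable leaks:", leaks(view_account_vulnerable, "alice", "1002"))
    print("fixed leaks:     ", leaks(view_account_fixed, "alice", "1002"))
```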

Persistent
As stated earlier, and as evidenced by the Sony and Citigroup attacks, APTs are not opportunistic, simply seeking an easy in for boasting rights. These are “low and slow” attacks, meaning they are relatively unnoticeable and steal information over a longer period of time. And the perpetrators will maintain long-term access to the target. Should access be broken along the way, every attempt will be made to regain access and continue with the attack, similar to what Peter Gibbons was attempting to do in the movie Office Space.

Threat
APTs are typically backed by powerful, well-funded organizations (think organized crime or rogue governments), with the intent and the capability to achieve their goals. A key element includes coordination and execution by human action vs. automation, at least until a stealthy, automated process can be implemented that has limited risk of being identified. Oftentimes to stay under the radar an APT will remain manual and incorporate minimal automation.

As APTs begin to grow and DDoS attacks and viruses become less of a threat, it is important to ensure that you have security policies in place to protect your network. Even though 28% of IT executives fear theft and disclosure will come from within, 60% of these firms are either using the “honor system” or have no internal security policy whatsoever. In addition, a recent survey by Ponemon Institute reported that although 90% of respondents had at least one breach in 2011, 40% of those surveyed had no clue where the breach stemmed from, and 33% could only identify the source of some attacks. Without a clear understanding of the source, how can you possibly protect yourself from another occurrence?

In addition to the active security systems in place today, you need a security “insurance policy,” since it’s clear that today’s state-of-the-art security systems don’t do a complete job – after all, 90% of survey respondents had at least one breach in 2011, and 70% had two or more! This insurance policy takes the form of a network recorder, which passively records each and every packet traversing your network. When an attack happens, and statistics indicate it will, you’ll have a complete recording of the incident, allowing you to identify how the attack happened, what information was compromised and how to tune your existing network security tools to prevent future breaches.

To learn more about the trends and how to protect your network, check out our webcast “Cyber Security – IDS/IPS is Not Enough.”

IP Video – It’s like Living with a Teenager

Teenagers. Maybe you have one (or more) at home; maybe not. But we’ve all been one, so I know you can relate. Moody and unpredictable. Overly sensitive. Taking up more space than any human has a right to. High maintenance. They’re just so adorable.

Well, it turns out we have an exploding data type on our networks that behaves much the same way – IP video. In a recent whitepaper by Cisco, it was reported that all forms of video (TV, VoD, Internet, and P2P) will be approximately 90% of the global consumer Internet traffic by 2015. And per the report, that’s 90% of what will be 966 exabytes, or nearly a zettabyte, of IP data. To see what that looks like graphically, check out this link. Although video traffic on the enterprise side will not be as heavy as that on the consumer Internet, it will increase dramatically nonetheless, and will certainly be much more than 50% of the enterprise network traffic by 2015. It looks like you’re going to need both network management and high school guidance counselor skills by 2015 to manage enterprise networks.

With this dramatic increase in video traffic, video will be in competition with enterprise corporate data, enterprise application access, SaaS, and cloud computing. And given its tendency towards teenage behavior, you’re going to have your hands full. Below are a few details of how the characteristics of IP video can adversely affect your enterprise network.

Unpredictable
Video is “bursty,” or in the teenage analogy, unpredictable, which is an undesirable characteristic for networks that work best under stable conditions – predictable and consistent. Packet sizes range all over the place, and often hit the network in large bursts. And of course these bursts are tagged with high QoS (quality of service) tags, so they take precedence over your other mission critical application data. Characterization of your IP video traffic, including weeding out business traffic from surfing, is critical to the health of your enterprise network.

Space Hog
Video is a bandwidth hog. One HD video stream can consume up to 20Mbps of bandwidth. So if five people are trying to stream a movie, it means that they are taking up 100Mbps of your network. This may not seem like a ton of traffic, but depending on the distribution of these users on your network, and the number of users serviced, bandwidth availability can certainly become an issue. And remember, the amount of video on your network is increasing all the time.

Overly Sensitive
Video is also very sensitive to latency, jitter and packet loss, even more so than voice, which we covered in this blog post. These sensitive protocols demand that your network is performing at its peak level to ensure that these issues are minimized. As video becomes more common on the network, performance demands will continue to grow and become harder to reach. Specific metrics and demands of latency, jitter, and packet loss are described in more detail below with this video segment and graph:

High-Maintenance
Due to the high performance demands of video, it is typically tagged for the highest QoS delivery as I mentioned earlier. However, as video traffic starts exceeding data traffic, enterprises will need to maintain different quality of service between users or video types since it is self-defeating for most of the traffic on a network to have the highest QoS tagging.

As video continues to grow, or as some might say invade, your enterprise network, it is more important than ever to plan and design your network to carry video. And just as the teenage years pass, the video phase will also pass in time, allowing networks to again hum along in a predictable pattern. That is, until the next disruptive technology comes along! In next week’s blog, we’ll be providing some best practices on designing, monitoring, and managing your network to help that teenager grow up.

Don’t Let the Network Get the Best of You: Take a Proactive Approach

In our last post, we discussed research conducted by Jim Frey from EMA on what is hampering organizations from effectively managing applications and services: poorly documented or controlled changes to applications and infrastructure; poor coordination among support teams; and lengthy troubleshooting and root-cause analysis. If you are experiencing these problems, here are the top three strategies, defined both by EMA and WildPackets, that will take you from reactive problem-solving to a proactive performance assurance angle.

1. Application Performance Is King.

As a network professional, you need to know what is happening at the network layer, but the value that is most important and easily perceived by your users and the guys who sign your paycheck is in the application and service layer – i.e., are you quickly delivering information and results over the network?

Having visibility into your applications is key if you want to quickly troubleshoot and solve issues when they arise. As a network engineer, request tools and develop processes that:

  • Protect the most important applications and services
  • Prioritize actions based on impact
  • Recognize new traffic contributors/aggravators and their sources before they become an issue
  • Find tools that have enterprise-wide visibility – visualize all applications on your network – and use them 24×7

You may need a mix of application-aware instrumentation, from SNMP, flow-based monitoring, packet-based monitoring, and synthetic and passive agents to cover all areas of your network. WatchPoint 2.0 is an excellent solution since it combines SNMP, flow-based monitoring, and packet-based monitoring in one package to deliver a more comprehensive management solution and keep costs down.

2. Manage from Cradle to Grave.

There is value to be gained by moving the typical monitoring, baselining, and characterization approaches that are used during production earlier into the application rollout process. This will help you better understand what impact new applications will have on your system.

For example, take a VoIP project you may be starting/deploying. Before implementation, you need to establish a baseline of your current network performance, including numbers of users over time, peak usage times, average and peak latency measurements, etc. Networks have rhythms, so it’s best to assess network behavior over a long period of time, at least for several weeks and perhaps even for a month. Organizations can start this process by looking at their Internet connections, WAN links, WLAN environments, and data centers. We suggest you look into network analyzers to help you baseline.

And of course it’s important to continue to monitor and baseline your network after you roll out your new VoIP deployment so you can quickly see whether or not the impact it has is consistent with your predictions.

3. Take a Proactive Approach to Troubleshooting.

Most people consider troubleshooting to be a reactive approach, but troubleshooting can be proactive as well. Proactive troubleshooting implies that constant and comprehensive monitoring is in place so that when errors arise they can be solved immediately, before they become major problems.

It still surprises me how many enterprises invest in network monitoring and analysis solutions that are designed to operate 24×7, constantly analyzing the network for faults and providing up to the minute network statistics, only to use these solutions in an entirely reactive way – only after a network problem has been reported. You’ve already made the investment; why not leave that highly capable network monitoring and analysis solution running and let it provide ongoing analysis, 24×7, in the background on your system, always ready to alert you to issues on your network? In other words, use these solutions for proactive troubleshooting. For example, OmniEngines and Omnipliances have a whole series of Expert events running in the background, ranging from layer 2 to layer 7 analyses. When an error occurs, you are automatically alerted and provided with information to isolate and solve the problem immediately.
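The three strategies above share one mechanism: measure the network’s rhythm before a rollout, then keep comparing live measurements against it. The following is an added example (not WildPackets code, and not how WatchPoint or the OmniEngine Expert events are implemented) that builds a per-hour latency baseline from a pre-rollout sample set and flags post-rollout observations that fall outside it. All latency samples are constructed; a real baseline would span the weeks the text recommends.

```python
# Added example: per-hour latency baseline plus proactive deviation alerts.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed pre-rollout samples as (hour_of_day, latency_ms).
BASELINE_SAMPLES = [
    (9, 20.0), (9, 22.0), (9, 21.0), (9, 23.0),
    (13, 40.0), (13, 44.0), (13, 42.0), (13, 46.0),   # lunchtime peak
    (17, 25.0), (17, 27.0), (17, 26.0), (17, 24.0),
]

# Constructed post-rollout observations to check against the baseline.
POST_ROLLOUT_SAMPLES = [
    (9, 24.0),    # within the morning rhythm
    (13, 55.0),   # well above the usual lunchtime peak
    (17, 26.0),   # normal
    (22, 30.0),   # an hour never measured during baselining
]

def build_baseline(samples):
    """Per-hour mean, population std-dev and peak: the network's 'rhythm'."""
    by_hour = defaultdict(list)
    for hour, latency in samples:
        by_hour[hour].append(latency)
    return {h: {"mean": mean(v), "stdev": pstdev(v), "peak": max(v)}
            for h, v in by_hour.items()}

def check_against_baseline(baseline, observations, sigmas=3.0):
    """Return (hour, latency, reason) for observations above mean + sigmas*stdev
    for their hour, or for hours that were never baselined (a gap in the
    measurement period, not necessarily a fault, but worth a look)."""
    alerts = []
    for hour, latency in observations:
        b = baseline.get(hour)
        if b is None:
            alerts.append((hour, latency, "no baseline for this hour"))
            continue
        threshold = b["mean"] + sigmas * b["stdev"]
        if latency > threshold:
            alerts.append((hour, latency, f"above baseline threshold {threshold:.1f} ms"))
    return alerts

if __name__ == "__main__":
    for alert in check_against_baseline(build_baseline(BASELINE_SAMPLES), POST_ROLLOUT_SAMPLES):
        print("ALERT", alert)
```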

A proactive approach is the key to successful network management. Proactive analysis includes baselining your network before new applications and technologies are deployed in order to see exactly how they affect your network and whether or not the impact is as predicted. Proactive analysis also includes leveraging the full value of the network analysis solutions that may already be sitting on your shelf. Don’t let them sit idle! Plug them in and use them 24×7 to provide ongoing Expert analysis and alerts the instant that trouble begins brewing. Taking this approach will make your end users forget all about you, and in network management that’s a good thing! Just make sure the guys who sign your paycheck don’t forget about you…