By: Dan O’Donnell
I am on a plane to Seattle to talk with Network Engineers, Architects and Managers about network security. The attendees at this Net Security conference are responsible for corporate, government, e-commerce and service provider networks. If there is a job on earth that will cause sleepless nights, it is Network Manager. In addition to worrying about hackers from outside while safeguarding confidential data on the inside, they are also responsible for designing and maintaining 99.99%+ reliability and consistent accessibility for authorized users.
While there are many specialized threats to networks today, there are also a wide variety of specialized tools to help mitigate those threats.
That is the good news.
However, if you are the network engineer responsible for keeping all these software-intensive tools working, every new tool presents an interesting contradiction. For every security tool you add to the network, you introduce an additional failure point. This is particularly worrisome if your tools are active appliances that are installed in-line. An in-line appliance is an active component in the network link. Therefore, if the appliance goes down, the link goes down. While more tools can provide better security, they can also create more operational headaches.
How many specialized appliances can one introduce on a link without impacting availability and reliability? If these appliances are installed in-line there is a Christmas tree light effect, where if one light goes out the whole string goes dark. Further, these appliances are software-intensive. There are rule updates and firmware updates that need to be managed; but remember, the link must be available at all times, at least during business hours. That leaves the 2:00am to 4:00am window for network maintenance. So, putting aside the sleep lost from security worries for now, let’s look at an idea to help network engineers get some winks at night by scheduling maintenance upgrades during the day:
In-line appliances can be attached to network links using TAPs. These are network access devices that permanently attach to a link at the end points, typically a router, switch or firewall.
The TAP has monitor ports that allow the security appliances to connect to the network without actually being inserted directly into the network. The data flows through the TAP to the appliance and back into the TAP to the other end of the network.
This allows the appliance to see the data real time and take real time action if necessary.
However, it is the TAP, not the appliance, that is attached in-line. If the appliance goes down, the link can stay active.
With a little planning, this method of attaching appliances to links provides maximum flexibility when establishing maintenance windows for software/firmware upgrades and reboots.
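The arrangement described above, as an added example that is not from the original post or from Network Critical's products: a small Python simulation of a bypass TAP that carries a link through an appliance and fails open when the appliance stops answering. The heartbeat-style failure detection, the Appliance and BypassTap classes and the packet format are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Appliance:
    """Security appliance hanging off the TAP's monitor ports (assumed interface)."""
    up: bool = True
    blocklist: set = field(default_factory=set)

    def inspect(self, packet):
        if not self.up:
            raise ConnectionError("appliance not responding")
        return None if packet["dst"] in self.blocklist else packet  # None = drop

@dataclass
class BypassTap:
    """The device that is actually in-line; the appliance is not."""
    appliance: Appliance
    heartbeat_timeout: float = 2.0  # seconds without a heartbeat before bypassing
    last_heartbeat: float = 0.0
    bypassed: bool = False
    uninspected: int = 0  # packets forwarded while bypassed (worth alerting on)

    def heartbeat(self, now):
        self.last_heartbeat = now
        self.bypassed = False  # appliance answered its health probe, resume inspection

    def forward(self, packet, now):
        # Carry one packet from network port A to network port B
        if now - self.last_heartbeat > self.heartbeat_timeout:
            self.bypassed = True
        if not self.bypassed:
            try:
                return self.appliance.inspect(packet)
            except ConnectionError:
                self.bypassed = True  # fail open: the link must stay up
        # Bypass mode: the link stays active, but this traffic is NOT inspected
        self.uninspected += 1
        return packet

def demo():
    # Constructed scenario: the appliance reboots while traffic keeps flowing
    ids = Appliance(blocklist={"10.0.0.9"})
    tap = BypassTap(ids)
    tap.heartbeat(now=0.0)
    results = [tap.forward({"dst": "10.0.0.9"}, now=1.0)]  # inspected, dropped
    ids.up = False  # appliance goes down for a daytime reboot
    results.append(tap.forward({"dst": "10.0.0.9"}, now=1.5))  # link up, uninspected
    ids.up = True
    tap.heartbeat(now=20.0)  # appliance answers again
    results.append(tap.forward({"dst": "10.0.0.9"}, now=21.0))  # dropped again
    results.append(tap.forward({"dst": "10.0.0.9"}, now=30.0))  # heartbeat went stale
    return results, tap.uninspected
```

Packets forwarded while bypassed are never inspected, so the `uninspected` counter (or the `bypassed` flag) is what monitoring should alert on during a daytime maintenance window.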
For more information on in-line TAPs and to see how they can let you add security and reliability while providing more flexibility to your maintenance windows, please visit networkcritical.com
Whether you are sleepless in Seattle, awake in Albuquerque or an insomniac in Indianapolis, connecting in-line appliances through TAPs can help you sleep better at night.