Frequently Asked Questions About IDSB
- Why is network monitoring essential?
- What does IDSB do?
- Is IDSB cost effective?
- How does streamlined deployment improve security?
- Why is aggregating and filtering traffic for multiple sensor types important?
- How does IDSB’s “intelligent load balancing” differ from other balancing solutions that deal with multiple sensor environments?
- What types of network monitoring tools does IDSB work with?
- Asymmetric routing is problematic. How does IDSB deal with this?
- What about high availability?
- What ROI can I expect?
Monitoring is required to protect against a myriad of network-based attacks that threaten to steal sensitive information and/or disrupt the business. Monitoring is also essential to ensure network uptime and employee, partner and customer access to business applications. Enterprises also use network monitoring for capacity planning, to anticipate and prepare for growing traffic demands and to improve end-user SLAs. Network monitoring for all these purposes has become more difficult and intricate with the increased diversity and complexity of application traffic and the growing use of performance-sensitive applications, such as VoIP and video.
Corero’s Intelligence Distribution Balancer aggregates network traffic from multiple segments or VLANs, replicates and filters it, and sends copies to one or more groups of network monitoring devices, often different types of monitoring devices performing various security and operational functions. The IDS Balancer provides a cost-effective solution by aggregating multiple network segments and providing redundancy and scalable growth as future traffic loads increase.
Deploying security and traffic monitoring and analysis sensors on each network segment is costly and inefficient. Indeed, such deployments may be cost-prohibitive in large, complex enterprise network environments.
Customers have reported significant cost savings, in some cases 80%, by streamlining the deployment of their various network monitoring tools with Corero's IDSB appliances. Aggregating the traffic from multiple network segments provides immediate savings, since fewer sensors are required to examine the traffic. For example, if you want to monitor six GigE segments you can use six GigE sensors, or use one “aggregation device” IDSB and one GigE sensor. In this simple example, Corero’s family of high-performance ASIC-based IDSB appliances provides the same coverage as multiple sensors and huge savings by offering aggregation for both Fast Ethernet and GigE networks.
Deploying multiple sensors on each network segment is often cost-prohibitive, forcing organizations to settle for limited deployments on selected segments. This significantly increases risk from cyber attacks, which result in costly data breaches (Ponemon Institute pegs the average cost of a single data breach at $7.2 million!) and/or network disruptions from distributed denial-of-service (DDoS) attacks that can bring business to a halt. Inefficient monitoring can result in failure to anticipate, detect and swiftly react to network problems, which can impact performance and, in turn, the business.
It is very common for enterprises to use different types of sensors, each one optimized for different types of traffic and different purposes. Corero’s IDSB can filter the traffic by IP address and/or the type of application, thus enabling the sensors to be optimized. In addition, the IDSB can create “carbon copies” of either the whole or a portion of the traffic, which can be delivered to different sensor groups. This functionality is very useful for delivering the same traffic to different types of sensors.
How does IDSB's "intelligent load balancing" differ from other balancing solutions that deal with multiple sensor environments?
Some balancing devices use “packet”-based technology, balancing the traffic by looking at each packet and distributing the traffic to the various sensors. The problem with this approach is that you might end up with part of a flow going to one sensor, and the rest going to a different one. Since most sensors monitor traffic by looking at the whole flow, this will cause the sensor to malfunction and produce erratic results. The Corero IDSB is a stateful flow-based device, which load balances the traffic based on the flows (conversations between hosts on a network). The relationship between a packet and a flow, as it relates to the communication between two systems, can be compared to the conversation between two people. A packet represents a word or phrase in the conversation, whereas a flow represents the whole conversation.
IDSB has a very wide range of network monitoring use cases. Among these are network analyzers, network IDSes, VoIP recorders, forensics, content inspection engines (such as DLP), RMON probes, network detection systems and more.
VoIP recording is a good example. Companies record huge volumes of digital calls for quality assurance, legal protection, compliance, etc. The problem is that VoIP recorders have a limit on how many “calls” they can record at a time due to the processing speed, disk speed, and network speed of the computers on which the VoIP-based recording software runs. IDSB “listens” to all the VoIP-based phone call setups, and then distributes copies of the VoIP call traffic, on a call-by-call basis, to a group of VoIP recorders. Among transparent load balancers, only IDSB has this level of call-by-call granularity.
Placement of monitoring sensors creates a challenging problem in networks with asymmetric routes. To be effective, a sensor needs to see the entire data flow between any two end points. When traffic enters via one route and leaves via another, the sensor will only see half of the communication. As a result, a serious attack may go undetected or protocol anomalies may be falsely reported.
IDSB eliminates the challenge of deploying monitoring sensors in asymmetric networks, providing complete network coverage. IDSB uses Flow Mirror™ patented technology to match entire flows before passing the traffic to the sensor. This is an imperative feature when monitoring 100% of the network traffic is mandated by law or governance.
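The difference between per-packet and flow-based balancing, and why both directions of an asymmetrically routed conversation must reach the same sensor, can be shown with a short simulation. This is an added example, not Corero's code or algorithm: the sensor names, the constructed packet list and the least-loaded assignment policy are assumptions made for illustration.

```python
from collections import defaultdict
from itertools import cycle

def pkt(src, sport, dst, dport, link):
    return {"proto": "tcp", "src": src, "sport": sport,
            "dst": dst, "dport": dport, "link": link}

# Constructed sample: two conversations, requests seen on segment A and
# replies on segment B (asymmetric routing), interleaved in arrival order.
PACKETS = [
    pkt("192.0.2.10", 40001, "198.51.100.5", 443, "A"),
    pkt("192.0.2.11", 40002, "198.51.100.5", 443, "A"),
    pkt("198.51.100.5", 443, "192.0.2.10", 40001, "B"),
    pkt("198.51.100.5", 443, "192.0.2.11", 40002, "B"),
    pkt("192.0.2.10", 40001, "198.51.100.5", 443, "A"),
    pkt("192.0.2.11", 40002, "198.51.100.5", 443, "A"),
]
SENSORS = ["sensor-1", "sensor-2", "sensor-3"]  # hypothetical names

def flow_key(p):
    """Direction-independent key: sort the two endpoints so request and
    reply map to the same flow, whichever segment they arrived on."""
    ends = sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])])
    return (p["proto"], ends[0], ends[1])

def per_packet_balance(packets, sensors):
    """Round-robin each packet; returns flow -> set of sensors that saw it."""
    rr, seen = cycle(sensors), defaultdict(set)
    for p in packets:
        seen[flow_key(p)].add(next(rr))
    return seen

def flow_balance(packets, sensors):
    """Stateful: pin a new flow to the least-loaded sensor, then reuse it."""
    table, load, seen = {}, {s: 0 for s in sensors}, defaultdict(set)
    for p in packets:
        key = flow_key(p)
        if key not in table:
            table[key] = min(load, key=load.get)
            load[table[key]] += 1
        seen[key].add(table[key])
    return seen

def split_flows(seen):
    """Flows whose packets were scattered across more than one sensor."""
    return sorted(k for k, s in seen.items() if len(s) > 1)

if __name__ == "__main__":
    print("per-packet split flows:", len(split_flows(per_packet_balance(PACKETS, SENSORS))))
    print("flow-based split flows:", len(split_flows(flow_balance(PACKETS, SENSORS))))
```

With per-packet distribution every sensor receives fragments of both conversations; with the flow table each conversation, including its return path from the other segment, lands whole on one sensor.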
With a typical monitoring deployment, each sensor is installed singly, monitoring a separate portion of the network. When a sensor fails, attacks or intrusions on the portion of the network monitored by that sensor are missed. Corero’s IDSB distributes traffic across a group of sensors. If one monitoring sensor in the group fails, the remaining sensors pick up the load without impacting the monitoring operation.
There are several ways that you can realize tangible and rapid return on investment capitalizing on the benefits of using an IDSB deployment, including:
- Reducing your capital, maintenance and operations expenditure for all types of network monitoring solutions.
- Simplifying the management of your monitoring solutions.
- Enabling simultaneous monitoring for different applications, such as security and network troubleshooting.
- Scaling your monitoring solutions, and enabling the sensors to sustain the volume of traffic to be monitored.
- Adding N+1 redundancy for your monitoring sensors.
“This is a great product! ...does exactly what it is supposed to do, and is very easy to use. I had it up and running the way I wanted within 30 minutes. Computing support staff can now spend more time doing the things they are supposed to be doing instead of cleaning up hacked systems.”
UCI Network and Academic Computing Services Team