Ok, maybe it’s not a marriage but more along the lines of living together.
In a previous article, I spoke about moving to a Continuous Monitoring security model, which focuses on monitoring outbound traffic.
As we move to completing our monitoring infrastructure, I’ve been pleased with the results so far and excited by the challenges discovered by the process. One of the things that surprised me was how Continuous Monitoring is forcing a cultural change between the Security Office and the Network Management group.
It all comes down to sharing data which, depending on your institutional culture, can be either challenging or really challenging.
Here are 2 things that significantly impacted progress in our project:
- Network backbone line speeds can significantly impact your inline packet capture and monitoring techniques. If your network group upgrades your backbone speeds to 100Gb, there aren’t a lot of IDS/IPS network interfaces that can operate at those speeds. A network upgrade can blind your sensors inadvertently.
- New network management tools can blind your deep packet inspection tools. Specifically, MPLS (Multiprotocol Label Switching) breaks traditional packet capture tools. How? MPLS encapsulates traditional IP packets, which basically assigns each packet a distinct label. It makes perfect network management sense to use MPLS to manage a large, complex network. It complicates IDS/IPS packet monitoring because most of these devices currently don’t know how to decode an MPLS-encapsulated packet. For example, if you are using Gigamon network switches, you’ll need to buy a special line interface card that strips off the MPLS header. This is not a cheap feature.
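To illustrate why MPLS blinds an inspection engine, here is an added Python example (not code from the original post or from any vendor): a minimal decoder comparing a sensor that dispatches only on EtherType 0x0800 with one that pops the MPLS label stack before decoding the inner IPv4 header. The frames, MAC addresses, labels and IP addresses are constructed sample data.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_MPLS = 0x8847  # MPLS unicast; 0x8848 is multicast

def mpls_entry(label, bottom, ttl=64, tc=0):
    """Build one 4-byte MPLS shim: 20-bit label, 3-bit TC, 1-bit bottom-of-stack, 8-bit TTL."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (bottom << 8) | ttl)

def parse_mpls_stack(frame, offset):
    """Walk shim headers until the S (bottom-of-stack) bit is set; return (labels, payload offset)."""
    labels = []
    while True:
        if offset + 4 > len(frame):
            raise ValueError("truncated MPLS label stack")
        (entry,) = struct.unpack_from("!I", frame, offset)
        labels.append(entry >> 12)
        offset += 4
        if (entry >> 8) & 1:
            return labels, offset

def ipv4_summary(frame, offset):
    """Minimal IPv4 header decode: protocol number and source/destination address."""
    if offset + 20 > len(frame) or frame[offset] >> 4 != 4:
        return None
    return {"proto": frame[offset + 9],
            "src": ".".join(map(str, frame[offset + 12:offset + 16])),
            "dst": ".".join(map(str, frame[offset + 16:offset + 20]))}

def naive_sensor(frame):
    """A sensor that only dispatches on EtherType 0x0800: blind to MPLS-encapsulated traffic."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    return ipv4_summary(frame, 14) if ethertype == ETHERTYPE_IPV4 else None

def mpls_aware_sensor(frame):
    """Same decode, but pops the label stack first. MPLS carries no next-protocol
    field, so the payload type is inferred from the IP version nibble."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == ETHERTYPE_MPLS:
        labels, offset = parse_mpls_stack(frame, 14)
        return labels, ipv4_summary(frame, offset)
    return [], naive_sensor(frame)

# Constructed sample: 20-byte IPv4/TCP header, 10.1.2.3 -> 192.0.2.10, checksum zeroed.
SAMPLE_IPV4 = bytes.fromhex("4500002800010000400600000a010203c000020a")
ETH_HDR = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # constructed MACs
PLAIN_FRAME = ETH_HDR + struct.pack("!H", ETHERTYPE_IPV4) + SAMPLE_IPV4
MPLS_FRAME = (ETH_HDR + struct.pack("!H", ETHERTYPE_MPLS)
              + mpls_entry(1000, 0) + mpls_entry(2000, 1) + SAMPLE_IPV4)
```

Running `naive_sensor(MPLS_FRAME)` returns `None` while `mpls_aware_sensor(MPLS_FRAME)` yields the label stack and the inner IPv4 summary, which is the visibility gap the line card mentioned above closes in hardware.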
Wireless network infrastructure logs are, quite frankly, huge. Identifying who’s on a wireless network requires careful planning and collaboration with the network management group, which traditionally collects the required logs.
IT Security Offices need to establish good working relationships with their organization’s network management groups. Network management groups need to be aware that traditional network upgrades can significantly impact a security office’s intrusion detection initiatives. Some of these impacts can add significant dollars to a security project.