How to Optimise your SIEM Syslog Environment

How do you create a secure, resilient, effective, compliant and cost-efficient syslog event management infrastructure?

If you are asking yourself this question, it's likely that by this stage you have invested in a market-leading SIEM platform such as Splunk, QRadar, LogRhythm or Elastic, or perhaps adopted a multi-tier approach with more than one of them.

It's not uncommon to have hundreds of thousands of events per second flowing across enterprise networks. The majority are still sent via UDP, which is connectionless and unacknowledged, so at times of peak network load (or when a collector's receive buffer overflows) events are simply lost, and nothing on either side records that they were lost. Other considerations to bear in mind are security, compliance and volume-based licence costs. We will highlight some use cases in this post to show ways in which you can address these considerations, creating an efficient, secure, cost-effective syslog environment that supports GDPR compliance.

Challenge #1: Platform Agnostic Log Management

Challenges:

Variety of sources & schema, multiple destinations, delivery guarantee, fault tolerance

End Goals:

Unified collection, real-time transformation, secure transit, buffering/caching

 

 

 

Here, syslog-ng relays and syslog-ng Premium Edition (PE) have been deployed to deliver syslog messages using RLTP (Reliable Log Transfer Protocol), which guarantees delivery between the tiers: a message is acknowledged at the application layer only once the receiver has taken responsibility for it, and an unacknowledged message is resent until it is. PE also uses TLS to secure the delivery, so messages cannot be read or altered in transit; with certificate verification at both ends it also stops an unauthorised device from injecting events into the log stream. Syslog-ng also caches and buffers to local disk should the network or the next hop become unavailable, and drains the buffer once it returns. Now multiple teams can retrieve logs for their specific use cases in a standardised, efficient and secure manner.
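As an added example (not configuration from the post, nor from Balabit/One Identity), the relay role described above expressed in syslog-ng Open Source Edition syntax: legacy devices still send UDP to a relay on their own segment, so the unacknowledged hop is as short as possible, and the relay forwards over mutually authenticated TLS with a reliable disk buffer so that messages survive a collector outage or a syslog-ng restart. RLTP is a Premium Edition feature and is not shown here. The hostnames, ports, certificate paths and buffer size are assumptions.

```conf
@version: 3.38
@include "scl.conf"

# --- Relay inputs ---------------------------------------------------------

# Legacy devices that can only speak UDP. A large socket receive buffer absorbs
# bursts that would otherwise be dropped by the kernel; net.core.rmem_max on the
# relay host must be raised to at least this value for so-rcvbuf() to take effect.
source s_legacy_udp {
    network(ip("0.0.0.0") port(514) transport("udp") so-rcvbuf(16777216));
};

# Agents that support TLS (RFC 5425 port). peer-verify(required-trusted) means a
# device must present a certificate chained to our internal CA before it can
# inject a single event; an unauthenticated sender is refused at the handshake.
source s_agents_tls {
    network(
        ip("0.0.0.0") port(6514) transport("tls")
        tls(
            key-file("/etc/syslog-ng/tls/relay.key")        # assumed paths
            cert-file("/etc/syslog-ng/tls/relay.crt")
            ca-file("/etc/syslog-ng/tls/internal-ca.crt")
            peer-verify(required-trusted)
        )
    );
};

# --- Relay output ---------------------------------------------------------

# Forward to the central collector over mutually authenticated TLS. With
# reliable(yes) every message is journaled to disk before it is queued for
# sending, so a collector outage or a syslog-ng restart on the relay loses
# nothing until the on-disk queue itself (2 GiB here) fills up.
destination d_central_tls {
    network(
        "logs-central.example.internal" port(6514) transport("tls")   # assumed host
        tls(
            key-file("/etc/syslog-ng/tls/relay.key")
            cert-file("/etc/syslog-ng/tls/relay.crt")
            ca-file("/etc/syslog-ng/tls/internal-ca.crt")
            peer-verify(required-trusted)   # refuse to send if the collector's cert does not verify
        )
        disk-buffer(
            reliable(yes)
            disk-buf-size(2147483648)
            dir("/var/lib/syslog-ng/disk-buffer")
        )
    );
};

log {
    source(s_legacy_udp);
    source(s_agents_tls);
    destination(d_central_tls);
};
```

Two operational points follow from this. First, the disk buffer files are plain, unencrypted copies of every message that passes through, so the relay's filesystem needs the same access controls and monitoring as the central store, not the looser handling a "transit" box often gets. Second, `syslog-ng-ctl stats` on the relay reports a `queued` counter for the destination; a value that only ever grows means the collector is not acknowledging, and it is worth alerting on before the buffer reaches its size limit.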

Challenge #2: Long-Term Storage & Search

Challenges:

Usage based licensing costs, storage costs, varying retention requirements

End Goals:

Implement long-term storage layer, automated retention policies, automated archiving, indexed and compressed

[Diagram: syslog-ng long-term storage]

In this case, relays have been used in conjunction with the Syslog Store Box (SSB). Policies have been created to index the events on the SSB and send them to a SAN for lower-cost storage. Content the SIEM does not need, such as verbose human-readable text, has been stripped by rewriting the logs, and duplicates removed, to reduce the licensed volume reaching the SIEM. Logs are indexed and compressed, resulting in faster searching of the archives, and separate retention policies have been defined where different record types require different retention periods.

Challenge #3: Advanced Routing / Filtering

Challenges:

Varying events per second (EPS), usage-based licensing, usage-based planning, cost implications

End Goals:

Filter out irrelevant data, asset based planning, cost effective retention

[Diagram: syslog-ng product filtering]

Here, relays and PE have been used in conjunction with advanced filtering and directional forwarding, which have drastically reduced the volume of messages hitting the SIEM and compliance platforms. Syslog-ng can be deployed as an agent on a wide range of hosts and flexibly route content to multiple destinations, without the need to deploy multiple agents on each device. Duplicates and unnecessary content have been stripped and discarded. Be deliberate about what the filters drop: an event that is noise for the SIEM's correlation rules may still be the one an incident responder needs, so the safer pattern is to discard only on the SIEM path and keep the full stream in the cheaper archive.
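As an added example (not the post's own configuration), a relay log path in syslog-ng Open Source Edition that implements the filtering, rewriting and directional forwarding described in Challenges #2 and #3: obvious noise is dropped before it consumes licence volume, only security-relevant events are forwarded to the SIEM (with a verbose trailer trimmed to save further volume), and everything that survives the noise filter goes to the cheaper archive unmodified. The program names, match patterns and destination hosts are assumptions and must be tuned to what the estate actually emits; the noise filter deserves the same review as a firewall rule, because whatever it drops is gone from the SIEM for good.

```conf
@version: 3.38
@include "scl.conf"

# Relays upstream deliver over TCP (or TLS, as in the Challenge #1 example).
source s_relay_in {
    network(ip("0.0.0.0") port(514) transport("tcp"));
};

# Events that cost SIEM licence volume but carry no security value.
# Assumed examples: debug chatter, per-minute cron noise, keep-alives.
filter f_noise {
    level(debug)
    or program("cron")
    or match("keep-alive" value("MESSAGE"));
};

# Everything that is not noise is kept for the archive.
filter f_keep {
    not filter(f_noise);
};

# Events that must reach the SIEM: authentication and privilege use,
# audit records, and firewall denies (patterns are assumptions).
filter f_security {
    facility(auth, authpriv)
    or program("sudo")
    or program("audit")
    or match("DENY" value("MESSAGE") flags(ignore-case));
};

# Strip a verbose, fixed trailer the SIEM parser does not use. Because the
# archive destination is listed before this rewrite, the archive copy keeps
# the full original message.
rewrite r_trim_trailer {
    subst(" see documentation .*$", "", value("MESSAGE"));
};

destination d_siem {
    network("siem.example.internal" port(514) transport("tcp"));   # assumed host
};

# Cheap, plain-file archive, one directory per day and one file per host.
destination d_archive {
    file("/var/log/archive/${YEAR}${MONTH}${DAY}/${HOST}.log" create-dirs(yes));
};

log {
    source(s_relay_in);
    filter(f_keep);
    destination(d_archive);

    # Nested path: only the security subset continues to the SIEM.
    log {
        filter(f_security);
        rewrite(r_trim_trailer);
        destination(d_siem);
    };
};
```

Before enabling a new noise rule in production, run `syslog-ng --syntax-only -f` against the file, then temporarily point a copy of the dropped subset at a scratch file destination and read a day of it; what looks like keep-alive chatter on one vendor's platform is sometimes the only heartbeat that reveals a device has gone quiet.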

Challenge #4: Compliance, Even Without a SIEM

Challenges:

Unsorted, mixed content, too noisy for correlation, mixed compliance models, unfiltered data exposed

End Goals:

Logically separate content, data can be filtered further, different archiving policies, repository access controls, user specific log ‘views’

[Diagram: Syslog Store Box routing]

Using the SSB, log data is stored in encrypted, compressed and timestamped binary files, with access restricted to authorised personnel only. Authentication, authorisation and accounting (AAA) settings provide granular control based on user privileges, and the SSB can be integrated with an LDAP or RADIUS directory. The largest SSB can store up to 10 TB of uncompressed data. PE also ensures that messages cannot be accessed by third parties by using TLS to encrypt the communication between agents and the Syslog Store Box. Filtering and routing rules send data to the correct platforms.

Challenge #5: Reliable Log Infrastructure

Challenges:

Critical event, logs never sent, connection saturation, single point of failure, data open to inspection

Solution:

Relays as a local staging post, consolidate cache & buffer, alternate destinations, RLTP: received and understood, encryption & timestamping

[Diagram: syslog-ng encrypted syslog architecture]

A combination of syslog-ng Agents, relays and SSB has been used so that messages are TLS-encrypted as they cross the network. RLTP has been used to guarantee log delivery using a 'received and understood' acknowledgement at the application layer rather than relying on TCP delivery alone, so the sender only discards a message once the receiver has confirmed it has taken responsibility for it. Logs are stored in an encrypted state on the SSB, indexed and timestamped, and sent to the SAN and SIEM for processing.

Thanks and credit to the team at Balabit and One Identity for assistance with content.

If you would like to discuss how these solutions can transform your syslog architecture, help you to meet GDPR compliance regulations and save you substantially on your license costs please get in touch.

Understanding Passive and Active Security Architectures

What is the difference, and how can both approaches be used to create a next generation security posture?

The evolution of network security

Cast your mind back to when the Millennium Bug was destined to drop planes from the skies, traffic lights were mysteriously going to cease to operate and cars would run into each other like a scene from a post-apocalyptic horror movie. This was about the same time that the majority of internet-related breaches were stopped by routers with ACLs, firewalls and good antivirus software.

Then came some smarter tools, fed from SPAN/mirror ports, that looked for traffic matching signatures and rules deemed threatening and raised alarms for investigation and remediation.

Passive Security

This is what is known as Passive Security. Passive Security is where tools receive a copy of network traffic and either store it or raise an alert when a potential breach or anomaly occurs. Because the tool only ever sees a copy, a failed or overloaded passive tool cannot disrupt production traffic, but neither can it block anything. Passive security has also moved on from tools fed by SPAN or mirror ports to the use of network TAPs and packet brokers.

Network TAPs and Network Packet Brokers

Network Test Access Points (TAPs) pass a copy of the traffic on a link to your tools without dropping packets or over-subscribing a SPAN port. The over-subscription problem is simple arithmetic: a SPAN port mirrors both directions of a full-duplex link onto the single transmit side of one port, so a 1 Gb link running at 80% in each direction presents 1.6 Gb/s to a port that can forward 1 Gb/s, and the switch silently discards the rest. A switch will also typically drop mirrored frames first when it is busy, and will not mirror corrupt frames that a forensic tool would want to see. Packet brokers are also part of the network's visibility fabric; they are usually deployed downstream of TAPs or SPAN ports and add features such as aggregation, regeneration, de-duplication, media conversion and filtering.

[Diagram: Ixia passive security packet broker]

Deploying Packet Brokers with Passive Tools

Packet brokers have been an important phase in the evolution of network security monitoring. They not only drastically reduce the cost of deploying passive tools, they also make it possible to replicate data to many tools (alleviating SPAN contention), aggregate feeds into fewer tools, and take load off analysis tools by de-duplicating and filtering packets before they arrive.

The move to inline security architecture

No sooner were enterprises comfortable with the results of their forensic and IDS systems than the desire came to block threats, and to stop sensitive documents from being leaked outside the organisation or stolen. Since these tools need to be an integral part of the data flow, they now had to be deployed inline to do their job.

The use of inline tools is common place in enterprise networks, as we need to protect against a wide variety of attacks and data leakage originating from both internal and external sources.

Multiple Inline Tools

Challenges and considerations of deploying inline security

Once you start to consider deploying inline tools, then there are many things you must consider as these tools now become a ‘bump in the wire’ and are critical to the flow of data through your network:

  • How do I carry out maintenance on the tool(s)?
  • How will the network behave if one or more of the tools fail, either individually or at the same time?
  • Is the tool getting overloaded with traffic that it doesn’t need to see?
  • How do I protect against asymmetrically routed traffic?
These challenges are addressed with Ixia Network Packet Brokers and Ixia Bypass TAPs, which also give you a much more resilient inline security infrastructure and an improved security posture. A bypass TAP uses a heartbeat to detect a failed or unresponsive tool and, depending on policy, either fails open (traffic keeps flowing, uninspected) or fails closed (traffic stops); which of the two is right for a given link is a risk decision to make before the outage, not during it. These can also be deployed in a high-availability configuration to retain network resilience.

[Diagram: Ixia bypass resilience]

This diagram shows how Ixia's Bypass solutions combined with Packet Brokers let you deploy inline tools strategically and safely, taking them out of the critical fault domain while retaining their ability to protect and stop attacks as they were deployed to do.

 

Out of Band vs Inline / Active Packet Brokering

Out of Band Packet Brokering

  • Traffic Sources; Network Taps, SPAN/Mirror Ports
  • One Direction
    Once sent to the tool it is forgotten about.
  • Traffic can be filtered, aggregated, load balanced, etc.
  • Advanced Features, such as AppStack & PacketStack, can help groom packets before being sent to tools.
  • Only a limited set of SSL/TLS cipher suites can be decrypted: out of band, the broker has at most the server's private key, which recovers the session key for RSA key exchange but not for (EC)DHE suites, where the session key is never sent on the wire.

Inline / Active Packet Brokering

  • Traffic Source: Bypass TAPs, sitting directly inline in the traffic path
  • Bi-Directional
    Traffic is returned to the network or blocked following inspection by the tools.
  • Traffic can be filtered, aggregated, load balanced, etc.
  • Limited use case for Advanced Features. You don’t want to change live network traffic.
  • Most SSL/TLS cipher suites can be decrypted and then re-encrypted post inspection, because the inline broker terminates the client's session itself and opens a new one to the server, so it holds the session keys on both sides. This is a deliberate man-in-the-middle: clients must trust the broker's signing CA, and connections that use certificate pinning or mutual TLS will break unless they are explicitly bypassed.

More information on Ixia’s range of  solutions and a link to some on our online shop can be found here

Ixia Taps & Packet Brokers

Or via Ixia’s site here:

https://www.ixiacom.com/solutions/network-security

Iris Networks carry the complete range of solutions for Ixia, should you wish to discuss your requirements in more detail please call us on 01925 357770 or email sales@irisnetworks.co.uk

Thankyou to Ixia for use of content for purposes of this blog.

Using AirCheck G2 to Maintain Great Wi-Fi

Without doubt, one of the best tools on the market for maintaining great Wi-Fi is the NetAlly AirCheck G2 Wireless Tester. Its ease of use, portability, reliability, depth of visibility and centralised reporting capability have made it a worldwide success and a staple part of the engineer's toolkit. The purpose of this post is to highlight a few examples of how to use the tool to address some of the most common considerations, and of course issues, presented by Wi-Fi. Firstly, let's take a look at the tool itself:

[Image: NetScout AirCheck G2 hardware]

On the AirCheck G2 we have a large, clear and responsive touch screen, a mounting point for an external directional antenna, a 1 Gbps Ethernet port for testing backhaul connectivity and PoE, and a couple of USB ports for attaching devices, memory sticks etc.

For completeness of visibility we will assume use of the NetAlly AirCheck G2 TA Kit, which includes a few handy extras such as the external antenna and holster, but the clue is in the 'TA' part of the name: the Test Accessory. This is a small-footprint device that the AirCheck connects to remotely to run iPerf tests and obtain network throughput statistics. Here is what is in the TA Kit:

 

Verify The Network Deployment

Using the AirCheck G2 we can check the ability to establish a connection to the network, access core services such as DHCP and DNS, resolve a web address, and see how long each step took. From this simple workflow you can confirm that everything is as expected from a connectivity perspective:

[Screenshot: AirCheck connection test]

Verify Network Performance

Using the AirCheck G2 paired with the Test Accessory, we can now validate performance to a remote device. Here’s how:

  1. Connect to a network
  2. Select iPerf Test
  3. Select the iPerf server or Test Accessory to test against
  4. Click 'Start' to begin your test

This now tells us that the network is available and that we can connect to it, and gives an indication of its performance.

Auto-Test Feature

Auto Test is a really handy, user configurable set of tests that can be run with a single touch to validate network health with a ‘Pass or Fail’ indication. Using this feature, the AirCheck G2 is testing the following 5 elements:

  • 802.11 Utilisation: reports the top 3 channels in each band (2.4/5 GHz) with the highest Wi-Fi traffic utilisation.
  • Non-802.11 Utilisation: reports the top 3 channels in each band (2.4/5 GHz) with the highest non-802.11 airtime utilisation. This indicates the presence of interference sources and high noise.
  • Co-Channel Interference: reports the top 3 channels in each band (2.4/5 GHz) with the most APs on the same channel that exceed the minimum signal level threshold.
  • Adjacent Channel Interference: reports the top 3 channels in the 2.4 GHz band in which APs may experience adjacent channel interference. For each channel on which at least one AP is found, the feature counts how many access points are operating on other channels that overlap with it. In 2.4 GHz the channel centres are 5 MHz apart but a channel is 20 MHz wide, so any two channels fewer than five numbers apart overlap; only 1, 6 and 11 are mutually non-overlapping.
  • Network Quality: verifies coverage, interference, security and the ability to connect to specified networks, along with the availability of critical services such as DHCP and specified network targets.

 

[Screenshot: AirCheck G2 AutoTest]

Non-802.11 Interference

Using the onboard Wi-Fi radio of the AirCheck G2, we can sense and classify (when possible) sources of interference that are having a detrimental impact to network performance. Sources which are identified are as follows:

  • AirHORN
  • Baby Monitor
  • BlueTooth
  • Canopy
  • Cordless Phone
  • Game Controller
  • Microwave
  • Motion Detector
  • Narrowband Jammer
  • Radar
  • Video Monitor
  • Wireless Bridge (non-802.11)
  • Wireless Mouse
  • Wireless Video Camera
  • ZigBee
  • + Possible Interferer and Unclassified Interferer

 

By getting close to the area in question and running this test you can quickly see if there is anything that could be causing a problem, how strong the interference source is, on what band, which channels are impacted, how often and for how long. From here you can even locate the source and either isolate it or, in some cases, engineer the network around it so that it no longer poses a problem.

Optimising the Network Using the AirCheck G2

The 'Channels' screen on the AirCheck G2 gives an excellent insight into channel configuration, channel utilisation and non-Wi-Fi channel utilisation across the 2.4 and 5 GHz bands. Using this screen we can see the entire Wi-Fi spectrum at a glance and also view how the channels overlap.

[Screenshot: AirCheck channels screen]
[Screenshot: AirCheck channel overlap screen]

When optimising the channel domain, some considerations are:

  • Are there too many APs on a channel?
  • Are there APs on overlapping channels in the 2.4 GHz band (anything other than 1, 6 and 11, i.e. 2, 3, 4, 5, 7, 8, 9, 10)?
  • Is 802.11 airtime utilisation too high?
  • Is Non-802.11 airtime utilisation too high?
Take a look at the clients on the channel, are there too many? If so, think about removing unauthorised devices or employing techniques such as band steering or client load balancing.

View the Iris Networks NetAlly AirCheck G2 product page HERE

View NetAlly’s AirCheck G2 product page HERE

Download the datasheet HERE

Anomaly Detection in Universities

Flowmon Networks & Iris Networks invite you to an educational webinar on Anomaly Detection in Universities.


We have been helping universities who want to gain better visibility of their network and understand what is happening inside it. Flowmon proactively searches inside the network for anomalies that would otherwise go undetected by standard security approaches.

 

Flowmon Networks empowers Universities to manage and secure their computer networks confidently. Through our high-performance network monitoring technology and lean-forward behaviour analytics, IT professionals worldwide benefit from absolute network traffic visibility to enhance network & application performance and deal with modern cyber threats. Understand how we can help make your network traffic more visible & secure.


Join us and Flowmon on Tuesday 30th October at 2pm

 

Stonecalibre Acquires NETSCOUT HNT Business

[Image: NetScout tools overview]

18-09-2018

Stonecalibre announces that as of 14th September 2018 it has completed the divestiture of the Handheld Network Test (HNT) tools business from NETSCOUT SYSTEMS INC. Read more about it here : https://www.stonecalibre.com/news/latest-acquisition

Or Here: https://ir.netscout.com/investors/press-releases/press-release-details/2018/NETSCOUT-Divests-Handheld-Network-Test-Business/default.aspx

Iris Networks Execute Partner Agreement with Flowmon

[Image: Flowmon link monitoring]

Iris Networks are pleased to formally announce our partnership with Flowmon.

Flowmon's NetFlow/IPFIX network and application behavioural analysis platform, combined with its ability to apply artificial intelligence and machine learning to detect anomalous application activity and to provide DDoS protection, is what we believe makes Flowmon such a compelling offering to enterprises of all sizes.

We will be updating our pages with details of forthcoming product webinars soon, so keep an eye on our pages or contact your account manager to register.

Click here to view the product pages: FLOWMON

[Diagram: Flowmon architecture]

Save 20% with our NETSCOUT AirCheck G2 and LinkRunner G2 Combo

[Banner: NetScout LinkRunner G2 and AirCheck G2 combo]

For a limited time, you can receive a 20% discount off our wired and wireless test kit from NETSCOUT. Including the AirCheck G2 and LinkRunner G2, this combo enables engineers to test and validate connectivity and performance on wired and Wi-Fi networks.

Still need convincing? No problem, drop us a line and test drive the equipment at your leisure!

Details available here:

LinkRunner G2

AirCheck G2

Iris Networks joins Mist Systems’ Reseller Partner Program to bring industry’s first AI-driven Wireless LAN to the UK

[Image: Iris Networks Mist Partner Reseller UK]

 

Iris Networks, a leading UK networking VAR, has announced today that it has become a Gold level partner in the Mist Reseller Partner Program. By reselling the world’s first AI-driven WLAN, Iris is revolutionising how organisations deploy, operate and manage wireless networks, and enabling mobile users to take advantage of Wi-Fi automation and enhanced location-based experiences using virtual Bluetooth LE.

As a Gold Partner of Mist Systems, Iris Networks is now able to build on its stable of market-leading technologies and provide its existing and future customers with this ground-breaking wireless solution. Iris Networks can now deliver a true value-added service, with customers benefiting from AI-driven wireless that helps service delivery teams to maintain their SLAs, customer experience teams to promote engagement, and businesses to be more flexible, agile and efficient.

Commenting on the partnership, Anthony Barrow, Managing Director, Iris Networks said, “Over time wireless networking has evolved from a point product to address a certain constraint be it a lack of cabling in a certain area, lack of budget, or an interim flexibility requirement and now is quickly becoming the ‘first’ choice for network connectivity in ‘wireless first’ initiatives. This has resulted in numerous challenges such as integration with existing equipment, network visibility, concerns around security both external and internal, maintaining service level experience expectations across multi-site distributed networks with centralised skills. Our partnership with Mist Systems means that we now have all of this covered and are now able to provide a truly next generation wireless platform that addresses all of these demands. We are excited about our future with Mist Systems and are proud to be a part of their extended team.”

“We are thrilled to be working with leading partners like Iris to bring AI-driven networking to the UK market,” said Mike Anderson, Vice President of Channel sales at Mist. “By automating operations and giving unprecedented visibility into the user experience, the Mist platform aligns perfectly with Iris’ vision of bringing next generation networking solutions to market.”

Service Assurance for Cloud Services

Challenges

As many as 85 percent of corporate enterprises have a multi-cloud strategy and up to 95 percent of enterprises are running applications or experimenting with infrastructure-as-a-services, according to Rightscale’s 2017 State of the Cloud Survey and report. Many enterprises are migrating to cloud-based services for more agility, retirement of legacy systems, capital cost savings, and as a way to deliver powerful solutions for their businesses and customers.

The increased dependence on hybrid cloud technologies and the risk that these initiatives may slow down or end up failing is an obvious concern. Rapid resolution of problems impacting services running through the cloud is a high priority for any enterprise or government agency. The large, complex, hybrid IT systems, consisting of legacy, private cloud and public cloud infrastructure, present significant challenges for IT teams tasked with discovering the root cause of a slowdown or degradation.

Specific challenges include:
• Lack of wire-data service assurance solutions that work in public cloud environments.

• Inefficiencies with backhauling copies of packets from the public cloud to on-premises tools that consume excessive network resources and may be cost prohibitive.

• Business concerns related to moving services to the public cloud due to fear of extended performance degradations, outages and costly mistakes in cloud resource allocation exacerbated by the gap in protection of wire data service assurance analysis.

• Hurdles in gaining visibility to the wire-data in virtualised environments.

As a NETSCOUT Platinum Partner, Iris Networks provides a visionary and committed solution; through our experience and resources we can dramatically accelerate these migrations and technology initiatives to help maintain business continuity and leadership.

The NETSCOUT Approach

Extending your service assurance methodologies and workflows into your cloud environment is easy and predictable with NETSCOUT, your trusted and committed partner for cloud migration and server farm application assurance. NETSCOUT's approach to service assurance is built on a foundation of Smart Data and Superior Analytics. Built on wire traffic and NETSCOUT's patented Adaptive Service Intelligence (ASI) technology, it provides the most robust data source available to monitor and analyse service delivery of applications throughout the modern IT landscape. NETSCOUT's newly introduced software application, vScout, provides for the seamless extension of your nGenius architecture into your cloud environment at a lower cost of ownership, enhancing and ensuring the success of your cloud migration initiatives.

Our Solution

The nGeniusONE Service Assurance platform provides unrivaled visibility into IP-based business services, along with contextual workflows to speed problem resolution, making the solution both easy for a Level 1 responder to use and powerful for an expert to operate. Rather than looking at individual elements in isolation, nGeniusONE provides an overarching view into the performance characteristics of the components, micro services, and / or containers associated with service delivery of applications. In conjunction with NETSCOUT’s proven nGeniusONE platform, vScout and vStream software makes all of this possible by extending the power of wire data and ASI directly into the heart of an enterprise’s mission critical applications, whether they are on-premises or off-premises; on bare metal, in a private cloud or in a public cloud. This view exposes underlying service dependencies that help IT teams to more effectively manage health, availability, and user experience issues.

Only NETSCOUT extends the power of wire data and ASI directly into the heart of an enterprise’s mission critical applications – on- or off-premises; on bare metal, in private or public cloud.

Only NETSCOUT’s nGeniusONE with vScout and vStream empowers enterprises to confidently migrate applications and services to both public and private clouds. Leveraging wire data, vScout and vStream create Smart Data by using ASI to analyze the rich information available from the flows of application traffic. This makes vScout ideal for monitoring hybrid cloud deployments and for managing the migration of applications into the public cloud.

[Diagram: NETSCOUT service assurance for cloud]

Delivering Value to Enterprises Migrating to and Using the Cloud

IT must support the hybrid environment of public and private cloud with the legacy environment to deliver services. NETSCOUT’s Service Assurance solutions help enterprises ensure successful rollouts and ongoing service performance for Public Cloud, Private Cloud and Legacy Infrastructure. NetOps and AppOps alike can collaboratively use ASI-based wire data to provide a complete view of application flows for service triage, proactive monitoring and deployment readiness before, during and after migrating to the cloud. This offers significant benefits enabling enterprises to:

• Meet business objectives and migrate to the cloud with confidence, using smart data and analytics from nGeniusONE, vScout and vStream

• Solve problems rapidly and economically with complete visibility into East-West as well as North-South traffic by using vScout to monitor packets flowing into and out of the application servers, including those in a micro-services architecture application

• Extend the value of the nGeniusONE Service Assurance solution with vStream, a platform for extending the many ways that wire data can be used

• Reduce MTTR with true visibility into the health of application components, their interdependencies and interactions with the broader IT infrastructure

• Achieve comprehensive coverage of application services and vulnerabilities, on- or off-premises; on bare metal, in private or public cloud, today and into the future

 

Contact us to learn more about how we can help you maximise your performance in the cloud!