The GigaSMART applications in the GigaSECURE® Security Delivery Platform provide the ability to act on traffic streams and perform a series of functions that serve to offload and optimize a variety of security solutions.
The three GigaSMART applications in the GigaSECURE Security Delivery Platform are NetFlow Generation, SSL Decryption, and Application Session Filtering (ASF).
NetFlow generates detailed flow and session intelligence based on actual traffic, not just a sample of traffic.
IPFIX is a powerful standards-based technology that is gaining momentum in the network security space for forensics, trend analysis, and anomaly detection. IPFIX looks at raw network packets and derives sophisticated flow-based metadata such as records of conversations between endpoints, duration of conversations, and channels of communications.
GigaSECURE centralizes the function of generating these flow records so that this can be done consistently across heterogeneous and disparate infrastructure. The flow records can be served up to a variety of security solutions that analyze flow metadata. The flow metadata generation is done at very high throughput so as to generate high-fidelity records that are essential for good security analytics.
The solution also enables custom templates to be defined so that the information that can be gleaned from the traffic can be highly tailored to the specific deployment environment.
The GigaSECURE Security Delivery Platform with NetFlow Generation:
- provides unsampled NetFlow/IPFIX record generation to detect “low-and-slow” attacks
- filters records based on configurable parameters to predetermined tools
- offloads NetFlow/IPFIX record generation from the overloaded network infrastructure
- enables end-to-end security enforcement with visibility into every flow
- provides advanced information elements
NetFlow Generation is described in this document. Refer to GigaSMART NetFlow Generation for details.
Application Session Filtering (ASF) with or without buffering provides the ability to deliver just the relevant traffic streams to the specific types of security tools. For example, an email security solution need not see YouTube traffic. Sending only relevant traffic allows the security solutions to function more effectively and waste less bandwidth and resources processing irrelevant information.
Many security solutions do not need to look at entire flows that are either trusted or that they have no ability to process. ASF provides the ability to look deep into the packet at the application layer, identify application flows based on patterns within the packets, and either steer entire sessions to a specific security solution or discard the entire session. An entire session means, for example, all packets belonging to a session, even if subsequent or preceding packets for that session do not match the pattern.
This powerful capability allows precise control of the types of traffic data that are sent to security tools based on Layer 4 to Layer 7 and more sophisticated content matching, thereby ensuring that security solutions are focused on working off network traffic that is most relevant to them while simultaneously offloading those tools from having to process large volumes of irrelevant data.
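Added example (not from the Gigamon documentation or product code): a simplified Python model of session-level filtering with buffering, contrasted with per-packet matching, to show why preceding packets of a matched session are still delivered. The sample packets, the pattern, the function names and the buffer_limit cutoff are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample packets: (src, sport, dst, dport, payload)
PACKETS = [
    ("10.0.0.5", 40001, "192.0.2.10", 25, b"SYN"),
    ("10.0.0.7", 40002, "192.0.2.20", 443, b"SYN"),
    ("192.0.2.10", 25, "10.0.0.5", 40001, b"220 mail.example ESMTP"),
    ("10.0.0.5", 40001, "192.0.2.10", 25, b"EHLO client.example"),
    ("10.0.0.7", 40002, "192.0.2.20", 443, b"\x16\x03\x01 ClientHello"),
    ("10.0.0.5", 40001, "192.0.2.10", 25, b"MAIL FROM:<a@example.com>"),
    ("10.0.0.7", 40002, "192.0.2.20", 443, b"\x17\x03\x03 appdata"),
]

def session_key(pkt):
    """Direction-independent key so both halves of a conversation share state."""
    src, sport, dst, dport, _ = pkt
    return tuple(sorted([(src, sport), (dst, dport)]))

def packet_filter(packets, pattern):
    """Baseline: forward only the individual packets whose payload matches."""
    return [p for p in packets if re.search(pattern, p[4])]

def session_filter(packets, pattern, buffer_limit=3):
    """Forward whole sessions once any packet matches; drop a session that is
    still unmatched after buffer_limit packets (hypothetical cutoff)."""
    state = {}                    # session key -> "pass" or "drop"
    pending = defaultdict(list)   # buffered packets of undecided sessions
    out = []
    for pkt in packets:
        key = session_key(pkt)
        verdict = state.get(key)
        if verdict == "pass":
            out.append(pkt)       # subsequent packets need not match
        elif verdict is None:
            pending[key].append(pkt)
            if re.search(pattern, pkt[4]):
                state[key] = "pass"
                out.extend(pending.pop(key))  # release preceding packets too
            elif len(pending[key]) >= buffer_limit:
                state[key] = "drop"
                pending.pop(key)
        # verdict == "drop": discard the packet without inspecting it
    return out
```

With the pattern rb"^EHLO ", packet_filter forwards a single packet, while session_filter forwards all four packets of the SMTP session, including the handshake and banner seen before the match, and discards the TLS session.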
Application Session Filtering is described in this document. Refer to GigaSMART Application Session Filtering (ASF) and Buffer ASF for details.
Also refer to the Application Session Filtering Cook Book.
There are two SSL Decryption applications as follows:
- Passive SSL Decryption
- Inline SSL Decryption
SSL decryption for out-of-band tools provides a solution to decrypt encrypted communications so that security tools can detect malware that leverages encrypted communication channels and ensure that sensitive information is not compromised.
As the volume of malware that leverages encrypted communication channels increases, the need to peek into those encrypted channels of communication increases. Decrypting those channels is best done within the GigaSECURE Security Delivery Platform so that it is done once, at very high performance. This eliminates the blind spot simultaneously for multiple security tools that do not have the ability to deal with encrypted communications. For security tools that can decrypt traffic themselves, it offloads a computationally intensive task that would otherwise be repeated in each tool.
Passive SSL decryption delivers decrypted traffic to out-of-band tools that can then detect threats entering the network. When a threat is detected, the tools can send a notification.
Passive SSL decryption is described in this document. Refer to GigaSMART Passive SSL Decryption for details.
SSL decryption for inline tools provides visibility into encrypted traffic. Inline SSL decryption delivers decrypted packets to tools that can be placed inline or out-of-band. The tools look into decrypted packets for threats, such as viruses or other malware.
The amount of Internet traffic that is encrypted is increasing, and much of it is encrypted with Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
Malware increasingly uses encrypted SSL traffic, so a significant percentage of attacks hide in SSL. Inline SSL decryption delivers a complete view of encrypted applications and hidden threats in your organization.
Many applications, such as email, also use SSL. Encryption protects data from being viewed in transit over the Internet, such as in an exchange of emails. Encryption also keeps the data private. But when data is encrypted, packets are not inspected, which can create blind spots in your network.
Providing visibility into encrypted traffic eliminates this blind spot. SSL/TLS blind spots in your network can be eliminated across any port or application, for example, port 443, or email, Web, or VoIP applications.
Inline SSL decryption inspects SSL encrypted traffic inline. The advantage of this solution is that when SSL decryption is inline, tools can act when a threat is detected.
Inline SSL decryption is described in Inline SSL Decryption.