
Securing a VPN Against Advanced Malware Threats


Although they offer logical methods for facilitating remote networking, VPNs expose companies to opportunities for attack and serve as gateways for malware and APTs.

The core switch carries an average of 6 Gbps of sustained traffic, with bidirectional peaks of up to 8 Gbps. That traffic is mirrored and sent over 2-10 Gbps links to the probe. Volume drops substantially after normal business hours, but the probe monitors everything sent to it around the clock, categorizing the traffic and extracting metadata whenever it makes an interesting observation. (The probe is designed to process bidirectional peak traffic from the switch at 10 Gbps in each direction.) One practical check applies here: a mirror link at the low end of that range cannot carry the 8 Gbps peak, and an oversubscribed mirror port drops packets silently, so the probe's visibility depends on the mirror links being provisioned for the peak rather than the average.
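To make the probe's job concrete, here is an added example (not code from the article or from any vendor product) of the stage the paragraph describes: categorizing mirrored traffic, extracting per-flow metadata, and raising an alert on an interesting observation. The observation implemented is beaconing, a VPN client making near-periodic connections to the same external endpoint, which is a common indicator of malware command-and-control on a compromised host. The flow records, the 10.8.0.0/16 VPN client pool, the thresholds and the field names are all constructed for the example.

```python
"""Toy passive-sensor stage: categorise flows, extract metadata, detect beaconing.
Added example; the flow records and address ranges below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

VPN_CLIENT_PREFIX = "10.8."      # assumed VPN client address pool (constructed)
MIN_CONNECTIONS = 6              # enough samples before judging periodicity
MAX_JITTER_RATIO = 0.15          # stdev/mean of intervals at or below this => periodic


@dataclass(frozen=True)
class Flow:
    ts: float        # flow start, epoch seconds
    src: str
    dst: str
    dport: int
    bytes_out: int


def categorise(flow: Flow) -> str:
    """Coarse category the probe tags each flow with before deciding what to keep."""
    if not flow.src.startswith(VPN_CLIENT_PREFIX):
        return "non-vpn"
    if flow.dst.startswith("10."):
        return "vpn-internal"
    return "vpn-egress"


def extract_metadata(flows):
    """Keep only VPN egress flows, grouped by (client, destination, port).
    This grouping is the metadata a probe would store rather than full packets."""
    groups = defaultdict(list)
    for f in flows:
        if categorise(f) == "vpn-egress":
            groups[(f.src, f.dst, f.dport)].append(f)
    return groups


def beacon_score(timestamps):
    """Return (mean interval, jitter ratio) for a list of flow start times.
    A low jitter ratio means the connections are evenly spaced, i.e. periodic."""
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(intervals)
    return m, (pstdev(intervals) / m if m else float("inf"))


def find_beacons(flows):
    """Emit one alert per (client, destination, port) that looks like a beacon."""
    alerts = []
    for (src, dst, dport), group in extract_metadata(flows).items():
        if len(group) < MIN_CONNECTIONS:
            continue
        period, jitter = beacon_score([f.ts for f in group])
        if jitter <= MAX_JITTER_RATIO:
            alerts.append({"src": src, "dst": dst, "dport": dport,
                           "period_s": round(period, 1),
                           "jitter": round(jitter, 3),
                           "count": len(group)})
    return alerts


# Constructed sample traffic: one VPN client beaconing roughly every 60 s to
# 203.0.113.7, one client browsing at irregular intervals, and one internal
# host that is not on the VPN pool and is therefore ignored.
SAMPLE_FLOWS = (
    [Flow(1000 + 60 * i + (i % 3), "10.8.0.12", "203.0.113.7", 443, 512) for i in range(8)]
    + [Flow(t, "10.8.0.15", "198.51.100.20", 443, 20000)
       for t in (1005, 1010, 1100, 1500, 1510, 2400, 2401)]
    + [Flow(1200, "10.1.2.3", "203.0.113.7", 443, 100)]
)

if __name__ == "__main__":
    for alert in find_beacons(SAMPLE_FLOWS):
        print("ALERT beaconing:", alert)
```

The detector deliberately works on flow metadata only (timestamps, endpoints, ports, byte counts), which is what a probe can retain at multi-gigabit rates; the irregular browsing client generates more bytes than the beacon but is not flagged, because the signal is the timing, not the volume.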

A typical deployment involves several people who use this type of security system as part of their daily responsibilities. A network security officer holds administrative rights over the system itself: he or she manages the hardware, probes and servers and allocates access rights to three analysts who use the system for ongoing research and investigations. The officer constrains the analysts' access by specifying which queries each is allowed to run, so that no analyst sees data outside the scope of his or her investigation or responsibility.
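The paragraph describes the officer limiting analysts to specific queries. The following is an added example (not the article's or any product's code) of one way to enforce that: each analyst is granted named query templates, and every template carries a network scope and a maximum lookback window that the analyst cannot override, so a request for a host outside the assigned scope is refused rather than answered. The analyst names, templates, address ranges and the small flow store are constructed for the example.

```python
"""Query allowlisting with per-analyst scope, as an added example.
Analyst names, templates and the metadata store are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class QueryTemplate:
    name: str
    scope: ipaddress.IPv4Network   # analyst may only ask about hosts in this range
    max_hours: int                 # upper bound on the lookback window


@dataclass
class Analyst:
    name: str
    templates: dict = field(default_factory=dict)   # template name -> QueryTemplate


class QueryPolicyError(PermissionError):
    """Raised when a request falls outside what the officer allowed."""


# Constructed metadata store: (client_ip, dst_ip, dport, hours_ago)
FLOW_STORE = [
    ("10.8.0.12", "203.0.113.7", 443, 2),
    ("10.8.0.12", "203.0.113.7", 443, 30),
    ("10.8.1.40", "198.51.100.20", 443, 1),
    ("10.9.0.5", "203.0.113.7", 443, 3),
]


def grant(acl, analyst_name, template):
    """Officer-only operation: add a query template to an analyst's allowlist."""
    acl.setdefault(analyst_name, Analyst(analyst_name)).templates[template.name] = template


def run_query(acl, analyst_name, template_name, host, hours):
    """Execute a template on behalf of an analyst, enforcing scope and window.
    Refuse rather than silently filter, so out-of-scope requests are visible."""
    analyst = acl.get(analyst_name)
    if analyst is None or template_name not in analyst.templates:
        raise QueryPolicyError(f"{analyst_name} may not run {template_name}")
    t = analyst.templates[template_name]
    addr = ipaddress.IPv4Address(host)
    if addr not in t.scope:
        raise QueryPolicyError(f"{host} is outside {analyst_name}'s scope {t.scope}")
    hours = min(hours, t.max_hours)   # clamp the window instead of trusting the request
    return [r for r in FLOW_STORE if r[0] == host and r[3] <= hours]


def build_acl():
    """Constructed policy: alice covers the whole VPN pool for a day,
    bob covers one /24 for six hours."""
    acl = {}
    grant(acl, "alice", QueryTemplate("egress_by_host", ipaddress.IPv4Network("10.8.0.0/16"), 24))
    grant(acl, "bob", QueryTemplate("egress_by_host", ipaddress.IPv4Network("10.8.1.0/24"), 6))
    return acl


if __name__ == "__main__":
    acl = build_acl()
    print(run_query(acl, "alice", "egress_by_host", "10.8.0.12", 48))
    try:
        run_query(acl, "bob", "egress_by_host", "10.8.0.12", 6)
    except QueryPolicyError as e:
        print("refused:", e)
```

The scope and window live in the template, not in the request, which is the point of the design: an analyst cannot widen a query by editing parameters, and a refused request is an auditable event on the management network rather than a quiet empty result.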

To maintain security and separation, all elements of the system (probes, servers, analyst workstations) reside on a dedicated, secured management network, and all administrative access to any element, including system management and query execution, goes through a secured browser interface. The management network also carries logging and real-time alerts. That separation matters because the probe itself holds sensitive traffic metadata: a probe or server reachable from a compromised VPN client would be a target in its own right.

The value of the approach

Deploying this type of solution for VPN security helps businesses achieve several important objectives, including:

  • installation of the entire system with no scheduled downtime or service interruption;
  • identification of compromised hosts infected with different types of malicious code;
  • creation and execution of an incident response plan;
  • improved visibility into violations of network usage policy;
  • updating of corporate security policies to better protect intellectual property and personal information.

VPNs are a logical way to provide remote networking, but they also widen the attack surface and serve as gateways for malware and APTs. A sensor-based, near-real-time forensics capability that identifies malware threats before perimeter solutions do is a strong basis for detecting, and through incident response containing, damaging intrusions and critical data theft. The division of labor is worth keeping in mind: a passive probe identifies compromised hosts, but it blocks nothing on its own; prevention comes from acting on its alerts through the incident response plan.


