Network monitoring can be described in many ways, but very often it is defined in the following way: ‘Network management is the process of configuring, monitoring and maintaining a reliable network ensuring connectivity between devices and the people or software applications.’ Several frameworks have been developed around network monitoring, for example, FCAPS (Fault, Configuration, Accounting, Performance, and Security) by TMN. While this definition focuses on functions, TeleManagement Forum’s (TMF) Business Process Framework called eTOM has more focus on business and processes. In the TMF model, the overlaying strategy spans from lifecycle management to operations readiness and support to fulfillment, assurance, and billing.
Security monitoring in a summary is the automated process of collecting and analyzing indicators of potential security threats, and triaging these threats with the appropriate action.
This blog is focusing on the functionality comparison of network and security management. The frameworks aside, the Network and security operations teams have an ever-increasing amount of work and responsibility in taking care of the overall health, performance, and security of a business’ infrastructure as technologies evolve, complexity increases, and enterprise networks continue to grow.
At first glance network and security operations may look similar or at least partially overlapping, but these functions and tools serve different (and essential) purposes within an organization.
Network Monitoring
Network monitoring looks at analyzing and tracking the health of an organization’s network. Network monitoring detects problems caused by malfunctioning devices, servers, overloaded resources, firewalls, and Virtual Machines (VMs), to name a few. The tools available for cloud-native environments differ in some ways and are worth another blog entirely.
Network operations teams need to understand network topology, configurations, performance, and security. Small enterprises can sometimes get by with cloud-hosted infrastructure and monitoring, without the need to fully comprehend the underlying technology. However, an organization’s infrastructure consists of numerous elements, such as hybrid cloud and even bare metal infrastructure, that frequently span over multiple locations and utilize a variety of technologies making network monitoring more important and complex than ever before.
Many network monitoring technologies enable end-to-end network and application visibility. Network monitoring is carried out by using a set of tools such as NMS/EMS, dedicated applications such as application monitoring, and diagnostic and troubleshooting tools. Proactive network monitoring is an essential component of network monitoring that helps in the early detection of performance issues to prevent network failures and downtime. This is typically achieved by using forecasting algorithms combining fault, performance, and configuration data feeding the data to the algorithms with the help of AI/ML these days.
The most common network monitoring protocol is the Simple Network Management Protocol (SNMP). In addition to SNMP, Syslog, flow-based monitoring, and packet analysis are used. ICMP is used especially for troubleshooting by analyzing error messages sent by network devices. The rise of threats, attacks, and ransomware has made the role of administration and security pivotal. Therefore, the CISOs have become an integral part of the organizations and are responsible for security and privacy matters at the highest company level.
Network Security Monitoring
Network Security Monitoring, especially XDR (Extended Detection and Response), is a security threat detection and incident response tool rather than just passive observation. SIEM can be a part of the process or it can be used as a tool to support both Network and Security monitoring.
While network monitoring collects data for the analysis of network and application health and overall system structure and integrity, network security monitoring analyses among others:
- Network signaling
- Network payload
- Used protocols
- Client-server communications
- Encrypted traffic sessions
- Traffic patterns and traffic flow
- Anomaly detection
- Network confidentiality, integrity, and availability (CIA triad)
Unlike traditional network monitoring, network security monitoring enables evidence-based decision-making by detecting intrusions, for example, zero-day vulnerabilities. The advent of modern continuous network monitoring and analysis technologies provides levels of detection and mitigation support that can significantly lower the likelihood of a successful attack or breach, however, at the same time attackers’ methods have gotten more sophisticated and the race continues.
Though the SNMP is useful for monitoring networks and planning future capacity, it doesn’t offer granular information, for example about signaling traffic. In an increasing number of cases, the only way to detect a sophisticated attack is to analyze the packets and traffic patterns. This approach results in high bandwidth utilization and requires high capacity and performance tools. Therefore, many tools either convert packets to PCAP files for analysis or use instead generated NetFlow, IPFIX, or similar types of flow metrics. There are also products in the market that further compress NetFlow/IPFIX to reduce the hardware requirements at the analytics end. The question is if detailed, granular data is required or if aggregated or compressed data is sufficient. This depends on the tool and use case, but often full security screening requires raw packet information.
NetFlow is created in the network element or by a device converting packets to NetFlow, cached, and stored, flows are then exported to the collector that receives and preprocesses the data. After a flow goes dormant or a preset time passes, the device exports the flow records to a flow collector. A flow analyzer further provides insights through visualization, statistics, and historical and real-time reporting. Collectors and analyzers are often bundled into a larger network monitoring system.
Why do Businesses need Network and Security Monitoring?
Network monitoring is vital in having visibility and control over the network, optimizing network performance and reliability, improving the bottom line, understanding current and future capacity, and finally ensuring corporate compliance. Automation has become one of the most important factors in network monitoring due to the increasing complexity and number of network elements. Manual actions are just too slow, error-prone, and require too much manpower.
Network monitoring, for example, focuses on understanding the composition, availability, status, behaviour, performance, and configuration of all the components within the infrastructure. It also actively tests the availability and accessibility of IP hosts to assess. Network monitoring as such is not designed for security management, thus a set of security management tools is needed either as an integrated tool or as separate, but connected applications.
Today security monitoring is part of a company’s compliance and regulatory requirements. Data breaches can be costly in many ways: ransom cost, fines, and compensations, bad publicity, lower brand value, and paused operations preventing business activities. Some of these can have a long-lasting impact on the company, also reducing its stock value.
Network security monitoring has the core objective of minimizing downtime by preventing attacks and preserving data to keep an organization operational. By combining attack and passive security monitoring and automating the processes as far as possible, organizations can protect themselves from network threats and identify attackers.
Together network and security monitoring provide comprehensive information, analysis, and reports:
- Enable both network operations and network security staff to collect, filter, and refine their investigations in order to identify problems
- Determine if the event is a normal network or malicious/disruptive activity
- Provide continuous, real-time, and reliable data gathering for extracting crucial information about the health and security posture of the network
- Deploy active testing tools to test vital network functions
- Allow automation and standardized trouble ticketing processes
Both TAPs and NPBs are fundamentally important in providing visibility to the network by providing a copy of packets traversing the network.
Cubro Network Packet Broker EX48200
- TAP is a stand-alone piece of hardware that mirrors packets by making an exact copy of the traffic ensuring that total visibility is provided across all of the network’s security and monitoring platforms.
- NPB optimizes the traffic between TAP and monitoring systems. Also known as Traffic Aggregator, an NPB improves the functionality of network analysis and security tools, and helps to optimize network security and the performance of monitoring and analysis tools by decapsulating tunneling protocols, and slicing packets if needed, aggregating, filtering, replicating, and load balancing.
- Advanced NPBs generate NetFlow/IPFIX, PCAP files for a given period of time and provide a basic security view.
While network monitoring can cope with information received from network elements, many other tools require packet information. This is where network visibility becomes essential since without tapping and NPBs the information from the network is not complete or even useful. NPBs play another important role in optimizing, reducing, and formatting the data for the monitoring tool, thus reducing the investment need.