
Network supervision: what equipment choices are available to you?

Here's our perspective on one of our fundamental core values. Consider this piece as the foundational whiteboard that inspired the creation of NANO Corp, which we are excited to share with you!

Florian Thebault
December 13, 2022

For network supervision and IT protection, four families of solutions designed to guarantee the best quality of service have historically been on the market: firewalls, Network Intrusion Detection Systems (NIDS), Network Intrusion Prevention Systems (NIPS) and network monitoring tools. The first three are primarily security oriented, while the last goes beyond security to address issues such as network quality control or billing.

The following overview presents these four families of current solutions and points to possible answers for the future.

Firewalls

By blocking unwanted inbound and outbound traffic, firewalls are intended to:

  • Prevent basic attacks;
  • Prevent network users from accessing certain sites;
  • Avoid the use of protocols whose ports are (usually) fixed.

Capable of handling high or even very high throughput (100 Gbps and more), firewalls are limited to simple processing rules. These rules are very often based on a simple match on the IP address and the port; sometimes a simple regular expression (regex) applied to the packet data (payload) is also taken into account. This simplicity explains their lack of precision.

Traditional firewalls do not perform protocol classification. However, some embed a NIDS so that more precise rules can be written (e.g. instead of blocking all web traffic, only a particular site is blocked). The throughput they can then handle is significantly lower.

In summary, firewalls can handle high throughput with a small footprint, but with very limited protection features. They are definitely not able to do much by today's standards.

Network Intrusion Detection System (NIDS)

Generally limited to speeds on the order of 10 Gbit/s, this tool is intended to warn network managers of malicious events. It relies on a more in-depth analysis of packet contents than a firewall does. It is generally able to decode and use the information conveyed by major protocols (HTTP, for example).

Its alerts are based on more complex and advanced detection rules than those of a firewall (mostly Snort rules). They can be very accurate when they rely on known protocol fields (the Host field of the HTTP protocol, for example). They can also be much more general, and then very similar to those of a firewall. These characteristics give the tool a flexibility and precision that the firewall does not have.

In summary, NIDS can warn network managers more accurately than a firewall, but cannot block unwanted flows. Compared with firewalls, the throughput supported by NIDS is greatly reduced.
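To make the difference concrete, here is an added example (not code from NANO Corp or from any product mentioned here) comparing a firewall-style IP/port rule with a NIDS-style rule on the HTTP Host field. The flows, addresses and host names are constructed, and the single-payload parser is a simplifying assumption.

```python
# Constructed sample flows: (dst_ip, dst_port, first TCP payload bytes).
# 203.0.113.10 is a hypothetical shared host serving two sites.
SAMPLE_FLOWS = [
    ("203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n"),
    ("203.0.113.10", 80, b"GET /docs HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    ("203.0.113.10", 8080, b"GET / HTTP/1.1\r\nhost: Blocked.Example:8080\r\n\r\n"),
    ("198.51.100.7", 80, b"\x16\x03\x01\x00\x05hello"),  # not HTTP
]

BLOCKED_ENDPOINTS = frozenset({("203.0.113.10", 80)})  # firewall-style rule
BLOCKED_HOSTS = frozenset({"blocked.example"})         # NIDS-style rule


def port_rule(dst_ip, dst_port, payload):
    """Firewall-style match: destination IP and port only."""
    return (dst_ip, dst_port) in BLOCKED_ENDPOINTS


def http_host(payload):
    """Return the lowercased Host header (port stripped), or None.

    Only a complete HTTP/1.x request head in a single payload is parsed;
    a real NIDS reassembles the TCP stream first.
    """
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/1."):
        return None
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            return host.partition(":")[0]
    return None


def host_rule(dst_ip, dst_port, payload):
    """NIDS-style match on a decoded protocol field."""
    return http_host(payload) in BLOCKED_HOSTS


def compare(flows=SAMPLE_FLOWS):
    """Return (port_rule, host_rule) verdicts for each flow."""
    return [(port_rule(*f), host_rule(*f)) for f in flows]
```

The IP/port rule over-blocks the second flow (another site on the same address) and misses the third (same site on port 8080), while the Host rule matches exactly the two requests for the targeted site.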

Network Intrusion Prevention System (NIPS)

This tool is nothing more than a merger between a firewall and a NIDS. It therefore makes it possible to block traffic more precisely than a firewall. Despite these particularly interesting functional characteristics, NIPS does not solve the problem of low throughput supported by NIDS.

Monitoring tools

Monitoring tools provide a view, usually delayed, of the state of the network. They come in two main families.

The first, called specialized, is made for the in-depth study of specific business protocols. It is limited to low speeds (1-10 Gbit/s) and is intended to provide a comprehensive view of certain parts of the network.

The second, more common, is made for a cursory study of the network by means of summary statistics on the sessions seen (when you are lucky enough to get even that). It is usually integrated into network equipment (mainly routers) and supports higher speeds (up to 100 Gbps), but most such tools are proprietary. If necessary, it can also take a brief sample of the packets passing over the network (on the order of one packet out of 10,000) to give you a little more information.

In summary, monitoring tools provide, depending on their family, either a (barely) detailed but partial view of the network or an overview that is not very detailed.

A common engine: protocol analysis

The tools previously discussed all need to identify and extract information from communication protocols. There are different ways to approach this analysis: it can be succinct and fast like the one performed in firewalls or more accurate and slower like the one found in NIDS.

The brief analysis relies solely on ports to “identify” protocols, which leads to many false detections. The in-depth analysis, on the other hand, dives into the heart of the packets to recognize protocol signatures, which theoretically offers a very good level of confidence.

However, this deep analysis involves many computations, which limits the supported throughput. In addition, to guarantee acceptable throughput, it deliberately turns a blind eye to the increasing complexity of networks and only begins its analysis at layer 3 (tunnelling is not handled).
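The two approaches can be compared side by side in this added example (not part of the original post and not NANO Corp's technology). The port table, the three payload signatures and the sample payloads are constructed for illustration and cover only SSH, TLS and HTTP/1.x.

```python
# Port-based vs signature-based protocol identification (illustrative only).
PORT_MAP = {22: "ssh", 80: "http", 443: "tls"}
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}

# Constructed payloads: (dst_port, first bytes sent by the client).
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03"  # truncated
SAMPLES = [
    (443, b"SSH-2.0-OpenSSH_9.6\r\n"),                     # SSH on the HTTPS port
    (8080, b"GET /index.html HTTP/1.1\r\nHost: a.example\r\n\r\n"),
    (80, TLS_CLIENT_HELLO),                                # TLS on the HTTP port
    (443, TLS_CLIENT_HELLO),                               # the expected case
]


def by_port(dst_port, payload):
    """Brief analysis: the port number alone names the protocol."""
    return PORT_MAP.get(dst_port, "unknown")


def by_signature(dst_port, payload):
    """In-depth analysis: look at the first payload bytes, ignore the port."""
    # SSH identification string sent first by each side.
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # TLS record header: type 0x16 (handshake), major version 0x03,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 \
            and payload[5] == 0x01:
        return "tls"
    # HTTP/1.x request line: METHOD SP target SP HTTP/1.x
    first = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(first) == 3 and first[0] in HTTP_METHODS \
            and first[2].startswith(b"HTTP/1."):
        return "http"
    return "unknown"


def disagreements(samples=SAMPLES):
    """Return (port, port_guess, signature_guess) where the two differ."""
    out = []
    for port, payload in samples:
        guess_port, guess_sig = by_port(port, payload), by_signature(port, payload)
        if guess_port != guess_sig:
            out.append((port, guess_port, guess_sig))
    return out
```

Three of the four sample flows are mislabelled or left unlabelled by the port lookup, and each signature check costs extra byte comparisons per flow, which is the throughput trade-off discussed in this section.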

In summary, it is indisputable that protocol analysis is vital to network supervision. It is also undeniable that the reliability of current solutions is hampered by the explosion in flows and the increasing complexity of networks.

NANO Corp: next-generation solutions for monitoring your networks

With revolutionary protocol analysis technology, NANO Corp solutions complement and enhance the current tools in place on your systems.
