Understanding How Network Traffic Flows Using Modeling and Advanced Analytics

Ensuring that your network is available day-in and day-out to support revenue-generating services is no easy task. Add in continuous uptime for critical internal processes, maintaining security policies, keeping risks in check and you’ve got a real challenge.

These challenges are only compounded by today’s enterprise network environment:

  • Enterprise networks contain multiple device types and heterogeneous vendors which need to be managed and understood, requiring a large staff with broad expertise.
  • Daily, sometimes hourly, network changes expose your organization to new unknown risks and security policy violations.
  • Without visibility into your network topology and configuration, decisions about network changes are tougher, take longer and are more likely to introduce errors.

When not managed properly these challenges translate to operational headaches for network administrators including:

  • “Testing” changes on the live network
  • Causing downtime to critical business services
  • Extensive time required to troubleshoot connectivity issues
  • New network security exposures being left open to attackers

The simple truth is that today’s enterprise networks are too complex to manage manually. An automated network path analysis solution is the practical way to maintain uptime and keep your network secure.

Network path analysis is an algorithmic approach that leverages network modeling and off-line simulation to understand how traffic flows in a network. Using network modeling and simulation, Skybox’s patented Access Analyzer considers all network devices such as routers, switches, load balancers, firewalls and IPS, and the way they interact with each other in a complex network topology.

Access Analyzer calculates and visualizes end-to-end paths from any source to any destination. For each device on the path it shows the specific access rule that allows or denies the traffic, and it takes ACLs, routing rules, NAT, proxies, VPNs and more into account together, so the access analysis reflects how those mechanisms actually combine rather than any one of them in isolation.

This powerful capability is used frequently by our customers to help identify problems, troubleshoot issues, and confirm access. Furthermore, this analytic approach is a foundation for many security tasks, including identifying potential attack paths, ensuring proper network zoning, and calculating risk imposed by vulnerabilities.

When considering an automated network path analysis solution, evaluate these essential capabilities:

1. Accuracy – to analyze complex, heterogeneous networks

2. Performance – to quickly query multiple paths and scale to any size network

3. Actionable intelligence – to ensure that network and security operations teams can act on the data quickly

Accuracy

Accuracy is the most important aspect of any security application. Working with inaccurate or incomplete information has led many security teams to waste time patching and remediating problems that don’t exist.

The bigger issue is that network blind spots compound the risk because the network and security teams are unaware of them. Insufficient device support is a major hurdle for most organizations. If you can’t see the device, you can’t calculate the risks.

Skybox currently supports more than 80 device types and we add more every six weeks. All of the applicable devices supported by Skybox are included in the Access Analyzer calculation, including routers, switches, firewalls, and even IPSs. Skybox customers don’t waste time trying to understand which devices are fully supported and which are not, a gap that would otherwise limit visibility of the attack surface.

Performance

Analyzing large enterprise networks with speed and accuracy can be the Achilles’ heel. As a network grows in size, the number of routing and ruleset combinations to evaluate grows combinatorially. Point-to-point access checks, or ping and traceroute, simply don’t provide the speed or the scale required for today’s enterprise networks.

Access Analyzer allows calculations between multiple sources and destinations – analysis is not limited to single IP/service pairings or managed networks. As shown in the image below, Access Analyzer allows for broad queries such as, “show me where I can access my network from the internet and how”.

Actionable Intelligence

Ping and traceroute are the go-to tools for most network engineers asked to check access between two points on a network. These tools have several weaknesses:

  • They need to be run from the source machine
  • If a device along the path blocks the probes, or is misconfigured and does not reply, you may receive no return data beyond that point, so you learn where the trace stopped but not why
  • You don’t receive any actionable information about the devices or ACLs traversed

Access Analyzer takes a different approach: it works from a model of the network and simulates the query against that model. Because the live network is not queried, access to the source machine is not required, and the same query can be asked from any vantage point in the model.

Access Analyzer provides information for both successful and blocked routes. For each access query, Access Analyzer provides the ACLs and routing rules for each device along the path, as well as information about the device, regardless of whether the destination can be reached. All of this is shown in the screenshot above.
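To make the modeling-and-simulation idea concrete, the following is an added illustration, not Skybox code and not a description of how Access Analyzer is implemented. It builds a small constructed model (device names, prefixes, addresses and rule names are all assumptions chosen for the example) in which each device has a routing table and an ordered ACL with an implicit deny, then walks a flow hop by hop the way an offline path analysis would: longest-prefix match to pick the next hop, first-match evaluation of the ACL, and a per-hop record of the rule that fired, so a blocked path still reports where and why it stopped. A second function answers the broader “what can the internet reach?” style of query by running the same trace over many destination/port pairs.

```python
"""Offline path analysis over a constructed network model (illustrative example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str            # "permit" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # None means any destination port

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


# Every ACL ends with an implicit deny, as on real routers and firewalls.
IMPLICIT_DENY = Rule("implicit-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", None)


@dataclass
class Device:
    name: str
    routes: Dict[str, str]   # prefix -> next-hop device name, or "direct"
    acl: List[Rule]          # evaluated top-down, first match wins

    def first_match(self, src: str, dst: str, dport: int) -> Rule:
        for rule in self.acl:
            if rule.matches(src, dst, dport):
                return rule
        return IMPLICIT_DENY

    def next_hop(self, dst: str) -> Optional[str]:
        # Longest-prefix match over the routing table.
        addr, best = ip_address(dst), None
        for prefix, hop in self.routes.items():
            net = ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best[1] if best else None


@dataclass
class Hop:
    device: str
    rule: str
    action: str
    next_hop: Optional[str]


def trace(model: Dict[str, Device], start: str, src: str, dst: str,
          dport: int, max_hops: int = 16) -> Tuple[List[Hop], str]:
    """Simulate one flow through the model; returns (hops, verdict).

    The hop list is complete even when the verdict is "blocked" or "no-route",
    which is the information ping/traceroute cannot give you."""
    hops: List[Hop] = []
    visited, current = set(), start
    while len(hops) < max_hops:
        dev = model[current]
        visited.add(current)
        rule = dev.first_match(src, dst, dport)
        hop = dev.next_hop(dst)
        hops.append(Hop(dev.name, rule.name, rule.action, hop))
        if rule.action == "deny":
            return hops, "blocked"
        if hop is None:
            return hops, "no-route"
        if hop == "direct":
            return hops, "reachable"
        if hop in visited:
            return hops, "routing-loop"
        current = hop
    return hops, "hop-limit"


def exposed_services(model, start, src, targets):
    """Broad query: which (dst, port) pairs can `src` reach from `start`?"""
    return [(dst, port) for dst, port in targets
            if trace(model, start, src, dst, port)[1] == "reachable"]


def build_model() -> Dict[str, Device]:
    # Constructed topology: internet -> edge-router -> fw-dmz -> core-switch -> servers.
    permit_any = [Rule("permit-any", "permit", "0.0.0.0/0", "0.0.0.0/0", None)]
    return {
        "edge-router": Device("edge-router", {"10.10.0.0/16": "fw-dmz"}, permit_any),
        "fw-dmz": Device("fw-dmz", {"10.10.0.0/16": "core-switch"}, [
            Rule("web-in", "permit", "0.0.0.0/0", "10.10.20.0/24", 443),
            Rule("mgmt-from-corp", "permit", "10.10.30.0/24", "10.10.20.0/24", 22),
        ]),
        "core-switch": Device("core-switch",
                              {"10.10.20.0/24": "direct", "10.10.30.0/24": "direct"},
                              permit_any),
    }


if __name__ == "__main__":
    model = build_model()
    for dst, port in [("10.10.20.15", 443), ("10.10.20.15", 22)]:
        hops, verdict = trace(model, "edge-router", "203.0.113.5", dst, port)
        print(f"203.0.113.5 -> {dst}:{port}: {verdict}")
        for h in hops:
            print(f"  {h.device:12} {h.action:7} {h.rule:16} next={h.next_hop}")
```

Run stand-alone, the 443 query walks all three devices and ends “reachable”, while the port 22 query stops at fw-dmz with the implicit deny named as the blocking rule. A real model would add NAT, VPN and proxy transformations at the relevant hops and would be populated from parsed device configurations rather than hand-built; the hop-by-hop record is what turns a yes/no reachability answer into something a firewall or network operator can act on.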

Access Analyzer is a powerful security and network operations tool to identify risky access paths, troubleshoot availability issues, plan changes, and confirm network connectivity. This short whiteboard below provides more details about how Access Analyzer works. To see Access Analyzer in action, download the Skybox 30-day trial.