In today's society, a company may depend upon its network to be fully functionally in order to conduct business. To ensure the vitality of the company, the network may have to be protected from external attacks (such as virus attacks, malware attacks, etc.). Accordingly, the network may be monitored to ensure reliable operation, fault detection, timely mitigation of potentially malicious activities and the like. One method for monitoring the network includes the installation of an inline network tap and one or more monitoring systems (such as intrusion prevention systems, intrusion detection systems, firewalls, packet sniffers, and the like).
To facilitate discussion, FIG. 1A shows a simple block diagram of a network environment. Consider the situation wherein, for example, data traffic is flowing through a network arrangement 100. In an example, data traffic is flowing between a network device 102 and a network device 104. To monitor the data traffic flowing through the network, an inline network tap 106 may be employed.
To ensure accessibility, a company may have parallel lines running to its network. In other words, the company may have two independent network arrangements (network arrangement 100 and a network arrangement 130). Thus, if network arrangement 100 is unavailable (e.g., network arrangement may not be responding due to traffic congestion and/or being offline, for example), data traffic may be routed through network arrangement 130 instead.
To provide a secured network environment, each network arrangement may be coupled to monitor/security systems, such as intrusion prevention systems (IPSs) 108 and 138, for example. Accordingly, data traffic may be routed through one of the IPSs before being routed to its destination. In an example, data traffic flowing through network arrangement 100 may flow from network device 102 through port 110 out of port 112 to IPS 108 before flowing back through port 114 and out of port 116 before flowing to network device 104.
The cost of establishing and maintaining two independent network arrangements can become quite expensive. A typical secured network arrangement can cost at least a few hundred thousands dollars (the cost of a monitoring system may range from about 100 thousands to 500 thousands dollar per unit). However, many companies are willing to accept this cost in order to be accessible while being protected from malicious attacks.
Although the two independent network arrangements (100 and 130) provide for a redundant secured network environment if a data path is unavailable, two independent network arrangements may not always guarantee that the data traffic flowing through either network arrangement 100 or network arrangement 130 is secured. In the aforementioned example, data traffic flowing through network arrangement 100 is flowing through IPS 108. However, if IPS 108 is not functioning properly, network arrangement 100 is still available to direct traffic from network device 102 to network device 104. In other words, data traffic is flowing through network arrangement 100 and has not been diverted to network arrangement 130 since network arrangement 100 is still available (e.g., no traffic congestion). Unfortunately, the data traffic that is flowing through network arrangement 100 is unprotected and may be exposed to external attacks.
For some companies, the cost of being unprotected can be financially detrimental. As a result, a secondary secured arrangement may be employed to ensure that a company's network continues to be available as a secured environment. In other words, instead of a single inline network tap arrangement, the primary inline network tap arrangement is coupled to a secondary inline network tap arrangement. To facilitate discussion, FIG. 1B shows a simple block diagram of a highly available secured network environment 150.
In an example, a secondary inline network tap 176 is physically connected to a primary inline network tap 156. Thus, when data traffic from a network device 152 is received by inline network tap 156, the data traffic is routed through secondary inline network tap 176 before being routed onward to network device 154. For example, data traffic flows through a port 160 through a port 162 to an IPS 158 back through a port 164 and out of a port 166. However, unlike the non-redundant network environment, the data traffic is then routed through the secondary inline network arrangement (through port 180 and out of port 186) before being routed onward to network device 154.
Although an IPS 178 is connected to secondary inline network tap 176, IPS 178 usually remains passive if IPS 158 is functioning properly. However, if IPS 158 fails to be working properly, the secondary inline network arrangement with IPS 178 is available for maintaining the secured environment. In an example, a diagnostic test (such as a single heartbeat diagnostic test) may be performed in which a unique data packet (also known as a heartbeat packet) may be inserted into the data traffic when the data traffic flow from port 162 to IPS 158. If a predefined number of heartbeat packets fails to return to inline network tap 156, a problem is deemed to exist with IPS 158. In order to maintain the secured environment, the network environment may be moved into a secondary mode in which IPS 178 is now providing the protection for the company's network. In an example, data traffic flowing from network device 152 may first be received by inline network tap 156 (via port 160). However, since the network environment is in a secondary mode, the data traffic is then routed out of network tap 156 (via port 166) to secondary inline network tap 176 (via port 180). From there, the data traffic is routed to IPS 178 via a port 182. Data traffic is then routed back to secondary inline network tap 176 via a port 184 before routing the data traffic onward to network device 154 via port 186.
Unfortunately, the switch between a normal mode to a secondary mode does not usually provides a continual secured environment. In an example, if IPS 158 is considered to be in a failed state, a notification may be sent to an operator and the data traffic may then be routed through a different path that does not include IPS 158. For example, data traffic may flow from port 160 out through port 166 to port 180 and out through port 186. The data traffic does not automatically flow through IPS 178 without a signal first being sent to activate IPS 178. In other words, until the signal is received to activate IPS 178, the data traffic that is flowing through the network is unsecured.
The unsecured environment may exist from a few seconds up to a few hours depending upon the time required to activate IPS 178. In an example, if IPS 178 is being activated via a signal (through an algorithm, for example), the network environment may only be unsecured for a few seconds. However, if the IPS 178 is required to be manually activated, the network environment may remain unsecured until a person is able to manually activate IPS 178.
Regardless, during the time the network is unsecured, sensitive data is unprotected and may be exposed to external attack and/or unauthorized access. Thus, even though a company may spend hundreds of thousands of dollars to millions of dollars (the cost of a monitoring/security system may range from about 100 thousands to 500 thousands dollars per unit) to create and maintain a secure network, the company's network environment may not always be secured. In addition, if by chance both IPSs fail to function properly, the network is essentially unsecured and/or unavailable until one or both IPSs can be repaired and/or replaced.