bloxHub

www.infoblox.com/community
Encryption in the enterprise

A lot of enterprises are now enabling flow data collection (netflow, IPFIX).  Do you see the encryption of data and the use of port 80/443 for tunneling between systems as limiting flow data utility in the next few years?

So far, I've not seen a lot of NBAR use, which might enable identification of application flows on port 80.  Encryption makes NBAR useless.  A CMDB that contains info about the servers hosting a given application could potentially be used to identify encrypted flows (there's some risk of mis-identification there, but it may be somewhat better than having no visibility at all).

What I would like to see (if I were running a network) is some visibility into where apps are running on the network and the infrastructure over which they are running.  The goal is to be able to answer questions like "I need to do maintenance on core switch X; which business apps/services will that impact?" or "We need to move server Y; what other systems depend on it (i.e. use/access it)?"

Comments, please! 

  -Terry

Tags: Automation Change Manager
Re: Encryption in the enterprise

Provided connectivity between systems is using the correct recognized ports, having the data encrypted isn't really going to affect Netflow/IPFIX all that much.  However, if vendor X decides to tunnel or encrypt all traffic over http, then yes, Netflow/IPFIX reporting will be diminished.  We'll still see and report the communication between systems, but we won't be able to trust that the traffic being reported as http is really http.

In a perfect world our users would contact us and let us know what systems they are deploying, what protocols it will use and who it will communicate with.  The reality is we're kept in the dark as to what applications are being deployed, that is until we make a network change that breaks that application.

Re: Encryption in the enterprise

I agree that the value of flow data is diminished if applications use tunneling.  There seem to be three pieces of useful data:

1) Which devices are communicating

2) What application it is

3) How much data is moving

From this data, one would hope to be able to identify the business process being supported and know when that business process was impacted (either negatively or positively).  With tunneling/encryption, we would not be able to identify #2 without outside assistance.  This is probably where a CMDB enters the picture.  If you know the association of systems with each other and a reasonable amount of data is moving, then it is probably interesting enough to find out what the application and business process is and enter that into a CMDB so you can track it.

My thought is that automating the collection of as much data as possible helps reduce your workload and makes you aware of new applications that are added to the network without consulting you.  Being aware of the application, you can proactively determine what it is so you're not blindsided when something impacts it.

Does this sound reasonable, or do you think there's not much benefit from the data without knowing the application or business process?

Thanks for the feedback!

-Terry

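As an added example (not part of this thread or of any Infoblox product), the Python below shows how a CMDB could tag encrypted/tunneled flows with their application, flag unknown server pairs that move a lot of data as candidate new applications, and answer the "we need to move server Y; what depends on it?" question from the same flow records. All addresses, flow records and CMDB entries are constructed sample data, and the 10 MB "reasonable amount of data" threshold is an assumption.

```python
# Added example, not from the thread: label flow records via a CMDB lookup,
# surface untagged high-volume server pairs, and answer dependency questions.
# Every address, flow record and CMDB entry here is constructed sample data.
from collections import defaultdict

# Constructed CMDB: server IP -> (application, business process)
CMDB = {
    "10.1.1.10": ("payroll-web", "Payroll"),
    "10.1.1.20": ("payroll-db", "Payroll"),
    "10.2.2.30": ("crm-api", "Sales CRM"),
}

# Constructed NetFlow/IPFIX-style records: (src, dst, dst_port, bytes)
FLOWS = [
    ("10.1.1.10", "10.1.1.20", 443, 8_000_000),   # payroll web -> db over TLS
    ("10.5.5.5",  "10.1.1.10", 443, 120_000),     # client -> payroll web
    ("10.7.7.7",  "10.9.9.9",  443, 40_000_000),  # unknown pair, lots of data
    ("10.7.7.7",  "10.9.9.8",  80,  2_000),       # unknown pair, trivial volume
]

NEW_APP_BYTES = 10_000_000  # assumed threshold for "a reasonable amount of data"

def label_flow(flow):
    """Return (application, process) for a flow from its server-side endpoint.
    Port 80/443 says nothing about the app once traffic is tunneled or
    encrypted, so the CMDB entry for either endpoint is the source of truth."""
    src, dst, _port, _nbytes = flow
    return CMDB.get(dst) or CMDB.get(src) or ("unknown", "unknown")

def new_app_candidates(flows, threshold=NEW_APP_BYTES):
    """Server pairs absent from the CMDB that moved more than `threshold`
    bytes: the flows worth investigating and entering into the CMDB."""
    total = defaultdict(int)
    for flow in flows:
        src, dst, _port, nbytes = flow
        if label_flow(flow)[0] == "unknown":
            total[(src, dst)] += nbytes
    return sorted(pair for pair, b in total.items() if b > threshold)

def impacted_by(server_ip, flows):
    """Answer 'we need to move server Y; what depends on it?' with the
    sorted set of (peer, application, process) tuples that talk to it."""
    deps = set()
    for flow in flows:
        src, dst, _port, _nbytes = flow
        if server_ip in (src, dst):
            peer = dst if src == server_ip else src
            app, proc = label_flow(flow)
            deps.add((peer, app, proc))
    return sorted(deps)
```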
Re: Encryption in the enterprise

I think you make a reasonable argument for some type of CMDB.  But an even bigger issue with tunneled/encrypted data and getting valid Netflow statistics is when QoS is thrown into the mix.

To adequately provide differentiated services you would have to know what your application and business processes are.
