FEBRUARY 2021
TRAFFIC INTELLIGENCE
WWW.ENEA.COM
QOSMOS LIBDEVICE 2.0: A NEW WAY TO BRING DEVICE AWARENESS TO ACCESS NETWORK MANAGEMENT & SECURITY
SOLUTION BRIEF
The number of devices connected to IP networks will be more than three times the global population by 2023.
Many of those connections will pass through enterprise networks as workforce mobility, bring your own device (BYOD) practices, cloud and edge computing, and the Internet of Things (IoT) redefine the boundaries of the digital enterprise.
Managing the volume, variety, and transience of connected devices today requires automation, virtualization, and the distribution of connectivity and computing resources. This in turn requires universal, real-time device visibility.
QOSMOS LIBDEVICE 2.0
100% Agentless & Passive: Safe, high-performance use in all access networks
Best-in-Class Coverage & Accuracy: Granular, accurate identification of 50K+ types of consumer, enterprise, and industrial devices
Embedded Software (SDK+API): Maximum product flexibility and revenue potential
Single-Source Solution: One supplier for traffic and device classification for fast time-to-market and offloaded development and maintenance
The LibDevice 2.0 software module helps vendors achieve global visibility by identifying devices that traditional solutions either can't classify, or can't classify with the level of performance, safety, accuracy or granularity that networking and security solutions require.
Available as an optional module with the Qosmos ixEngine® and Qosmos® Probe, LibDevice 2.0 is an agentless, passive solution that delivers precise, detailed profiles of 50K+ types of consumer, enterprise, and industrial devices. LibDevice 2.0 combines breadth of coverage, embedded deployment, and non-intrusive technology, making it the ideal tool for boosting the device recognition capabilities of existing products, or for creating entirely new device-aware products, quickly, easily and profitably.
To better understand the solution and how it can benefit your products, we will first look at the challenges of current device classification methodologies, then help you determine whether a passive, agentless method is right for your product, and finally explain how LibDevice 2.0 works.
DEVICE CLASSIFICATION METHODS
Agent & 802.1X: Install software agents and certificates on devices
Agentless & Active: Ping, poll, scan or query infrastructure and/or connected devices
Agentless & Passive (Qosmos LibDevice 2.0): Use device fingerprints extracted from traffic flows to classify devices
VISIBILITY GAPS WITH AGENT & 802.1X METHODS
In traditional, fully managed environments, the conventional method of classifying endpoints connecting to LANs and WLANs has been to install software agents on devices, or to use hardware tokens, digital certificates or login credentials within an 802.1X device authentication system. Today, these methods alone are insufficient.
New Visibility Gaps
The new network is hybrid, composed of on-premise, edge and cloud resources connecting a wide variety of personal, guest and corporate IT, OT and IoT devices. In this context, conventional classification methods can be impractical, insecure or simply impossible. This leaves significant visibility gaps in device awareness.
Longstanding Gaps
In fact, visibility gaps have always been a problem with conventional methods because agents, tokens and certificates can be missing, misconfigured or outdated, or login credentials and authentication protocols can be compromised. One way to fill these gaps is to use either agentless active or passive methods.
[Chart: "What level of risk do you feel is posed by a lack of visibility into the devices on your network?" Response categories: Very High, High, Medium, Low, Very Low, Unknown/Unsure. Percentages shown on the chart (not paired with categories here): 7.3%, 29.8%, 43.9%, 2.0%, 2.0%, 15.1%. Source: 2020 SANS Network Visibility & Threat Detection Survey]
WEAKNESSES OF AGENTLESS ACTIVE METHODOLOGIES
Agentless active methodologies used in combination with other classification methods can yield detailed and accurate device profiles.
However, they can be resource-intensive and impact performance. They can also trigger false alarms in threat detection and response systems. This is why many endpoint solution vendors now block polling, port-scanning and similar network requests. Other active methods require access credentials for numerous security and management solutions in order to function. These too are restricted or prohibited in many networks, especially in critical networks and hybrid IT/IoT/OT networks.
In these scenarios, a 100% passive, agentless method is needed.
Agentless active methodologies include:
Polling network infrastructure (e.g., switches and controllers) using Nmap and other network scanning tools.
Querying third-party resources like directory services, endpoint security agents or databases for device information.
Inspecting end devices directly using SSH, Nmap scans, SNMP queries, or remote procedure protocols like MS-RPC and MS-SMB.
THE VALUE OF PASSIVE, AGENTLESS CLASSIFICATION
Correlating multi-layer, L2 to L7 fingerprints boosts profile granularity and accuracy, which enables more effective security and traffic management policies, and improved threat detection and incident analysis. Example classification paths:
Phone, Tablet or Wearable > Phone > Apple iPhone > iPhone 7 > Apple iOS > iOS 14
Laptop > Lenovo > Thinkpad > Thinkpad T41 > Windows XP > SMB v1
Gaming Console > Nintendo Gaming Console > Nintendo Switch
Industrial Automation > Siemens Industrial Automation > Siemens Climatix Controller > Siemens POL908
Audio, Imaging or Video Equipment > Camera > Surveillance Camera > ABUS IP Camera > ABUS TVIP61560
Passive, agentless device classification uses access network traffic as a source of intelligence about devices. It passively monitors packet flows via SPANs or TAPs and, with or without decryption and deep packet inspection, extracts and computes the device metadata (fingerprints) needed to build device profiles. It then compares the device profiles against known fingerprints for accurate identification.
This makes the passive method a good choice for closing the device visibility gaps in agent-based systems, and for networks in which active agentless methods are undesirable or prohibited.
All Passive Methods Are Not Equal
Most passive, agentless solutions use data from only a limited number of layers in the network stack. This inevitably makes classifications more general (i.e., less granular) and lowers confidence scores.
But if one correlates multiple, diverse device fingerprints across the full L2 to L7 stack, accuracy and granularity improve dramatically. This is the methodology used by LibDevice 2.0.
IS THE PASSIVE, AGENTLESS METHOD RIGHT FOR YOU?
A Complementary or Primary Role in Access Networks
If your product currently uses agents or 802.1X methods or data, and your goal is to close device visibility gaps, then both passive and active agentless classification can be effective complements.
However, if 1) active methods are forbidden, or 2) you need maximum performance, or 3) security concerns are paramount, as in critical networks or hybrid IT/OT environments, then a 100% passive, agentless method is the best complement.
If your product does not currently use agents or 802.1X methods or data, and your goal is simply to create new device-aware policies or enhance analytics, then a 100% passive, agentless approach is likely all your product needs.
No Role or a Complementary Role in Cloud & WAN Environments
If you must have precise device identification outside of access networks (for example, in direct-to-cloud connections), you should keep agent-based and/or active classification techniques in your toolbox. However, an agentless, passive tool still plays a vital role in solutions that integrate data across hybrid environments.
For example, if you are a provider of cloud-based networking and security products, or a provider of SIEM or SOAR platforms, you can ingest passive device classification generated in access networks, and correlate it with device data gathered through other methods in order to reduce visibility gaps and improve analytics and policy development.
Agentless methods fill critical device visibility gaps, with product requirements and network characteristics determining whether passive and active methods should be used alone or together.
Use with Qosmos ixEngine to enhance:
Next Generation Firewalls
SD-WAN Solutions
Data Loss Prevention Products
LAN/WLAN/EDGE Routers & Switches
Identity and Access Management Products
Endpoint Management & Security Solutions
Threat Detection and Response Solutions
QOSMOS IXENGINE
THE LIBDEVICE 2.0 SOFTWARE MODULE: 100% PASSIVE, AGENTLESS, L2-L7 DEVICE FINGERPRINTING
[Diagram: Network flow (physical, virtual, cloud, mobile, enterprise) -> copies of raw packets -> physical or virtual appliances running Qosmos ixEngine with LibDevice 2.0 -> policy enforcement and analytics]
Use with Qosmos Probe to enhance:
Network Traffic Analysis
User and Entity Behavior Analytics
Intrusion Detection
Security Information Event Management Systems
Security Orchestration, Automation and Response Platforms
Endpoint Threat Detection
QOSMOS PROBE
THE LIBDEVICE 2.0 SOFTWARE MODULE: 100% PASSIVE, AGENTLESS, L2-L7 DEVICE FINGERPRINTING
[Diagram: Network flow (physical, virtual, cloud, mobile, enterprise) -> copies of raw packets -> Qosmos SW Probes (sensors) built on Qosmos ixEngine with LibDevice 2.0 -> cybersecurity analytics & SecOps, cybersecurity applications, policy enforcement]
THE LIBDEVICE 2.0 SOFTWARE MODULE: HOW IT WORKS
The LibDevice 2.0 module is an optional software library (SDK) available with the Qosmos ixEngine® or Qosmos® Probe. Qosmos ixEngine extracts device metadata (a.k.a. fingerprints) from network traffic flows and provides this data to the LibDevice module for device identification. If the device matches the profile of a known device stored in the local LibDevice look-up table, the device classification is shared with the relevant networking or cybersecurity solution.
If the device is new or unknown, the data is sent via a REST API to a cloud fingerprint repository for identification. The device classification (along with a confidence score for the identification) is returned via the API. This classification data is then provided to the appropriate networking or security solution, and added to the local device look-up table.
[Flow diagram: Device key (e.g., MAC) and metadata extracted from network -> Local device look-up table -> Device found? Yes: device profile sent to network or security solution. No: query classification database via REST API -> Device resolved? Yes: device profile sent to network or security solution and added to the local look-up table.]
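The look-up flow above and the multi-layer correlation argument from the passive-classification section, as an added illustration that is not Qosmos code or its API: the taxonomy paths are the brief's own examples, while the fingerprint field names (l2_oui, l3_dhcp_opts, l4_smb_dialect, l7_ua), their values and the in-memory repository standing in for the cloud classification database are constructed. It also shows why a single-layer fingerprint yields a more general class and a lower confidence score than a full L2-L7 correlation.

```python
# Stand-in for the cloud fingerprint repository: fields observed per layer -> taxonomy path.
# Taxonomy paths are the brief's examples; fingerprint field names and values are constructed.
REPOSITORY = [
    ({"l2_oui": "Apple", "l3_dhcp_opts": "1,121,3,6,15,119,252", "l7_ua": "iPhone OS 14"},
     "Phone, Tablet or Wearable > Phone > Apple iPhone > iPhone 7 > Apple iOS > iOS 14"),
    ({"l2_oui": "Apple", "l3_dhcp_opts": "1,121,3,6,15,119,252", "l7_ua": "iPad OS 14"},
     "Phone, Tablet or Wearable > Tablet > Apple iPad > Apple iOS > iOS 14"),
    ({"l2_oui": "Lenovo", "l4_smb_dialect": "NT LM 0.12", "l7_ua": "Windows NT 5.1"},
     "Laptop > Lenovo > Thinkpad > Thinkpad T41 > Windows XP > SMB v1"),
]

def common_prefix(paths):
    """Most specific taxonomy node shared by all candidate paths."""
    prefix = []
    for level in zip(*(p.split(" > ") for p in paths)):
        if len(set(level)) != 1:
            break
        prefix.append(level[0])
    return " > ".join(prefix) or "Unknown"

def resolve(fingerprint):
    """Score profiles by the share of their layers matched; a contradicting field rules a
    profile out. Ties collapse to the common prefix: fewer layers -> coarser class, lower score."""
    best, best_score = [], 0.0
    for profile, path in REPOSITORY:
        if any(k in fingerprint and fingerprint[k] != v for k, v in profile.items()):
            continue
        score = sum(fingerprint.get(k) == v for k, v in profile.items()) / len(profile)
        if score > best_score:
            best, best_score = [path], score
        elif score == best_score and score > 0:
            best.append(path)
    if not best:
        return "Unknown", 0.0
    return common_prefix(best), round(best_score / len(best), 2)

class DeviceClassifier:
    """Local look-up table keyed by device key (e.g. MAC), with remote fallback and caching."""
    def __init__(self):
        self.local_table = {}    # device key -> (taxonomy path, confidence)
        self.remote_lookups = 0  # times the "Device Found? -> No" branch was taken

    def classify(self, device_key, fingerprint):
        if device_key in self.local_table:         # Device Found? -> Yes
            return self.local_table[device_key] + ("local",)
        self.remote_lookups += 1                   # No: query the repository (REST API in the product)
        path, confidence = resolve(fingerprint)
        if confidence > 0:                         # Device Resolved? -> Yes: add to local table
            self.local_table[device_key] = (path, confidence)
        return path, confidence, "remote"
```

With only the L2 OUI observed, the two Apple profiles tie and the result degrades to "Phone, Tablet or Wearable" at low confidence; adding the DHCP and HTTP layers resolves the exact iPhone model at full confidence.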
Networking and cybersecurity solutions use this device classification data to:
Aid network discovery and planning
Improve real-time orchestration of network services
Gain insights into anomalous device behavior
Improve detection of advanced persistent threats
Aid in the development of device-based rules for policy enforcement engines
Deliver essential contextual data for threat analytics and forensics
Facilitate network segmentation and zero-trust controls
Ensure compliance with internal guidelines and external regulations
ACQUIRING THE QOSMOS LIBDEVICE 2.0 MODULE
If you already embed the Qosmos ixEngine or Qosmos Probe in your solution, adding the LibDevice 2.0 module provides a fast and easy way to enhance or extend your offer with state-of-the-art device classification.
Integrating the Qosmos ixEngine or Qosmos Probe with LibDevice 2.0 into your solution will help you enrich and extend your portfolio with high-value context about devices, applications, services, users, data and behaviors.
BENEFITS
100% passive & agentless
Fast time to market
Easy, outsourced management & maintenance
High performance
Comprehensive, accurate, granular results
To learn more, download the LibDevice 2.0 datasheet, or contact us to request a product demo
Enea is the world-leading supplier of innovative software components for telecommunications, networking and cybersecurity. Focus areas are cloud-native, 5G-ready products for mobile core, network virtualization, and traffic intelligence. More than 3 billion people rely on Enea technologies in their daily lives. Enea is listed on Nasdaq Stockholm. For more information: www.enea.com
Enea’s embedded traffic intelligence products classify traffic in real-time and provide granular information about network activities. The portfolio includes the Enea Qosmos ixEngine and the Enea Qosmos Probe. The products support a wide range of protocols and are delivered as software development kits or standalone network sensors to network equipment manufacturers, telecom suppliers, and vendors of cybersecurity software.