Every day, networks are hammered with many types of threats from a variety of sources. To make matters worse, these threats often use sophisticated techniques to evade detection by traditional security methods. The proliferation of IoT devices increases these risks, as most IoT devices use non-standard protocols and non-standard stacks and have limited or no support for supplicants.
Cisco is always ahead of the curve when it comes to providing defensive mechanisms and security tools well before the competition. One such mechanism, Cisco Digital Network Architecture (DNA), offers scalability, resiliency and ease of operations, all while strengthening your network security.
Accuracy and speed of detection are key to detecting and mitigating attacks. So it's essential to analyze every packet flowing through the network, whether it's east-west traffic or north-south traffic. The larger the data set, the more accurate the attack prediction and the quicker the attacker is detected. This also means fewer false positives.
Recently, the independent testing lab Miercom pitted Cisco against HPE/Aruba in a test to see who had the best level of visibility to provide stronger security. Spoiler alert: it was Cisco!
Cisco NetFlow is a powerful technology that gives you visibility into your entire network activity, from the wired switches to the wireless controller to your access points. The Cisco Unified Access Data Plane (UADP) ASIC is designed to handle large-scale packet analysis without compromising switching performance.
Unlike Cisco, HPE-Aruba relies on sampled flow (sFlow) information to identify threats in the network. But sFlow's flaw is in its name: the packet flows are sampled out of a large data set. What does this mean? It means there's a huge probability that attacks or anomalies in the network can easily go undetected, because sFlow did not analyze the entire packet set.
At its highest resolution, sFlow can monitor only 1 out of 50 packets! And that's the good end of the range: the sampling rate can be anywhere from 1 in 50 packets to 1 in 16,441,700 packets. So 49 out of every 50 packets are forwarded over the network without being examined! As an attacker, I have a great chance of injecting malware or anomalies into those unscanned packets and going undetected by the system.
What does this mean for the network administrator? The lack of accuracy ultimately leads to blurred analysis and false alarms. How do you know if you're under attack when there are various traffic patterns on the network? Some of these traffic patterns are volumetric; others are short and come in bursts. Miercom ran a number of traffic sets on the wire and compared Cisco with Full NetFlow against Aruba's sFlow implementation.
It wasn’t good – for Aruba.
Cisco achieved 100% accuracy as opposed to HPE-Aruba's 2% accuracy (at its most aggressive configuration). Furthermore, Cisco precisely identified the attack signatures, the source of the attacks and the attackers. HPE-Aruba did not support sFlow on its wireless offering. So, with HPE-Aruba's solution, it's always hit or miss, and the result often depends on traffic type and volume.
As you know, traffic type and volume are two variables that a network administrator can never count on as being consistent.
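To make the dependence on traffic type and volume concrete, here is an added example (not from the Miercom report or either vendor) that estimates which flows a collector ever sees under 1-in-N packet sampling. It assumes each packet is sampled independently with probability 1/N, and the flow names and sizes are constructed for illustration.

```python
import random

def p_flow_seen(packets: int, n: int) -> float:
    """Probability that 1-in-n sampling exports at least one packet of a flow."""
    return 1.0 - (1.0 - 1.0 / n) ** packets

def flows_seen(flows: dict, n: int, seed: int = 7) -> set:
    """Simulate the sampler: each packet is picked independently with
    probability 1/n (modelling assumption). Returns the ids of flows the
    collector receives at least one sample from."""
    rng = random.Random(seed)
    return {fid for fid, pkts in flows.items()
            if any(rng.random() < 1.0 / n for _ in range(pkts))}

def build_mix() -> dict:
    """Constructed traffic: 1000 short 3-packet bursts, 10 volumetric flows."""
    flows = {f"burst-{i}": 3 for i in range(1000)}
    flows.update({f"bulk-{i}": 5000 for i in range(10)})
    return flows

def coverage(flows: dict, n: int) -> dict:
    """Fraction of burst and bulk flows visible at sampling rate 1-in-n."""
    seen = flows_seen(flows, n)
    out = {}
    for kind in ("burst", "bulk"):
        ids = [f for f in flows if f.startswith(kind)]
        out[kind] = sum(f in seen for f in ids) / len(ids)
    return out

if __name__ == "__main__":
    mix = build_mix()
    # n=1 is unsampled (every packet analyzed); 50 is the page's best-case rate.
    for n in (1, 50, 1000):
        print(f"1-in-{n}: {coverage(mix, n)}  "
              f"P(3-packet flow seen)={p_flow_seen(3, n):.4f}")
```

Under this model the volumetric flows are visible at either rate, while only a small fraction of the 3-packet bursts ever reaches the collector at 1-in-50, which is where sampled and unsampled telemetry diverge.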
Once the threat is identified, Cisco can employ mitigation techniques such as quarantining either the attacker or the infected user device, using sophisticated techniques like CoA (Change of Authorization) with Scalable Group Tags.
Miercom also evaluated Cisco's Network as a Sensor (NaaS) and Network as an Enforcer (NaaE) solution against HPE-Aruba's crippled security offering. The report proved that Cisco is much more reliable, accurate and dependable when it comes to network security.
Bottom line: Cisco's heavy investment in custom silicon ASICs delivers peak performance with granular traffic analysis, without impacting switching and forwarding performance. Network as a Sensor and Network as an Enforcer offer a complete solution to identify threats and anomalies and take immediate action to secure the entire network infrastructure.
Download the complete Miercom report here.