Multiple SIEM Dilemma – UDP Forwarding
By Mike Patterson, Founder and CEO, Plixer
In large enterprise environments, the security teams are often completely autonomous from the network team. They purchase separate tools to do their jobs and they keep the data separate as well. This results in an unwillingness to share resources such as access to the SIEM for running searches.
The separation of responsibilities can also result in double purchases of exactly the same solution (E.g. SIEM) and sometimes this division can create obstacles. Take for example devices such as routers and switches that send UDP traps, NetFlow or IPFIX. Some of these devices can only send these messages to one or two destinations. When the security and network teams both need the same data to multiple systems within their group, the one or two destinations from the hardware just isn’t enough. When this problem surfaces, both teams turn to UDP Forwarding.
UDP Forwarding is a process where UDP messages are sent from one or more devices to a UDP Forwarder. The UDP Forwarder duplicates the messages and forwards them out to multiple servers by changing the destination IP address. The source IP address however, is not modified. As a result, the device performing the UDP forwarding is completely transparent to the destination.
A UDP Forwarder is sometimes referenced as a UDP Fanout and the biggest benefits gained from them include:
- Reduction in the amount of traffic on the corporate network
- Reduces the CPU load on routers and switches as they only have to send UDP messages to one location
- Lessen the configuration work load. Imagine ~1000 routers that need to send NetFlow, sFlow, IPFIX or syslogs to a second IP address
- Allow both network and security administrators to receive the same log messages while maintaining separate systems.
Perhaps one of the biggest benefits is that they assist companies with regulatory compliance requirements by ensuring that a backup of all system messages and notifications are sent to multiple locations. Security administrators gain peace of mind knowing that they definitely have the data required should an audit become necessary.
When evaluating UDP Forwarding solutions, there are several features to keep in mind. Will the solution:
- Detect when the destination hosts (i.e. UDP Collectors) are offline and stop forwarding traffic to them?
- Provide a way to measure performance of the UDP Forwarder and the volume of individual UDP streams that it is receiving?
- Is the solution easy to configure and does it scale for larger environments (i.e. can it operate at wire speed).
- Provide fault tolerance and redundancy in case of a failure?
UDP Forwarding is not a big multi million dollar industry but, it definitely solves a unique problem in companies where departments need to keep the data they are working with completely hidden from other departments.