As a lot of you probably know, Europe is in the midst of a horse meat scandal at the moment. The main issue is that meat products labelled as beef have been found to contain large quantities of horse meat. So, what can IT possibly learn from this?
One of the first things we can learn is to not trust labels. Most data moving across networks is labelled with specific TCP or UDP port values. The problem is that many applications can now run over many different port numbers. In fact, applications like BitTorrent will figure out which ports are open at a network edge so that they can communicate with other peers. If you see something on your network running over TCP port 80, don’t assume that it is web traffic. It could be anything, and if it is traversing your network edge, be very suspicious. If you don’t already have something in place, consider looking at deep packet inspection technologies, which have a better chance of understanding what is being transported in the network packets.
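To make the "don't trust the label" point concrete, here is an added example (not part of the original post) that compares what a destination port claims against what the first payload bytes look like. The function names, the port-to-label table and the sample flows are assumptions constructed for illustration; the signatures are the well-known opening bytes of each protocol.

```python
# Added example: classify a flow by its first payload bytes, not its port.
# Function names and sample flows are constructed for illustration.

HTTP_STARTS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
               b"OPTIONS ", b"CONNECT ", b"HTTP/1.")
PORT_LABELS = {80: "http", 443: "tls", 22: "ssh"}  # what the port number claims

def identify(payload: bytes) -> str:
    """Return the protocol suggested by the payload's opening bytes."""
    if payload.startswith(HTTP_STARTS):
        return "http"
    # BitTorrent peer handshake: length byte 19, then the protocol string
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    # TLS record header: content type 0x16 (handshake), major version 0x03
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    if payload.startswith(b"SSH-"):
        return "ssh"
    return "unknown"

def audit(flows):
    """Return (dst_port, label, detected) for flows whose payload contradicts the port label."""
    mismatches = []
    for dst_port, payload in flows:
        label = PORT_LABELS.get(dst_port)
        detected = identify(payload)
        if label is not None and detected != label:
            mismatches.append((dst_port, label, detected))
    return mismatches

# Constructed sample flows: (destination port, first bytes sent by the client)
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (80, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 20 + b"B" * 20),
    (80, b"SSH-2.0-OpenSSH_9.6\r\n"),
    (443, b"\x16\x03\x01\x00\x05hello"),
    (80, b"\x8f\x02\xa1\x7c opaque bytes"),
]

if __name__ == "__main__":
    for port, label, detected in audit(SAMPLE_FLOWS):
        print(f"port {port}: labelled {label}, payload looks like {detected}")
```

Encrypted or obfuscated traffic falls into `unknown`, which on port 80 is itself a reason to look closer.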
The second thing that has been exposed by the horse meat scandal is the complex food chains which operate behind the scenes. Meat and other food products now move vast distances between producers and brokers before they finally end up on your plate. The more links in the chain, the greater the risk of contamination. Just like the food industry, the Internet has been transformed in recent years into a complex infrastructure of hosting and data routing services. Gone are the days when you would download or stream content directly from the producer.
Content delivery networks (CDNs) and cloud services have made a huge impact on the way content is stored and distributed. When data is uploaded to these services, it is immediately replicated across the globe so that end users have fast access to local copies. It also gets rid of the single point of failure that exists when content is hosted on a single site.
These methods for hosting and distributing data can cause problems for some network monitoring tools. On many networks a review of flow records or log files will show lots of bandwidth being consumed by CDN services. You can do a simple test to see an example of this. Use a packet capture application like Wireshark to monitor traffic while you access your favorite video hosting site. Do a WHOIS lookup of the IP address of the remote server and you will find that it is associated with a different company from the service you accessed in the first place. The good news is that there are tools out there that can report on both the IP addresses and the websites users are accessing. Look out for features like the ability to capture HTTP headers and DNS query traffic.
As the horse meat scandal is revealing, unknowns can enter the food chain when the proper controls and inspections are lacking. The same applies to your network. Without the proper tools and network visibility in place, unknowns can enter your network. These can then cause a range of problems like excessive bandwidth utilization and issues with network security.