Industry-leading Security Technology
NETSCOUT understands the critical importance of compliance with the laws and regulations governing the collection and use of personal data. Our solutions assure and protect our connected world. The security features of our products are designed to mitigate data risks such as loss, or unauthorized access, destruction, use, modification, or disclosure.
NETSCOUT products allow you to customize a security strategy in several ways, from the operating system and between-system communications to access control of individual modules, role-based data visibility, and packet and data storage configurations.
nGeniusONE servers and Smart Data core platform
In addition to physical security, NETSCOUT provides a variety of methods to customize software usage and viewing rights, as well as what packet data is stored and displayed.
Role-Based Access Control (RBAC)
Administrators can assign privileges and access rights to specific users or groups, and can restrict who may administer the software, view particular modules, perform packet decodes or play back media, and view user identity data where the deployment has chosen to store it.
NETSCOUT supports either local authentication or integration with RADIUS, LDAP, Windows Domain/Active Directory, Cisco ACS/TACACS, and SiteMinder.
Configuration options on both the nGeniusONE server and the Smart Data platform can mask different types of data, such as credit card PANs, Cell IDs/IMSIs/MSISDNs, and URIs. Data can be masked while it is classified for storage, so that the raw value is never written to disk, or stored in full but hidden from display based on user privileges (RBAC).
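The two masking modes described above differ in where the raw value lives, and that is the security-relevant point. The following is an added illustration written for this page, not NETSCOUT code: the record layout, the field names (`pan`, `imsi`, `uri`, `src_ip`), the privilege names (`view_pan` and so on) and the masking rules (first 6/last 4 of a PAN, 5-digit PLMN prefix of an IMSI, query string stripped from a URI) are all assumptions chosen for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample record. The field names are an assumption for this
# example, not NETSCOUT's classification schema.
SAMPLE_RECORD = {
    "src_ip": "10.0.0.5",
    "pan": "4111 1111 1111 1111",   # Visa test number; passes Luhn
    "imsi": "310150123456789",      # 15-digit IMSI
    "uri": "https://shop.example/cart?session=abc123&card=4111111111111111",
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so only values that are actually PANs get masked as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits (the PCI DSS display maximum), star the rest."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
        return pan  # not a PAN: leave untouched rather than corrupt an unrelated field
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_imsi(imsi: str) -> str:
    """Keep the PLMN prefix (assumed 5 digits: MCC plus 2-digit MNC), star the MSIN."""
    if not re.fullmatch(r"\d{15}", imsi):
        return imsi
    return imsi[:5] + "*" * 10


def mask_uri(uri: str) -> str:
    """Drop query string and fragment, where session tokens and card data leak into URIs."""
    p = urlsplit(uri)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


MASKERS = {"pan": mask_pan, "imsi": mask_imsi, "uri": mask_uri}


def mask_at_classification(record: dict) -> dict:
    """Mode 1: mask before storage. The raw value is never written, so no later
    privilege can recover it. Right choice when no role legitimately needs it."""
    return {k: MASKERS[k](v) if k in MASKERS else v for k, v in record.items()}


def view(record: dict, privileges: set) -> dict:
    """Mode 2: store raw, redact at display time unless the role holds 'view_<field>'.
    Raw data stays at rest, so this mode depends on the privilege check, host ACLs
    and retention all being correct; a bug in any of them exposes everything."""
    return {
        k: v if (k not in MASKERS or f"view_{k}" in privileges) else MASKERS[k](v)
        for k, v in record.items()
    }


if __name__ == "__main__":
    print(mask_at_classification(SAMPLE_RECORD))
    print(view(SAMPLE_RECORD, {"view_pan"}))  # analyst cleared for card data only
    print(view(SAMPLE_RECORD, set()))         # default role sees every sensitive field masked
```

The practical check when choosing between the two modes is whether anyone will ever need the raw value: if not, mask at classification and the exposure question disappears; if so, display-time hiding is acceptable only when the RBAC policy, the host access lists and the aging schedule described in the following sections are all in place, because the unmasked data is still on disk.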
Packet Slicing/Recording/Session Data
NETSCOUT provides granular control over exactly what is processed per application and, for some applications, per appliance and per IP address (using the VIP list). The number of bytes recorded can be set as a default for the whole server and overridden per application: full packets, no packets (metrics only), fully optimized (AST, available for select applications, which uses a patented process that stores substantially less data), or a slice measured from the packet start or from the application payload.
Further granularity can be configured at the appliance level to reduce the slice size stored per interface. Similar controls apply per application, for certain features per interface, and to the storage of session records.
Administrators can configure which addresses to monitor using My Network, and by defining named communities for client, server, telephone, and "VIP" (IP, MSISDN, or IMSI) addresses. The VIP list feature adds still finer control over grouping and over packet/session storage.
Data is protected at the classification source by limiting access using host-based access control lists.
Data on the server and appliance is aged out on a scheduled basis. Certain data types support independent configuration of the classification table, if desired.
NETSCOUT Arbor DDoS Solutions
purchasing appliances with self-encrypting drives (SEDs), hardening passwords, disabling root logins over SSH, enabling STIG compliance, configuring secure communication between the server and appliance, setting up read/write access control for hosts and data requests, directing logs to external servers, disabling ctrl-alt-delete reboots, customizing ports, and leveraging other security features described in the Arbor DDoS user documentation.
In addition to physical security, NETSCOUT Arbor DDoS solutions help organizations establish appropriate measures for the secure processing of data. These solutions incorporate data protection by design and by default principles such as:
- All control plane communications between NETSCOUT Arbor solutions, as well as administrative connections, are encrypted using SSH and HTTPS.
- All Arbor DDoS solutions provide a built-in firewall that restricts access to authorized IP addresses only, limiting the exposure of data.
- All Arbor DDoS solutions authenticate users against a local database or against external TACACS/RADIUS systems, which enables, for example, two-factor authentication through the external system. Local password security policies can be enforced as well.
- All Arbor DDoS solutions provide granular authorization mechanisms that let system administrators restrict access to specific product features.
- All Arbor DDoS solutions provide accounting of user actions, either locally or through external TACACS/RADIUS systems.
Arbor DDoS solutions provide other built-in capabilities which are designed to further reduce risks associated with the data being processed:
- Arbor SP can be configured to limit the number of raw flow telemetry records that are stored and to set the maximum age after which flow telemetry records are automatically deleted.
- Arbor TMS can be configured to limit the number of IP packets that can be captured per interactive capture.
- Arbor APS can be configured to limit the number of IP packets that can be captured per interactive capture and provides a way to limit the age of data stored in the system.