O Inspector, where art thou?

Inspector Deployment Options

The number one question we hear at Innoculator from clients is “Where or how should I install the Inspectors?” and, to be fair, it’s a good question. Unfortunately, the answer isn’t necessarily straightforward. The design rationale, the “why” part of this discussion, is a topic for another blog post. Today we will simply ask one question: do you want alerting only, or the ability to block in real time? We will then reveal the answer to the original question at the end.

Alerting only

This is by far the easiest deployment for Innoculator inspectors. In this case you install your inspector(s) wherever you like and then make use of a mirror/SPAN port (or a network TAP if you have one). The switch or TAP sends a copy of all network traffic heading to the particular workload to the Inspector, which inspects that copy; because it only ever sees a copy, it can detect and alert but cannot block. It is very easy to set up and has no impact on your network traffic. Any detections and alerts generated by Innoculator will be sent to your configured recipient (SIEM, email, ticketing system, etc.).

Network Mirror/SPAN port

Innoculator recommends this approach when you are trialing our software, as it is the easiest way to set up and see the value with no interruption. We also recommend that new users start with this approach, as it lets you gain real-world experience with the system and how it can be employed, and learn where you may benefit from the next approach.

For an understanding of these types of deployments (for the non-networking people among you), these links help explain the differences between the approaches:

  1. https://www.gigamon.com/resources/resource-library/white-paper/to-tap-or-to-span.html
  2. https://www.ntop.org/port-mirror-vs-network-tap/
  3. https://www.networkcritical.com/blogs/to-mirror-or-to-tap-that-is-the-question
  4. https://insights.profitap.com/tap-vs-span

Inline (Active Blocking)

The Inspector sits directly in the network path, protecting applications by analyzing all passing traffic, and can be set to block exploit attempts instantly. This can have an impact on network traffic speeds, however, so placement and usage should be considered. One of the key reasons we do not charge for inspector instances is that by installing as many of them as you need, you can mitigate the network impact.

With this in mind, there are a few approaches to deployment you can take. The first, and perhaps the ideal option, is a 1 to 1 deployment: one inspector for each workload you want to monitor.

1 to 1 deployment

This gives you the advantage that the amount of bandwidth required is easy to calculate, as it is simply whatever that application typically uses. It also means that this inspector only needs to monitor for exploits of the CVEs that apply to this workload.

Your second option is a 1 to Many approach. In this case you place your inspector at the top of a network segment, or really anywhere you like, as long as the traffic flows through the inspector instance. This means the inspector is inspecting the traffic for multiple workloads; depending on the workloads and their traffic (not to mention the hardware you install the Inspector on!), the impact (if any) on your network traffic will be manageable.

1 to many deployment
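As an added example (not Innoculator’s code, and not a measurement of any real Inspector instance), here is the sizing arithmetic behind the two inline options above, together with the caveat that applies to the alerting-only mirror/SPAN approach: a SPAN session copies both directions of every monitored port onto a single egress link, so the combined peak traffic must fit under that link’s line rate or the switch drops mirrored frames and the Inspector sees an incomplete picture; likewise a 1 to many inline instance must be sized so that the segment’s combined peak stays below the throughput it can sustain. The workload figures, the mirror-port speed, the per-instance capacity and the headroom factors are all constructed assumptions.

```python
"""Deployment sizing helper for inspector placement.

Added example, not Innoculator's code. It models each workload by its peak
two-way throughput in Mbit/s, a mirror/SPAN port by its link speed, and an
inline inspector instance by the throughput it can sustain before it starts
to slow traffic. Every figure below is a constructed sample value.
"""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class Workload:
    name: str
    peak_mbps: float  # busiest observed interval, ingress + egress combined


def span_feasible(workloads, span_port_mbps, headroom=0.8):
    """Check whether one mirror/SPAN port can carry copies of all traffic.

    A SPAN session copies both directions of every monitored port onto one
    egress link, so the sum of the workloads' peak two-way traffic must fit
    under the mirror port's own line rate. If it does not, the switch drops
    mirrored frames and the alerting-only inspector misses traffic.
    `headroom` keeps a safety margin below line rate (assumed value).
    """
    total_peak = sum(w.peak_mbps for w in workloads)
    budget = span_port_mbps * headroom
    return {
        "total_peak_mbps": total_peak,
        "budget_mbps": budget,
        "feasible": total_peak <= budget,
    }


def inline_instances_needed(workloads, inspector_capacity_mbps, headroom=0.7):
    """Size an inline deployment for a segment.

    Returns how many 1 to many instances are needed so that the segment's
    combined peak stays below `headroom` * capacity per instance, and, for a
    1 to 1 deployment, whether each workload's own peak fits on one instance
    of the assumed hardware.
    """
    usable = inspector_capacity_mbps * headroom
    total_peak = sum(w.peak_mbps for w in workloads)
    one_to_many = ceil(total_peak / usable) if total_peak > 0 else 0
    one_to_one = {w.name: w.peak_mbps <= usable for w in workloads}
    return {
        "usable_mbps_per_instance": usable,
        "one_to_many_instances": one_to_many,
        "one_to_one_fits": one_to_one,
    }


# Constructed sample segment: three workloads behind one access switch.
SAMPLE_SEGMENT = [
    Workload("web-frontend", peak_mbps=400),
    Workload("api-gateway", peak_mbps=650),
    Workload("file-share", peak_mbps=300),
]

if __name__ == "__main__":
    # A 1 Gbit/s mirror port cannot carry 1350 Mbit/s of combined peak traffic.
    print("SPAN port (1 Gbit/s):", span_feasible(SAMPLE_SEGMENT, 1000))
    # Two 1 Gbit/s inline instances cover the segment; each workload alone
    # fits a single instance, so 1 to 1 is also viable here.
    print("Inline sizing (1 Gbit/s per instance):",
          inline_instances_needed(SAMPLE_SEGMENT, 1000))
```

The point of running the two checks side by side is that the same segment can be fine for one option and not the other: here the mirror port is oversubscribed at peak, so an alerting-only deployment on that port would silently lose visibility, while two inline instances (or one per workload) carry the load with headroom.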

When integrating Inspector for network visibility or threat alerting, choosing between an inline deployment, a mirror/SPAN port, or a dedicated network TAP can have a significant impact on your security posture and on monitoring reliability.

Why not all three?

Ultimately, this is the real answer! Some applications you will only need or want to alert on. Others suit a 1 to 1 inspector model, and finally you may have a segment that you want to be able to control using inline blocking. So the answer is yes, you can combine all of these in one roll-out. Innoculator was designed for this deployment flexibility, and that is why we don’t have a clear-cut answer about what is best practice. It depends on your environment and your aims.