Industry-leading Security Technology

NETSCOUT understands the critical importance of compliance with laws and regulations governing the collection and use of personal data. Our solutions assure and protect our connected world. The robust security features of our products are designed to mitigate data risks such as loss or unauthorized access, destruction, use, modification, or disclosure.

NETSCOUT products allow you to customize a security strategy in several ways, from the operating system and between-system communications to access control of individual modules, role-based data visibility, and packet and data storage configurations. 

Product Security

The following industry-leading privacy and security features enable you to customize how you fulfill data privacy requirements in your environment while still achieving service assurance goals.

nGeniusONE servers and Smart Data core platform

nGeniusONE servers and the Smart Data core platform are based on hardened Linux operating systems and updated software packages to reduce security vulnerabilities. Administrators can further secure the server and appliance hardware through such options as purchasing appliances with self-encrypting drives (SEDs), hardening passwords, disabling root logins over SSH, enabling STIG compliance, configuring secure communication between the server and appliance, setting up read/write access control for hosts and data requests, directing logs to external servers, disabling ctrl-alt-delete reboots, customizing ports, and leveraging other security features described in the nGeniusONE online help and InfiniStream documentation.

In addition to physical security, NETSCOUT provides a variety of methods to customize software usage and viewing rights, as well as what packet data is stored and displayed.

These include:

Role-Based Access Control (RBAC)

Administrators can assign privileges and access rights to specific users or groups, restrict who can administer the software, view certain modules, perform packet decodes or playback media, and view user identity data, if that data is chosen to be stored.

External Authentication

NETSCOUT supports either local authentication or integration with RADIUS, LDAP, Windows Domain/Active Directory, Cisco ACS/TACACS, and SiteMinder.

Masking

Configuration options on both the nGeniusONE server and Smart Data platform can be used to mask different types of data, such as credit card PANs, Cell IDs/IMSI/MSISDNs, and URIs. Data can be masked while it is classified for storage, or stored but hidden from display based on user privileges (RBAC).

Packet Slicing/Recording/Session Data

One of the most powerful features NETSCOUT offers is granular control over exactly what is processed per application and, for some applications, per appliance and per IP address (using the VIP list). Recording bytes can be set as a default for the whole server, as well as per application, for full packets, no packets (metrics only), fully optimized storage (AST for select applications, using a patented process that stores substantially less data), or by packet start or application payload.

Further granularity can be configured at the appliance level to reduce the slice size stored per interface. Similar controls can be applied per application, and for certain features per interface, and for storing session records.

Communities

Administrators can configure the addresses to monitor using My Network and by defining named communities for client, server, telephone, and "VIP" (IP, MSISDN, or IMSI) addresses. The VIP list feature provides even more granular control for grouping and packet/session storage.

Read/Write Community

Data is protected at the classification source by limiting access using host-based access control lists.

Aging

Data on the server and appliance is aged out on a scheduled basis. Certain data types support independent configuration of the classification table, if desired.

NETSCOUT Arbor DDoS Solutions

All NETSCOUT Arbor DDoS virtual and physical solutions rely on hardened operating systems and regular software package updates to reduce security vulnerabilities. Administrators can further secure the server and appliance hardware through such options as purchasing appliances with self-encrypting drives (SEDs), hardening passwords, disabling root logins over SSH, enabling STIG compliance, configuring secure communication between the server and appliance, setting up read/write access control for hosts and data requests, directing logs to external servers, disabling ctrl-alt-delete reboots, customizing ports, and leveraging other security features described in the Arbor DDoS user documentation.

In addition to physical security, NETSCOUT Arbor DDoS solutions can help organizations establish appropriate measures for the secure processing of data. These solutions incorporate data protection by design and default principles such as:

Encryption

All control plane communications between NETSCOUT Arbor solutions, as well as administrative connections, are encrypted using the secure protocols SSH and HTTPS.

Built-in Firewall

All Arbor DDoS solutions provide a built-in firewall to restrict access to authorized IP addresses only, which limits accessibility of data.

Authentication

All Arbor DDoS solutions provide authentication of users by means of a local database or by means of external TACACS/RADIUS systems, thus enabling, for example, two-factor authentication mechanisms. Local password security policies can be enforced as well.

Authorization

All Arbor DDoS solutions provide granular authorization mechanisms enabling system administrators to restrict access to specific product features.

Accountability

All Arbor DDoS solutions provide accounting of user actions, either locally or by means of external TACACS/RADIUS systems.

Built-in Capabilities

Arbor DDoS solutions provide other built-in capabilities which are designed to further reduce risks associated with the data being processed:

  • Arbor SP can be configured to limit the amount of raw flow telemetry records that are stored and to set the maximum age before automatic deletion of the flow telemetry records.
  • Arbor TMS can be configured to limit the number of IP packets that can be captured per interactive capture.
  • Arbor APS can be configured to limit the number of IP packets that can be captured per interactive capture and provides a way to limit the age of data stored in the system.