
Internet Traffic Visibility

Overview

North-South traffic refers to communications that cross the boundary between an internal network (data center, enterprise LAN) and the external world (the Internet, cloud services, or remote users). Visibility into this traffic is essential for detecting external threats, enforcing security controls, and ensuring compliance.

The ColorTokens Xshield Security Platform provides visibility into North-South communications by collecting telemetry from hosts through lightweight agents. These agents are installed on servers and endpoints and use packet-capture libraries (e.g., Npcap on Windows, libpcap on Linux) to observe live traffic. While East-West (internal) traffic makes up most of the volume in enterprise environments, Xshield also observes and analyzes North-South (Internet) communications, both inbound (e.g., from Internet clients) and outbound (e.g., to SaaS providers).


Key Benefits of North-South Visibility

  1. Enhanced Threat Detection

    • Identifies malicious inbound connections and suspicious outbound communications such as malware callbacks, connections to phishing infrastructure, or command-and-control (C2) traffic.
    • Enables detection of data exfiltration and of compromised assets communicating with known-bad IPs or domains.
  2. Faster Incident Response

    • Provides context-rich telemetry for investigating attacks, tracing their origin, and mitigating threats quickly.
    • Enables visualization of attack vectors and suspicious Internet access patterns.
  3. Regulatory Compliance

    • Assists in meeting GDPR, HIPAA, PCI-DSS, and other regulatory requirements by recording which Internet endpoints regulated systems communicate with, in both directions.
    • Maintains logs and audit trails for forensic analysis.
  4. Zero Trust Enforcement & Microsegmentation

    • Complements Zero Trust security by showing which Internet communications actually occur, so that allow rules can be written from observed need rather than assumption and verified afterwards.
    • Supports segmentation policies by identifying the source and destination of traffic at a granular level.
  5. Cloud & Remote Access Security

    • Detects and profiles outbound traffic to cloud services (e.g., AWS, Azure, SaaS platforms).
    • Provides visibility into remote user access and detects anomalies or misuse.
  6. Proactive Threat Hunting

    • Uncovers early indicators of compromise (e.g., brute-force attempts, credential stuffing).
    • Helps analysts search for emerging threats using Internet communication patterns.

How Xshield Provides North-South Visibility

The Xshield agent is designed to track North-South traffic efficiently at scale. Because the public IP address space is far too large to account for every peer individually, the agent aggregates flows rather than recording each one:

Default Behavior

  • Inbound Traffic: By default, all incoming connections from the public Internet are aggregated by the destination service (i.e., the port/protocol on the host). This minimizes overhead while still showing which services are reachable from, and actually used from, the Internet.

  • Outbound Traffic: Connections to Internet destinations are grouped by destination domain (e.g., *.microsoft.com) rather than by individual IP. This simplifies visualization and reduces resource consumption, especially on user endpoints and in proxy-based environments, where the same service resolves to many changing addresses.

  • Proxy/Load-Balancer Environments: Because the real source or destination IP is often hidden behind a proxy or load balancer, the agent does not attempt to track each unique flow; doing so would produce large volumes of data that cannot be attributed to a meaningful peer.

This default configuration ensures minimal resource impact on the host while maintaining useful visibility for most enterprise use cases.


Advanced North-South Visibility (Per-IP/Flow)

When more detailed visibility is required, for example to identify the specific sources abusing a broad allow rule, Xshield provides an advanced visibility feature that enables per-IP tracking of North-South communications.

Use Case Example

An operator might allow inbound access to a server on port 443 (HTTPS) without restricting the source IP, because the service is meant to be reachable from the Internet. Any Internet source can then reach the service, and the default service-level aggregation only shows that port 443 received connections, not which peers made them. Enabling per-IP visibility on that server records the individual source addresses, so that unauthorized or abusive access can be detected, attributed, and blocked.

How It Works

  • When enabled, Xshield agents track and report individual inbound and outbound connections with full IP and port information.
  • External IP addresses involved in these communications are logged and reported back to the Xshield platform.
  • This detailed data is used for visualization, threat analysis, and policy refinement.

Data Reporting & Optimization

  • External IPs and domain-level data are uploaded to the platform periodically (e.g., every six hours) rather than per connection, reducing unnecessary data flow.
  • The system is built to avoid overwhelming the platform or the user with low-value, high-volume data such as DDoS traffic or port scans.

Configuration & Licensing

  • This advanced visibility feature is disabled by default to avoid generating excessive telemetry from DDoS traffic or from high-volume Internet-facing assets.

  • It must be enabled at the tenant level by the ColorTokens SaaSOps team. Please contact your ColorTokens representative to request activation.

  • Once enabled for the tenant, users select the specific assets on which to activate per-IP North-South visibility, based on operational needs and risk profiles.

  • Per-IP Internet communication visibility is available only for server agents. It cannot be enabled for user agents, which keep the default service- and domain-level aggregation.


Operational Considerations

  • Performance Impact: Enabling per-IP North-South visibility increases the volume of telemetry the agent collects and reports, and may affect server performance slightly depending on the workload and traffic pattern.
  • Data Noise: Avoid enabling this feature indiscriminately on public-facing assets, as it may generate a large amount of low-value data (e.g., from botnet scans).
  • Visualization Complexity: Overly granular visibility can clutter dashboards and complicate policy management if it is not carefully scoped to the assets and questions that require it.

Summary

The ColorTokens Xshield platform offers a robust and flexible approach to Internet (North-South) traffic visibility. By default, it provides a scalable baseline view of inbound and outbound communications. For enhanced threat detection and forensic capabilities, the platform supports deeper visibility that can be selectively enabled. This dual-mode capability ensures that organizations can balance security insight with performance efficiency, aligning with Zero Trust and compliance objectives.