Mar 28, 2008 (08:03 PM EDT)
Rollout: Profiler Spots Bad Guys
Read the Original Article at InformationWeek
More than one in four U.S. financial institutions will purchase a network behavioral analysis system this year, according to Gartner. We think that's a believable projection--after all, in this post-TJX world, not knowing what's accessing your network can get you fired.
We put Mazu Networks' Profiler to the test in our Boston Real-World Partner Labs and were impressed with its ability to alert on suspicious traffic, though we would've liked more reporting on latency, and the GUI could use polish.
The magic behind NBA products, including Profiler, is the network flow technology found in switches and routers. Cisco helped pioneer the concept with its NetFlow packet flow analysis, based on the IPFIX open standard. NetFlow records provide information that can be used to manage availability and performance and to troubleshoot problems. Extreme Networks, Foundry Networks, and others use a similar open standard, sFlow, that differs from NetFlow primarily in the way data is collected.
This Layer 3 network analysis is great for a general bird's-eye view of how your network is being used, but what about security? Today, clever worms and peer-to-peer applications can hop ports, even tunnel inside traffic deemed legitimate. To beat them at their own game, you can use port and/or VLAN mirroring to send a copy of the entire packet to an NBA system like the Mazu Profiler for analysis. This way, the unique characteristics of worms and P2P apps can be detected through deep inspection. The Profiler we tested can accept mirrored traffic at full interface speed via its dual Gigabit Ethernet interfaces. However, the remote office sensor sent for review was capped at a 45 Mbps sample rate--fine for flow analysis, but not fast enough for deep packet inspection.
TAKE A GOOD LISTEN
Out of the box, Profiler attempts to detect attacks and threats based on a scoring system, but we could also configure granular rules and set up alerts based on almost any combination of source/destination network, host, port, application, interface, and so on. To simulate how Profiler would react to a port scan, we used Nmap to execute a TCP SYN sweep against one of our file servers. Almost immediately, we received an e-mail alerting us to the scan, with a PDF attachment containing details about the attack.
We then configured a rule to watch for IM traffic on a subnet and told Profiler to warn us of attempts to create a large number of TCP/25 connections. Like clockwork, Profiler sounded the alarm when we kicked off an AIM session and when we simulated an SMTP mailbot and attempted to hijack open relays on our internal subnets.
OUT OF THE ORDINARY
Next, we turned our attention to Profiler's heuristic scanning capabilities. Once a database of normal network activity is in place, you can ask Profiler to make alerting decisions when abnormal network events are detected.
The subject of our test attack was a SQL Server instance at the back end of a critical application in our test environment. The attacker was a Windows XP laptop that we placed on a valid internal subnet. The catch is that Profiler had never seen traffic between a host on this subnet and the SQL Server, so this communication was clearly an out-of-the-ordinary event that a security admin would want to know about. Profiler at first failed to automatically alert us; however, once we turned up the sensitivity of the scoring system, we were able to get an alert generated. Profiler provides the ability to predetermine how many more alerts would be generated by changing the sensitivity of the scoring system, enabling IT to find a good balance between safety and an overwhelming number of alerts.
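As an added illustration (not Mazu's code and not part of the original review), the Python below models the two detection styles described in the last few paragraphs over flow records: explicit rules for the TCP/25 connection burst and the port sweep, and baseline-driven anomaly scoring with an adjustable sensitivity that previews how many host-pair alerts each setting would raise. All addresses and flows are constructed sample data, and the score values are arbitrary assumptions.

```python
from collections import defaultdict
# Constructed flow records (src, dst, proto, dport), the fields a NetFlow/sFlow
# collector exports. Sample data for this example, not traffic from the review.
BASELINE = [  # learning period: only the app server ever talks to the SQL Server
    ("10.1.1.5", "10.1.9.20", "tcp", 1433), ("10.1.1.5", "10.1.9.20", "tcp", 1433),
    ("10.1.2.7", "10.1.9.30", "tcp", 445), ("10.1.2.8", "10.1.9.30", "tcp", 445),
]
LIVE = (
    [("10.1.2.7", "10.1.9.30", "tcp", 445)]       # known pair, benign
    + [("10.1.2.50", "10.1.9.20", "tcp", 1433)]   # rogue laptop -> SQL Server
    + [("10.1.2.50", "10.1.9.99", "tcp", 8080)]   # new pair to a never-seen host
    + [("10.1.2.9", "10.1.9.%d" % h, "tcp", 25) for h in range(40, 60)]  # mailbot
    + [("10.1.2.60", "10.1.9.30", "tcp", p) for p in range(1, 60)]       # SYN sweep
)

def build_baseline(flows):
    """Map each destination host to the set of sources seen talking to it."""
    seen = defaultdict(set)
    for src, dst, _, _ in flows:
        seen[dst].add(src)
    return seen

def score_flow(flow, baseline):
    """0-100 anomaly score (assumed values): new source to a known server scores highest."""
    src, dst, _, _ = flow
    if dst not in baseline:
        return 40  # nothing to compare against: suspicious, but less so
    return 0 if src in baseline[dst] else 80

def anomaly_alerts(flows, baseline, sensitivity):
    """Host pairs at or above the threshold; lowering it is the 'turn up the sensitivity' knob."""
    return sorted({(f[0], f[1]) for f in flows if score_flow(f, baseline) >= sensitivity})

def alert_counts_by_sensitivity(flows, baseline, levels=(90, 60, 30)):
    """Preview how many pair alerts each sensitivity setting would raise."""
    return {lvl: len(anomaly_alerts(flows, baseline, lvl)) for lvl in levels}

def burst_sources(flows, dport, max_peers):
    """Rule: sources contacting more than max_peers hosts on one TCP port."""
    peers = defaultdict(set)
    for src, dst, proto, port in flows:
        if proto == "tcp" and port == dport:
            peers[src].add(dst)
    return sorted(s for s, d in peers.items() if len(d) > max_peers)

def sweep_sources(flows, max_ports):
    """Rule: sources probing more than max_ports distinct ports on one host."""
    ports = defaultdict(set)
    for src, dst, _, port in flows:
        ports[(src, dst)].add(port)
    return sorted({s for (s, _), p in ports.items() if len(p) > max_ports})
```

With the default sensitivity levels the rogue laptop only surfaces once the threshold drops to 60, and the preview shows the 30 setting would also flag every one of the mailbot's never-seen destinations.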
Last on our security checklist was remediation. Profiler integrates with third-party vulnerability scanners and intrusion-detection systems, so additional reporting, alerting, or actions can be executed based on any conceivable network condition. We decided to have some fun with this by disciplining employees using prohibited P2P apps. We configured Profiler to launch a DoS-like counterattack on unauthorized P2P users by executing an aggressive Nessus scan of their systems to detect vulnerabilities. You can also give the Profiler SNMP read/write access to switches to automatically shut down the switch ports of users not adhering to policy. If outright counterattack is too aggressive for your environment, you could rely on Profiler's integration with Active Directory and DNS to provide the host name and currently logged-in user ID in your Profiler reports, then follow up.
Finally, while we were impressed overall with Profiler's core data and alerting, there were limitations in the reporting structure. We would have loved to see a Profiler report that displays round-trip network latency between hosts, for example, and there's no reporting on quality-of-service tags, so VoIP shops can't count on Profiler to verify end-to-end QoS over WAN links. Mazu says both functions will be added soon.
As you may have surmised, this puppy is expensive. Mazu would not reveal list pricing for the gear under review; however, our research suggests the product set we have in our lab, which includes dual copper gigabit collector ports and the 45-Mbps remote office sensor, would list for between $60,000 and $80,000. Still, despite the hefty price tag, we believe large enterprise networks will get their money's worth from network behavioral analysis. In fact, we're so intrigued by this space that we have a Rolling Review in the works. Stay tuned.