Intrusion Detection: Arbor Networks' Peakflow X 3.6


This article also appears in the Premium Editorial Download of Information Security magazine, issue "Symantec 2.0: Evaluating their recent acquisitions."

INTRUSION DETECTION


Peakflow X 3.6
REVIEWED BY SANDRA KAY MILLER

Arbor Networks

Price: Controller hardware starts at $42,000; Collector hardware ranges from $18,000 to $76,000, depending on configuration


Arbor Networks' Peakflow X 3.6 is a behavior-based flow analysis tool for protecting the inside of the perimeter. It is aimed at zero-day exploits, worms, spyware, phishing, pharming and botnets, as well as employee abuse and theft.

Peakflow consists of two rack-mounted server appliances. The Collector gathers and analyzes flow data, either from flow records exported by routers (NetFlow, sFlow, cFlow) or by capturing packets directly from the wire. The Collector passes its data to the Controller, which stores it and builds a network-wide view for trending and reporting.

Configuration/Management B
Thanks to the quick start card, setup wizard and excellent documentation, it wasn't too difficult getting the Controller and Collector up and running through Arbor's secured browser-based interface.

A word of caution: Complex corporate environments have many types of data flows. Taking full advantage of Peakflow's capabilities requires in-depth knowledge of those flows and how they relate to internal applications and network infrastructure. Because the product learns what is normal from observed traffic, anything present during the learning period, including traffic you would rather not have, is folded into the baseline, so review the baseline before trusting the alerts built on it.

Policy Control A
The usual problem with intrusion detection and prevention systems is false positives, which either block legitimate traffic or bury real alerts in noise. Peakflow X examines the relationships between network objects that regularly communicate with each other and builds policy from that normal flow behavior, which reduces false positives.

Policy can be applied at the network level to hosts, servers, IP addresses, ports and protocols, as well as through relational modeling between segments, such as which segments may reach Web services or FTP. Administrators can also define policy case by case, as alerts and violations occur, for granular tuning.

Effectiveness A
We threw several common internal threats at Peakflow X, including rogue wireless access points, network worms and spyware, and also implemented user restrictions. In each case, the product detected and responded to the anomalous behavior.

In addition to detection, Peakflow X can respond automatically to selected threats or policy violations by pushing blocks to Check Point Software Technologies' firewalls or to Cisco Systems' 6000 series switches.

We set policies that monitored and reported on acceptable port objects, such as corporate VoIP applications and streaming media, while identifying and blocking forbidden applications, including freely distributed VoIP services such as Skype and peer-to-peer (P2P) networks.

Not having to rely on payload signatures for this level of proactive protection is a big plus. Instead, Arbor's Active Threats Feed updates the Peakflow X database with the latest threat profiles: behavioral fingerprints characteristic of botnets, host scanning and P2P.

Reporting A
Peakflow X provides automated and on-demand reporting through its Web interface. Existing templates are easy to modify, and customized reports can be created with a few clicks. Our favorite reports were Top Talkers, a quick view of the most active hosts, users, ports and TCP/UDP services on the network, and Scan Correlation, which compares Peakflow X data with imported Nmap scan data.
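To make the review's description concrete, the following is an added example (not Arbor's code and not taken from Peakflow X) of the three ideas discussed above: a relational baseline of which hosts normally talk to which services (Policy Control), a behavioral fingerprint for host scanning (Effectiveness), and a Top Talkers ranking (Reporting). All flow records, addresses, thresholds and the forbidden-port policy are constructed for illustration; the flow-record format is a simplified stand-in for what NetFlow or sFlow would export.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record, reduced to the fields this example needs."""
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"
    nbytes: int


def parse_flows(lines):
    """Parse constructed 'src dst dport proto bytes' lines into Flow records."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto, nbytes = line.split()
        flows.append(Flow(src, dst, int(dport), proto, int(nbytes)))
    return flows


# Constructed baseline: a "normal" learning week reduced to six relationships.
BASELINE_FLOWS = parse_flows("""
10.1.1.10 10.1.2.20 80 tcp 52000
10.1.1.10 10.1.2.21 53 udp 1200
10.1.1.11 10.1.2.20 80 tcp 48000
10.1.1.11 10.1.2.21 53 udp 900
10.1.1.12 10.1.2.22 21 tcp 7000
10.1.1.12 10.1.2.21 53 udp 700
""".splitlines())


def build_baseline(flows):
    """Relational model: the set of (src, dst, dport, proto) tuples seen while learning."""
    return {(f.src, f.dst, f.dport, f.proto) for f in flows}


def new_relationships(flows, baseline):
    """Flows whose (src, dst, dport, proto) relationship never appeared in the baseline."""
    return [f for f in flows if (f.src, f.dst, f.dport, f.proto) not in baseline]


def detect_scanners(flows, min_targets=8):
    """Host-scan fingerprint: one source touching many distinct (dst, dport) pairs.
    The threshold is an assumption; tune it to the size of the monitored segment."""
    targets = defaultdict(set)
    for f in flows:
        targets[f.src].add((f.dst, f.dport))
    return sorted(src for src, t in targets.items() if len(t) >= min_targets)


def policy_violations(flows, forbidden_ports):
    """Port-object policy: flows to destination ports the site has declared forbidden."""
    return [f for f in flows if f.dport in forbidden_ports]


def top_talkers(flows, n=3):
    """Hosts ranked by bytes sent, in the spirit of a Top Talkers report."""
    by_host = Counter()
    for f in flows:
        by_host[f.src] += f.nbytes
    return by_host.most_common(n)


# Constructed monitoring day: the baseline traffic plus two anomalies.
SCAN_LINES = [f"10.1.1.13 10.1.2.{i} 445 tcp 60" for i in range(1, 13)]  # 12 hosts probed on 445
OBSERVED_FLOWS = BASELINE_FLOWS + parse_flows(
    SCAN_LINES + ["10.1.1.11 203.0.113.7 6881 tcp 900000"]  # new external peer, bulk transfer
)
FORBIDDEN_PORTS = {6881}  # assumed site policy: 6881 is a common BitTorrent client port


def analyze(flows, baseline, forbidden_ports):
    """Run every check once and return the findings keyed by check name."""
    return {
        "new_relationships": new_relationships(flows, baseline),
        "scanners": detect_scanners(flows),
        "violations": policy_violations(flows, forbidden_ports),
        "top_talkers": top_talkers(flows),
    }


if __name__ == "__main__":
    findings = analyze(OBSERVED_FLOWS, build_baseline(BASELINE_FLOWS), FORBIDDEN_PORTS)
    for name, value in findings.items():
        print(f"{name}: {value}")
```

Run as a script it prints the 13 flows absent from the baseline (the 12 probes plus the external transfer), flags 10.1.1.13 as a scanner, reports the 6881 flow as a policy violation, and ranks 10.1.1.11 first by bytes sent. The point the review makes about false positives is visible here too: every flow in BASELINE_FLOWS passes silently, so the quality of the alerts is bounded by the quality of the learning period.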

Verdict
Peakflow isn't cheap, and it requires an intimate understanding of data flows, applications and network infrastructure. But the investment pays off in threat mitigation and in policy monitoring and enforcement.


Testing methodology: The Peakflow X Collector was deployed in our lab to gather flow data from Cisco Systems and Juniper Networks routers and pass it to the Peakflow X Controller. After a week of network activity had been collected to establish a baseline, we implemented policies and generated anomalous traffic.

This was first published in November 2006
