IDS early bird gets the worm

Intrusion detection and prevention systems are typically generalists, scanning network traffic and alerting you to any kind of threat or anomaly. Arbor Networks’ Peakflow X is a specialist, using anomaly-based detection techniques specifically to thwart unknown or “zero-day” worms. If you’re running Check Point Software Technologies or Cisco network gear, you can even automate port blocking to choke off propagating worms, while allowing legitimate traffic to pass through.

The Peakflow X solution consists of two hardware appliances: Collector, which monitors traffic, and Controller, which gathers information from one or more Collectors. Collector is not an in-line device designed to block harmful traffic, nor is it typically deployed at the perimeter. Arbor suggests deploying Collector at the network core or near the datacenter, where it can monitor communications among many hosts.

Peakflow X focuses on the relationships of machines in the network. It learns which machines talk to which, which ports they use, and so on, ultimately producing a spatial model of normal communications that it uses to flag worm-propagating behavior -- the steps a worm takes to seek out and infect other machines across the network. 

Peakflow X provides invaluable information for combating a worm attack. The first thing it did when attached to our network was passively map the network. Located on the map is a search button that allowed us to find machines that were communicating using any specific port. The map also displays ports in use and active conversations between hosts.

Peakflow X has a Safe Quarantine function that works with Check Point firewalls, Cisco routers, and Cisco Catalyst 6000 series switches. At the click of a button, Safe Quarantine creates an ACL (access control list) that blocks unauthorized traffic to an identified port while allowing authorized traffic to get through. By mapping port usage and whitelisting authorized traffic, Peakflow X effectively chokes off the worm. Of course, if your network isn’t built on Cisco, you’ll need to perform port blocking manually.

Arbor’s technology is unique, and it gives users a peek at the cutting-edge whitelist prevention systems to come. The $100,000 sticker price won’t appeal to budget-conscious shops, but Peakflow X is a darn good worm-defense system, and we look forward to watching this technology mature -- and hopefully integrate with a broader range of network gear -- in the future.

-- Mark A. Givens and Charles D. Herring of the Naval Postgraduate School contributed to this review.

(Return to the special report)