Peakflow X 3.6
Arbor Networks
Price: Controller hardware starts at $42,000; Collector hardware
ranges from $18,000 to $76,000, depending on configuration
Arbor Networks' Peakflow X 3.6 is a powerful behavior-based flow
analysis tool that empowers enterprises to protect the inside of
their perimeter from zero-day exploits, worms, spyware, phishing,
pharming and botnets, as well as from employee abuse and theft.
Peakflow includes two rack-mounted server appliances running a
proprietary hardened OpenBSD-based OS, with support for both Cat 5
copper and fiber Gigabit Ethernet ports. The collector gathers and
analyzes flow either directly at the router level (NetFlow, sFlow)
or by capturing packets on the network. The collector passes data
to the controller, which builds a comprehensive view for trending
and reporting, and stores information for regulatory
compliance.
Configuration/Management: B
Between the quick start card, setup wizard and excellent
documentation, it wasn't too difficult getting both the controller
and collector up and running through Arbor's secured browser-based
interface.
A word of caution: Complex corporate environments have many
types of data flows depending on user group. Taking full advantage
of Peakflow's advanced capabilities requires an in-depth knowledge
of these data flows and how they relate to internal applications
and network infrastructure.
Policy Control: A
The usual problem with most intrusion detection and prevention
systems is false positives hampering legitimate network traffic.
Peakflow X examines relationships between network objects that
regularly communicate with each other and builds a policy based on
normal flow behavior, greatly reducing false positives on
legitimate traffic.
Policy can be applied at the network level to hosts, servers, IP
addresses, ports and protocols, as well as through relational
modeling between different segments such as the access to Web
services and FTP. Administrators can also define policy on a
case-by-case basis according to alerts and violations as they occur
for extremely granular tuning.
Effectiveness: A
We threw multiple common internal threats -- rogue wireless access
points, network worms and spyware -- at Peakflow X, in addition to
implementing user restrictions. In each instance, the product
successfully detected and responded to the anomalous behavior.
In addition to detection, Peakflow X can provide automated
response to selected threats or policy violations through Check
Point Software Technologies' firewalls or on Cisco Systems' 6000
series switches.
We set policies that monitored and reported on acceptable port
objects, such as corporate VoIP applications and streaming media,
while identifying and blocking ones that were forbidden, including
freely distributed VoIP services and P2P networks.
Not having to rely on signatures to provide this level of
proactive security against threats and exploits is a big plus.
Arbor relies on its Active Threats Feed (ATF) to update the
Peakflow X database with the latest threat profiles -- fingerprints
of known behavior indicating botnets, host scanning and P2P.
Reporting: A
Peakflow X provides both automated and on-demand comprehensive
reporting through the Web interface. Existing templates are easy to
modify, and customized reports can be created with a few clicks
through the Web interface. Reports can be printed, emailed or
exported in .csv and .pdf formats.
Our favorite reports were Top Talkers, a quick view of the most
active hosts, users, ports and TCP/UDP services on the network, and
Scan Correlation, which provides a comparative analysis of Peakflow
X data and imported Nmap scan data.
Verdict
Peakflow isn't cheap and requires an intimate understanding of data
flows, applications and network infrastructure, but the investment
will pay dividends in threat mitigation, and policy monitoring and
enforcement.
Testing Methodology
The Peakflow X Collector was deployed in our lab to gather NetFlow
from Cisco and Juniper Networks' routers, and pass the data on to
the Peakflow X controller. After establishing a baseline for a
week's worth of network activity, we implemented policies and
generated anomalous traffic.
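The review describes the approach rather than showing it: learn which hosts normally talk to which servers, ports and protocols over a baseline window, then flag flows that fall outside that model, flows that violate a port policy (the forbidden P2P services), hosts whose behavior looks like scanning, and a Top Talkers summary. The script below is an added illustration of that workflow in Python; it is not Arbor's code, does not reproduce Peakflow X's actual modeling, and runs only on the constructed, labelled sample records embedded in it. The forbidden-port table and the scan threshold are assumptions chosen for the example.

```python
"""Toy behavior-based flow analysis in the spirit of the review (added
example, not Arbor's code). It learns which (src, dst, dst_port, proto)
relationships are normal from a baseline window of NetFlow-style records,
then scores a later window against that baseline and an assumed port policy."""
import csv
import io
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


# Constructed sample records standing in for exported NetFlow (not real traffic).
BASELINE_RECORDS = """\
src,dst,dport,proto,bytes
10.0.1.10,10.0.2.5,80,tcp,52000
10.0.1.11,10.0.2.5,80,tcp,48000
10.0.1.10,10.0.2.6,21,tcp,9000
10.0.1.12,10.0.2.7,5060,udp,3000
10.0.1.12,10.0.2.7,5060,udp,3200
"""

OBSERVED_RECORDS = """\
src,dst,dport,proto,bytes
10.0.1.10,10.0.2.5,80,tcp,51000
10.0.1.12,10.0.2.7,5060,udp,3100
10.0.1.13,10.0.2.5,6881,tcp,800000
10.0.1.14,10.0.2.5,22,tcp,100
10.0.1.14,10.0.2.6,22,tcp,100
10.0.1.14,10.0.2.7,22,tcp,100
10.0.1.10,10.0.2.9,445,tcp,2000
"""

# Assumed policy: destination ports the organization forbids (P2P examples).
FORBIDDEN_PORTS = {6881: "bittorrent", 4662: "edonkey"}


def parse_flows(text: str) -> list[Flow]:
    """Parse a CSV flow export into Flow records."""
    rows = csv.DictReader(io.StringIO(text))
    return [Flow(r["src"], r["dst"], int(r["dport"]), r["proto"].lower(),
                 int(r["bytes"])) for r in rows]


def build_baseline(flows: list[Flow]) -> set[tuple]:
    """Relational model: the set of peer/port/protocol tuples seen while learning."""
    return {(f.src, f.dst, f.dport, f.proto) for f in flows}


def analyze(flows: list[Flow], baseline: set[tuple],
            scan_threshold: int = 3) -> list[tuple]:
    """Return (kind, host, detail) alerts: 'policy' for forbidden ports,
    'anomaly' for relationships absent from the baseline, and 'scan' for a
    source reaching at least scan_threshold distinct dst:port pairs."""
    alerts = []
    targets = defaultdict(set)
    for f in flows:
        targets[f.src].add((f.dst, f.dport))
        if f.dport in FORBIDDEN_PORTS:
            alerts.append(("policy", f.src,
                           f"{FORBIDDEN_PORTS[f.dport]} to {f.dst}:{f.dport}"))
        elif (f.src, f.dst, f.dport, f.proto) not in baseline:
            alerts.append(("anomaly", f.src,
                           f"new relationship {f.dst}:{f.dport}/{f.proto}"))
    for src, pairs in targets.items():
        if len(pairs) >= scan_threshold:
            alerts.append(("scan", src, f"{len(pairs)} distinct dst:port pairs"))
    return alerts


def top_talkers(flows: list[Flow], n: int = 3) -> list[tuple[str, int]]:
    """Top Talkers-style view: sources ranked by bytes sent in the window."""
    counts = Counter()
    for f in flows:
        counts[f.src] += f.nbytes
    return counts.most_common(n)


if __name__ == "__main__":
    baseline = build_baseline(parse_flows(BASELINE_RECORDS))
    observed = parse_flows(OBSERVED_RECORDS)
    for kind, host, detail in analyze(observed, baseline):
        print(f"{kind:8s} {host:12s} {detail}")
    print("top talkers:", top_talkers(observed))
```

On the sample data the observed window yields one policy alert (the BitTorrent flow), four baseline anomalies and one scan alert for the host that touched port 22 on three servers. The caveat the review's methodology implies is worth stating: a model learned from a week of traffic treats everything on the wire during that week as normal, so any misuse already under way when learning starts becomes part of the baseline rather than an anomaly, and the baseline must be relearned whenever applications or segments change.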
This product review originally appeared in the November 2006
edition of Information Security magazine.