Review: Arbor Networks' Peakflow X 3.6

Peakflow X 3.6
Arbor Networks
Price: Controller hardware starts at $42,000; Collector hardware ranges from $18,000 to $76,000, depending on configuration

Arbor Networks' Peakflow X 3.6 is a powerful behavior-based flow analysis tool that empowers enterprises to protect the inside of their perimeter from zero-day exploits, worms, spyware, phishing, pharming and botnets, as well as from employee abuse and theft.

Peakflow includes two rack-mounted server appliances running a proprietary hardened OpenBSD-based OS, with support for both Cat V copper and fiber Gigabit Ethernet ports. The collector gathers and analyzes flow either directly at the router level (NetFlow, sFlow) or by capturing packets on the network. The collector passes data to the controller, which builds a comprehensive view for trending and reporting, and stores information for regulatory compliance.

Configuration/Management: B
Between the quick start card, setup wizard and excellent documentation, it wasn't too difficult getting both the controller and collector up and running through Arbor's secured browser-based interface.

A word of caution: Complex corporate environments have many types of data flows depending on user group. Taking full advantage of Peakflow's advanced capabilities requires an in-depth knowledge of these data flows and how they relate to internal applications and network infrastructure.

Policy Control: A
The usual problem with most intrusion detection and prevention systems are false positives hampering legitimate network traffic. Peakflow X examines relationships between network objects that regularly communicate with each other and builds a policy based on normal flow behavior, greatly reducing false positives on legitimate traffic.

Policy can be applied at the network level to hosts, servers, IP addresses, ports and protocols, as well as through relational modeling between different segments such as the access to Web services and FTP. Administrators can also define policy on a case-by-case basis according to alerts and violations as they occur for extremely granular tuning.

Effectiveness: A
We threw multiple common internal threats -- rogue wireless access points, network worms and spyware -- at Peakflow X, in addition to implementing user restrictions. In each instance, the product successfully detected and responded to the anomalous behavior.

In addition to detection, Peakflow X can provide automated response to selected threats or policy violations through Check Point Software Technologies' firewalls or on Cisco Systems' 6000 series switches.

We set policies that monitored and reported on acceptable port objects, such as corporate VoIP applications and streaming media, while identifying and blocking ones that were forbidden, including freely distributed VoIP services and P2P networks.

Not having to rely on signatures to provide this level of proactive security against threats and exploits is a big plus. Arbor relies on its Active Threats Feed (ATF) to update the Peakflow X database with the latest threat profiles -- fingerprints of known behavior indicating botnets, host scanning and P2P.

Reporting: A
Peakflow X provides both automated and on-demand comprehensive reporting through the Web interface. Existing templates are easy to modify, and customized reports can be created with a few clicks through the Web interface. Reports can be printed, emailed or exported in .cvs and .pdf formats.

Our favorite reports were Top Talkers, a quick view of the most active hosts, users, ports and TCP/UDP services on the network, and Scan Correlation, which provides a comparative analysis of Peakflow X data and imported Nmap scan data.

Verdict
Peakflow isn't cheap and requires an intimate understanding of data flows, applications and network infrastructure, but the investment will pay dividends in threat mitigation, and policy monitoring and enforcement.

Testing Methodology
The Peakflow X Collector was deployed in our lab to gather Netflow from Cisco and Juniper Networks' routers, and pass the data on to the Peakflow X controller. After establishing a baseline for a week's worth of network activity, we implemented policies and generated anomalous traffic.

This product review originally appeared in the November 2006 edition of Information Security magazine.