Buyer's guide: New approaches to combating network security threats

Polymorphic malware is on the rise. Panda Security identified 25 million new strains of malware in 2009.

Polymorphic malware is on the rise - Panda Security identified 25 million new strains of malware in 2009. The permeable nature of perimeter network defences is now so widely recognised that even the US military admits it cannot secure its networks.

This admission of inadequacy has accompanied the emergence of networking companies that claim to address the challenge. But even conventional perimeter defenders have begun echoing the warning as they introduce their own solutions to the problem.

"We need to 'rethink the guards, gates and guns' approach to network protection," Greg Day, McAfee's director of security strategy, told a meeting of military defence analysts in March.

Since intruders are getting in, security suppliers are turning away from the perimeter and looking at the network to hunt them down.


In practice this means more sophisticated system scans because polymorphic intruders do not adhere to threat signatures. It also means sharing threat intelligence and more stringent defence testing. In short, better intelligence and more resilience. Here are two relatively new products that aim to tackle the new threat landscape in network security.

Breaking Point

Breaking Point introduced its Elite device in 2007 on the premise that networks were not resilient because they weren't sufficiently stress-tested.

It delivers simulated malicious and benign application traffic at speeds of up to 20Gbps per Elite blade. Network and security suppliers such as Enterasys, Juniper, NetQos, and Stonesoft have begun using Elite to put products through their paces before they release them to market.

Elite has also been deployed by banks to test high-volume, high-risk customer systems. Denis Cox, chief technology officer and co-founder of Breaking Point, says an online retailer might use Elite to test the search function on its website.

The device would ensure the search works even at peak times when, say, the bank's servers were overloaded with encrypted credit card orders, and hordes of intrusion attempts were meanwhile being made on its network.

Other high-volume scenarios might involve a few million people visiting a website, or a thousand pub-goers all trying to watch a football game on their mobiles at the same time.

The traffic itself consists of application-layer data, simulating 90 application protocols and 4,200 belligerents, including viruses, botnets and DDoS attacks. Each blade can simulate 15 million simultaneous TCP sessions - 1.5 million per second. Traffic is sculpted to simulate various spreads of users: good, bad, housewives, office workers, using Blackberries or laptops, sending e-mails or watching television, even with specific metadata and actions.

Its software engine rests partly on a NetLogic XLR network processor of the sort used for the interception of network backbones by governments. Elite reverses its usual function, so it generates traffic instead of listening to it. Its magic ingredient is the chip that sits alongside the XLR. It was designed by Breaking Point to generate malicious traffic. Cox calls it the "antithesis of a network processor".

NetWitness

Before NetWitness introduced its network listening devices to the open market in 2007, the product had been used exclusively by government agencies.

The company's Decoder probes are now used in sensitive and wealthy sectors such as finance and transport to do near real-time analysis of network traffic at 1Gbps. Probes are aggregated for fatter network pipes, up to 60Gbps in one instance.

The technology's application for computer security extends beyond recording everything that travels through a network. Eddie Schwartz, chief security officer of NetWitness, says its power comes from the traffic index it generates on the fly.

NetWitness Decoders index at least 100 items of metadata for each data stream and dump them locally, together with the actual traffic, on stores of up to 220Tbytes. They produce threat alerts by comparing traffic with aggregated threat reports and predefined rules, such as sessions linking to competitors' domains or keywords used in internet relay chat.

Schwartz says he hooked a Decoder up for one customer (though no NetWitness customers will talk publicly) as a proof of concept and left it running overnight. By morning a leak of 65Mbytes had been exposed.

It had been leaking like that for 12 months.

The Decoder stores are collated for retrospective analysis on other NetWitness devices so threats can be flushed out when alerts come from other sources. A security operator might, for example, search for all users who had accessed websites in Leeds in a given period.

Drilling down further, the operator could find all Leeds sessions that involved the transfer of an executable file. The files could be examined and the full session recreated either side of the incident so that the operator could see exactly what the user saw, what data was transferred, from where, to where, and with what consequences.
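The indexing and drill-down workflow described above, as an added Python sketch that is not NetWitness code: it indexes constructed session metadata on ingest, fires two predefined rules of the kind the article mentions (a competitor domain, a watchword in IRC), answers the Leeds-in-a-given-period query, narrows it to sessions carrying an executable, and totals outbound bytes per source/destination pair so a sustained transfer like the overnight leak stands out. Every field name, rule, threshold and sample session here is an assumption made for the example.

```python
"""Toy session-metadata index: rule-based alerts plus retrospective drill-down.

Constructed for illustration. Not NetWitness code: the field names, rules,
thresholds and sample sessions are all assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Session:
    """Metadata a capture probe might record for one reconstructed session."""
    ts: datetime
    src_ip: str
    dst_host: str
    geo: str                      # assumed city tag attached at capture time
    proto: str                    # application protocol the decoder identified
    bytes_out: int                # bytes sent from src toward dst
    files: list = field(default_factory=list)          # filenames seen in transfer
    payload_words: list = field(default_factory=list)  # tokens from plaintext chat


# Predefined rules of the kind the article mentions (constructed values).
COMPETITOR_DOMAINS = {"rival-bank.example", "rival-retail.example"}
IRC_WATCHWORDS = {"botnet", "ddos", "payload"}
EXEC_EXTENSIONS = (".exe", ".dll", ".scr")


class SessionIndex:
    """Keeps every session plus a secondary index so later queries avoid a full scan."""

    def __init__(self):
        self.sessions = []
        self.by_geo = defaultdict(list)   # geo tag -> list of session ids

    def ingest(self, s):
        sid = len(self.sessions)
        self.sessions.append(s)
        self.by_geo[s.geo].append(sid)
        return sid


def alerts_for(s):
    """Apply the predefined rules to one session; return the rule names that fired."""
    fired = []
    if s.dst_host in COMPETITOR_DOMAINS:
        fired.append("competitor-domain")
    if s.proto == "irc" and IRC_WATCHWORDS & {w.lower() for w in s.payload_words}:
        fired.append("irc-watchword")
    return fired


def scan_alerts(index):
    """Near-real-time pass: (session id, rule) for every rule that fired."""
    return [(sid, rule) for sid, s in enumerate(index.sessions) for rule in alerts_for(s)]


def sessions_in(index, geo, start_iso, end_iso):
    """Retrospective query: session ids tagged with `geo` whose time lies in [start, end)."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return [sid for sid in index.by_geo[geo] if start <= index.sessions[sid].ts < end]


def with_executables(index, sids):
    """Drill-down: keep only sessions in which an executable file was transferred."""
    return [sid for sid in sids
            if any(f.lower().endswith(EXEC_EXTENSIONS) for f in index.sessions[sid].files)]


def outbound_totals(index, threshold):
    """Aggregate bytes out per (source, destination); return the pairs over the threshold."""
    totals = defaultdict(int)
    for s in index.sessions:
        totals[(s.src_ip, s.dst_host)] += s.bytes_out
    return {pair: n for pair, n in totals.items() if n > threshold}


# Constructed sample sessions standing in for a night of captured traffic.
SAMPLE_SESSIONS = [
    Session(datetime.fromisoformat("2010-03-01T09:00"), "10.0.0.5", "intranet.example", "London", "http", 2_000),
    Session(datetime.fromisoformat("2010-03-01T09:15"), "10.0.0.7", "rival-bank.example", "Leeds", "http", 500),
    Session(datetime.fromisoformat("2010-03-01T22:30"), "10.0.0.9", "irc.example.net", "Leeds", "irc", 100,
            payload_words=["join", "ddos", "tonight"]),
    Session(datetime.fromisoformat("2010-03-01T23:05"), "10.0.0.9", "files.example.org", "Leeds", "http", 40_000,
            files=["update.exe"]),
    Session(datetime.fromisoformat("2010-03-02T01:00"), "10.0.0.9", "files.example.org", "Leeds", "http", 30_000,
            files=["archive.zip"]),
    Session(datetime.fromisoformat("2010-03-01T10:00"), "10.0.0.5", "www.example.com", "Manchester", "http", 3_000,
            files=["setup.exe"]),
]


def build_index():
    """Ingest the constructed sessions and return the populated index."""
    index = SessionIndex()
    for s in SAMPLE_SESSIONS:
        index.ingest(s)
    return index


if __name__ == "__main__":
    idx = build_index()
    print("alerts:", scan_alerts(idx))
    leeds = sessions_in(idx, "Leeds", "2010-03-01T00:00", "2010-03-02T00:00")
    print("Leeds sessions on 1 March:", leeds)
    print("...with executables:", with_executables(idx, leeds))
    print("heavy outbound pairs:", outbound_totals(idx, 50_000))
```

The point of the secondary index is that the retrospective question ("everyone who talked to Leeds that day") is answered from the metadata alone; the packet store is only opened once the drill-down has narrowed the candidates to a handful of session ids, which is what makes the recreate-the-session step practical at capture rates of gigabits per second.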

Photo credit: Dan Talson/Rex Features
