By Cameron Sturdevant  |  Posted 2006-02-20

Arbor Networks has added user-level tracking, SNMP polling and a handful of other features to Peakflow X, enhancing the internal IPS's ability to help network managers hunt down troublesome or unauthorized network clients.

Released Jan. 11, Peakflow X 3.4, which costs $60,000, is a 2U (3.5-inch) appliance that sits in the network to monitor traffic. Because Peakflow X is part of the behavior anomaly detection family of internal intrusion prevention systems, it quietly monitors and "learns" what normal network operations look like. When an anomaly is detected—for example, when an end-user system accesses a particular server at an odd time—Peakflow X alerts network operations personnel.

But Peakflow X is the first internal IPS we've seen that combines network behavior anomaly detection with what amounts to signature-based detection tools.

In this version of Peakflow X, Arbor Networks has added ATF (Active Threat Feed), a service that provides Peakflow X policies created by Arbor Networks staff. We configured our Peakflow X system to look for new ATF data every hour. ATF policies, which are developed using Arbor Networks' honeypots and service provider protection solutions, are provided as part of the service contract at no additional charge.

During the time we spent testing Peakflow X, the ATF policies we downloaded didn't specifically lead to the detection of any network attacks. However, a preconfigured ATF policy did bust a user who was trying to access forbidden (as configured on our test network, anyway) Yahoo Internet e-mail.

New in this version of Peakflow is the ability to identify nonconforming traffic down to the individual user.

Most internal IPS solutions we've seen have no trouble connecting bad traffic to individual machines, but we haven't used one yet that provided user-level identification.

To use this feature, which works only when user data is stored in Microsoft's Active Directory or when the user identification data is available from a DHCP (Dynamic Host Configuration Protocol) server, we installed Peakflow agent software on our Microsoft Windows Server 2003 Active Directory system.

The installation process created a service on the Windows server that initiated an encrypted connection to the Peakflow X appliance. Active Directory provided user-to-IP-address mapping that was then displayed in traffic reports on the Peakflow management system.
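To make the two ideas above concrete (a learned baseline that flags an access at an odd hour, and a user-to-IP mapping that puts a name on the offending host), here is a toy detector written for this review; it is not Arbor's code, and the flow records, the mapping and the alert labels are all constructed for the example.

```python
"""Added example, not Peakflow X code: learn which (client, server, port)
pairs are normal and at what hours, then flag a later flow that breaks the
pattern and label it with the user from an AD-style user-to-IP mapping."""
from collections import defaultdict
from datetime import datetime

# Constructed training flows: (timestamp, src_ip, dst_ip, dst_port)
BASELINE_FLOWS = [
    ("2006-01-09 09:15", "10.0.1.21", "10.0.9.5", 445),
    ("2006-01-09 10:40", "10.0.1.21", "10.0.9.5", 445),
    ("2006-01-10 09:05", "10.0.1.21", "10.0.9.5", 445),
    ("2006-01-10 14:30", "10.0.1.22", "10.0.9.5", 445),
    ("2006-01-11 11:00", "10.0.1.22", "10.0.9.8", 1433),
]

# Constructed user-to-IP mapping, as an Active Directory agent would supply it.
USER_MAP = {"10.0.1.21": "CORP\\jdoe", "10.0.1.22": "CORP\\asmith"}

def hour_bucket(ts):
    """Hour of day (0-23) of a 'YYYY-MM-DD HH:MM' timestamp."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M").hour

def learn_baseline(flows):
    """Map each (src, dst, port) pair to the set of hours it was seen in."""
    seen = defaultdict(set)
    for ts, src, dst, port in flows:
        seen[(src, dst, port)].add(hour_bucket(ts))
    return seen

def classify(baseline, flow, slack=1):
    """Return None if the flow matches learned behaviour, else an alert dict.
    An unseen (src, dst, port) pair is 'new-peer'; a known pair seen outside
    its usual hours (+/- slack, wrapping at midnight) is 'odd-hour'."""
    ts, src, dst, port = flow
    hour = hour_bucket(ts)
    hours = baseline.get((src, dst, port))
    if hours is None:
        reason = "new-peer"
    elif any(min(abs(hour - h), 24 - abs(hour - h)) <= slack for h in hours):
        return None
    else:
        reason = "odd-hour"
    return {"reason": reason, "src": src, "dst": dst, "port": port,
            "hour": hour, "user": USER_MAP.get(src, "unknown")}
```

A real product would also age out the baseline and weight by flow volume; this block only shows the join between anomaly and identity that the review describes.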

Although we don't think that user-level identification is so important that IT managers already using Peakflow X should immediately upgrade, we did see value in connecting user names to suspect network traffic. And the effort to get user details associated with network activity was minimal—we had the whole thing installed in less than 5 minutes.

We did, however, have a bit of confusion during installation when we had to import a digital certificate from the AuthX agent install into our Active Directory server to facilitate the encrypted connection.

Peakflow X should be considered a critical piece of the network management infrastructure, so the addition of SNMP management features is welcome. With Version 3.4 of Peakflow, we were able to keep tabs on general Peakflow X availability through our Hewlett-Packard OpenView NNM (Network Node Manager) console using SNMP traps.

This capability is especially important for Peakflow X operations because the product must be up and running continuously for its baseline and anomaly detection functions to work correctly. And, because Peakflow X is not an in-line device, it might not be readily apparent to operations staff if the appliance were to go down.

It took almost no time to add the Peakflow X appliance to our NNM console. In fact, Peakflow X fit neatly into our test network without requiring any reconfiguration of routes or network infrastructure equipment. Network operators will likely spend much more time on Peakflow X policies and network traffic reports than actually installing the device in the network.

However, like nearly all its competitors, Peakflow X requires a connection to a monitoring switch port or access to a mirroring network tap so that it can see all network traffic.

Similar to most network behavior analysis products, Peakflow X acts like a network traffic analyzer on steroids—it collects huge amounts of flow data about network activity.

We therefore appreciated the fact that the product allowed us to designate a variety of access levels to this sensitive data, allowing, for example, junior operators to see troubleshooting data without being able to modify the policies that generated the reports.


Cameron Sturdevant Cameron Sturdevant has been with the Labs since 1997, and before that paid his IT management dues at a software publishing firm working with several Fortune 100 companies. Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility, with a focus on Android in the enterprise. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his reviews and analysis are grounded in real-world concern. Cameron is a regular speaker at Ziff-Davis Enterprise online and face-to-face events. Follow Cameron on Twitter at csturdevant, or reach him by email at csturdevant@eweek.com.
