Arbor networks has added user-level tracking, SNMP polling and a handful of other features to Peakflow X, enhancing the internal IPS ability to assist network managers in hunting down troublesome or unauthorized network clients. Released Jan. 11, Peakflow X 3.4, which costs $60,000, is a 2U (3.5-inch) appliance that sits in the network to monitor traffic. Because Peakflow X is part of the behavior anomaly detection family of internal intrusion prevention systems, it quietly monitors and "learns" what normal network operations look like. When an anomaly is detectedfor example, when an end-user system accesses a particular server at an odd timePeakflow X alerts network operations personnel.But Peakflow X is the first internal IPS weve seen that combines network behavior anomaly detection with what amounts to signature-based detection tools. In this version of Peakflow X, Arbor Networks has added ATF (Active Threat Feed), a service that provides Peakflow X policies created by Arbor Networks staff. We configured our Peakflow X system to look for new ATF data every hour. ATF policies, which are developed using Arbor Networks honey pots and service provider protection solutions, are provided as part of the service contract at no additional charge. During the time we spent testing Peakflow X, the ATF policies we downloaded didnt specifically lead to the detection of any network attacks. However, a preconfigured ATF policy did bust a user who was trying to access forbidden (as configured on our test network, anyway) Yahoo Internet e-mail. New in this version of Peakflow is the ability to identify nonconforming traffic down to the individual user. Most internal IPS solutions weve seen have no trouble connecting bad traffic to individual machines, but we havent used one yet that provided user-level identification. To use this feature, which works only when user data is stored in Microsofts Active Directory or when the user identification data is available from a DHCP (Dynamic Host Configuration Protocol) server, we installed Peakflow agent software on our Microsoft Windows Server 2003 Active Directory system. The installation process created a service on the Windows server that initiated an encrypted connection to the Peakflow X appliance. Active Directory provided user-to-IP-address mapping that was then displayed in traffic reports on the Peakflow management system. Although we dont think that user-level identification is so important that IT managers already using Peakflow X should immediately upgrade, we did see value in connecting user names to suspect network traffic. And the effort to get user details associated with network activity was minimalwe had the whole thing installed in less than 5 minutes. We did, however, have a bit of confusion during installation when we had to import a digital certificate from the AuthX agent install into our Active Directory server to facilitate the encrypted connection. Peakflow X should be considered a critical piece of the network management infrastructure, so the addition of SNMP management features is welcome. With Version 3.4 of Peakflow, we were able to keep tabs on general Peakflow X availability through our Hewlett-Packard OpenView NNM (Network Node Manager) console using SNMP traps. This capability is especially important for Peakflow X operations because the product must be up and running continuously for its base-line and anomaly detection functions to work correctly. And, because Peakflow X is not an in-line device, it might not be readily apparent to operations staff if the appliance were to go down. It took almost no time to add the Peakflow X appliance to our NNM console. In fact, Peakflow X fit neatly into our test network without requiring any reconfiguration of routes or network infrastructure equipment. Network operators will likely spend much more time on Peakflow X policies and network traffic reports than actually installing the device in the network. However, like nearly all its competitors, Peakflow X requires a connection to a monitoring switch port or access to a mirroring network tap so that it can see all network traffic. Similar to most network behavior analysis products, Peakflow X acts like a network traffic analyzer on steroidsit collects huge amounts of flow data about network activity. We therefore appreciated the fact that the product allowed us to designate a variety of access levels to this sensitive data, allowing, for example, junior operators to see troubleshooting data without being able to modify the policies that generated the reports. Next page: Evaluation Shortlist: Related Products.