Introduction
Detecting and preventing intrusion with deep packet analysis and forensics
Today's enterprise organizations rely on digital assets that must be protected from unauthorized access or dispersion. The costs of data leakage are well documented and include not only loss of value, intellectual property and customers, but also government sanctions and fines for noncompliance with data privacy regulations. A complete deep packet capture, record and playback solution from Solera Networks ensures that the source of a data leak is quickly identified, stemming the loss of data.
With easy packet level reconstruction of all of the traffic on your network, you now have context for what happened before, during and after every security alert.
A capture appliance from Solera Networks gives all of your security tools, whether Intrusion Detection, Intrusion Prevention, or Firewalls, full context into what has happened on your network.
Intrusion Detection
"In the first two months of this year [2007], phishing attacks grew by 50% and malware attacks dramatically increased by 200%," according to a study from Cyveillance, a risk monitoring company in Arlington, Va. Company analysts reported that phishing attacks were increasing wildly during the past year, with most large financial institutions and a growing number of small- to medium-sized financial institutions targeted. (Source: "Identity Theft Driven By Dramatic Spikes in Threats", InformationWeek, March 28, 2007)
In December 2006, the average number of URLs detected with malware averaged less than 20,000 on a daily basis. By February of this year [2007], the average had grown to about 60,000 sites daily.
Over 40 percent of all businesses are suffering disruptions due to malware; over 60 percent don't have an information security strategy; and 4.2 million of 250 million websites around the world harbor malware.
Symantec recently published research showing that online security attacks are at an all-time high.
The total number of malicious programs was up 41% from 2005 to 2006. The growth of Trojans in particular jumped 46% in the same time period.
Even companies that have a state-of-the-art Intrusion Detection System (IDS) installed need to consider whether it is robust and effective without full packet capture and storage capability. Analysts believe that sometime during 2003, the development of malware moved from hobbyist hackers to the domain of organized crime with well-funded development teams in foreign countries. More resources, labor and talent are being directed at ways to penetrate and pilfer any information that can be exploited for financial gain.
If an organization is at risk, there are multiple options for protection, but one of the first steps should be installing a comprehensive network surveillance system. In today's world, "slow hacks" are becoming increasingly prevalent, and the only way to effectively identify and intercept these kinds of attacks is to have a comprehensive view of historical traffic. Only Solera Networks offers the industry's most robust network packet record and playback technology to support any intrusion detection solution for complete Root Cause Discovery (RCD). With RCD, network administrators can be assured that any intrusion, no matter how subtle, can be identified, traced, and ultimately prevented.
Solera Networks' packet capture and playback devices provide a captured packet history platform (with near instantaneous high-speed playback) for intrusion detection, analysis and prevention. As an open system, Solera Networks technology works with all standard IDS solutions for discovery, alerting, blocking, and forensics. With a complete record of network traffic, an organization can perform deep packet analysis and forensics to discover potential patterns and intrusion mechanisms. And, as a near-line capture device, intrusion detection activities do not impact network performance. Companies now have a complete view of their traffic instead of a sample. Much like a video of an event is more accurate and complete than a photograph, the Solera Networks appliance allows organizations to capture all network traffic, ensuring that a complete view of the network is always available.
Malware continues to multiply and diversify at an alarming rate. Preventative solutions, such as signature checking, are becoming more difficult because of the latency between intrusion discovery and prevention rollout. This is especially true with evolving zero-day flaws that circumvent the traditional signature-based security products.
Trojans, while once thought to be on the decline, are making a comeback, but this time as precision attacks to specific targets in low volumes to avoid detection by traffic monitors. Particularly dangerous are stealth Trojan attacks that install key-stroke or screen scraping software used for industrial espionage and targeting of consumer bank and insurance information.
Port scans are a constant threat, utilizing intrusion programs that systematically sequence through ports or flood several ports with large numbers of TCP connection requests. Other threats include "unfriendly fingering", unauthorized telnet or FTP transfers, and attempts to download password files or access restricted areas.
New intrusion attacks are multi-prong or hybrid using combinations of viruses, worms and denial-of-service to gain access to valuable information. Indeed, some malware directly targets standard open-source and commercial IDS solutions causing the IDS to exhaust resources and fail or scramble log files.
Combining all of these malware types with various processes for intrusion detection and the sheer computing power required for an effective solution becomes unwieldy. Typical in-line network intrusion detection systems fail when they reach the limit of packets that network intrusion detection sensors can accurately analyze over a given period of time. In effect, the more a network is analyzed for intrusion (i.e., increasing the number of agents and/or increasing the sophistication of the analysis), the less effective the network becomes. In other words, the higher the network traffic level and the more complex the analysis, the higher the number of misses, false positives or errors.
A shortcoming of many IDS solutions is that logging and packet histories are not recorded until an alert is triggered. As a result, much of the relevant information about the event that generated the alert is not recorded. A 100% packet capture solution eliminates this problem by providing a lossless historical record of all packet traffic on a given network segment, ensuring that all important events have been recorded and can be re-created, even if they would not have triggered an alert.
With the evolving nature of intrusion threats, no single IDS solution is adequate—at least for very long. New Internet technology, better organized and financed malware developers, and the increasingly distributed nature of most company networks practically ensure that intrusion threats will be persistent and of increasing sophistication. Thus, methods for prevention must continue to evolve in sophistication and complexity. However, the ongoing implementation of these systems must not interfere with or impact system resources for production networks.
With this evolving threat, the need for complete and accurate network packet traffic, without impacting production network performance, is critical. Whether used for real-time monitoring and prevention or as a historical repository for tracking and forensics, the need for deep packet analysis on a platform that is robust, open, and cost effective is crucial to effective and efficient intrusion detection.
Why Solera Networks?
Solera Networks' line of network forensics devices is industry-best in everything from performance to openness to versatility. As a powerful key component of any network forensics strategy, Solera Networks devices are designed from the ground up with the following features:
Speed & performance
Few capture devices actually capture ALL network traffic, including payload. Solera Networks' devices have the industry's highest line capture rates (up to 8.1Gbps with configurations available for full 10Gbps). Capture is comprehensive (entire stream), lossless, and based on Solera Networks' proprietary and patented file system.
Playback for analysis is possible at full line rate within 1 microsecond of capture. This provides the advantage of near real-time analysis without any network impact. This architecture eliminates the overhead associated with running network monitoring tools directly on the production environment. Instead of expensive server logging or added bandwidth to support traffic monitoring, traffic is replayed to a separate analysis segment for analysis by multiple tools (see diagram). And because the Solera Networks appliance supports multiple regenerated streams concurrently, businesses can now have Intrusion Detection, Network Management, and Data Leakage Protection solutions reviewing identical traffic without fear of network degradation.
Security
Solera Networks' proprietary encryption satisfies chain-of-custody evidentiary rules regarding the manner in which data is captured and stored. Solera Networks captures data and streams it to storage in a format that can't be altered. Proprietary on-disk formats mean that any attempt to edit, alter, or otherwise modify will be evident. Moreover, Solera Networks' devices can be configured to have no IP address, making them invisible to the network they reside on. Simply connect to a port and listen passively.
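The chain-of-custody property described above (any edit to stored capture data is evident) can be illustrated with a hash chain over captured records. The following is an added example and not Solera Networks' proprietary on-disk format: each stored entry commits to the SHA-256 of the entry before it, so altering, removing or reordering a record breaks every link after it. The record layout and the sample traffic summaries are constructed for the example.

```python
import hashlib
import json

# Constructed sample records standing in for captured packets: (timestamp, summary).
SAMPLE_RECORDS = [
    (1175000000.000, "192.168.0.5:51234 -> 67.137.1.10:80 TCP SYN"),
    (1175000000.004, "67.137.1.10:80 -> 192.168.0.5:51234 TCP SYN/ACK"),
    (1175000000.010, "192.168.0.5:51234 -> 67.137.1.10:80 HTTP GET /"),
]

GENESIS = "0" * 64  # stands in for the hash of the entry before the first one


def entry_hash(prev_hash, ts, summary):
    """Hash of one stored entry; it covers the entry's own fields and the previous entry's hash."""
    payload = json.dumps([prev_hash, ts, summary], separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def build_chain(records):
    """Write records to the (in-memory) store, linking each one to its predecessor."""
    chain, prev = [], GENESIS
    for ts, summary in records:
        h = entry_hash(prev, ts, summary)
        chain.append({"ts": ts, "summary": summary, "prev": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain, expected_tip=None):
    """Recompute every link from GENESIS. Returns (ok, index of the first entry that fails);
    a tip mismatch (chain shortened at the end) is reported at index len(chain)."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["prev"] != prev or entry_hash(prev, e["ts"], e["summary"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    if expected_tip is not None and prev != expected_tip:
        return False, len(chain)
    return True, -1


def tamper_demo():
    """Edit one stored record after the fact and show that verification pinpoints it."""
    chain = build_chain(SAMPLE_RECORDS)
    ok_before, _ = verify_chain(chain)
    edited = [dict(e) for e in chain]
    edited[1]["summary"] = edited[1]["summary"].replace("SYN/ACK", "RST")
    ok_after, bad_index = verify_chain(edited)
    return ok_before, ok_after, bad_index


if __name__ == "__main__":
    print(tamper_demo())  # (True, False, 1)
```

Truncation at the tail is the one edit a bare chain cannot see, which is why verify_chain takes an expected_tip: in practice the latest hash would be anchored outside the capture store (signed, or copied to a separate append-only log) so that a shortened chain is detected as well.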
Openness
Solera Networks' captured data can be made accessible to various intrusion detection systems. Captured network traffic can be exposed to external appliances and devices utilizing three primary methods: a VFS (virtual file system) exposing pcap formatted files, a virtual network interface (Ethernet) device, or a regenerated stream of packets to external network segments feeding external appliances or applications. Solera Networks also integrates with iSCSI and Fibre Channel, providing a myriad of options for external storage.
Scalable
Recording capacity is scalable for the largest of operations, with the ability to store up to 240TB of data on Solera Networks archive appliances, or limitless external storage. Additionally, Solera Networks can capture up to ten different ports, enabling consolidation or expansion of monitoring operations across multiple segments. This support includes the ability to consolidate asymmetrically routed traffic flows. And finally, Solera Networks' unique file storage and caching mechanisms provide for continuous recording with the newest data overwriting the oldest, eliminating problems of storage overflow.
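Two points on this page meet in one data structure: the Intrusion Detection section notes that alert-triggered logging never records what happened before the alert, and the paragraph above describes continuous recording in which the newest data overwrites the oldest. The following added example (not Solera Networks' code; the store, byte budget and sample traffic are constructed) models such a rolling store and shows how much pre-alert context is still available, which depends only on whether retention reaches back far enough.

```python
from collections import deque

# Constructed sample traffic, not real capture data: (timestamp in seconds, summary, bytes on the wire).
SAMPLE_TRAFFIC = [
    (100.0, "10.0.0.5 -> 10.0.0.9 DNS query", 90),
    (100.5, "10.0.0.5 -> 203.0.113.7 TCP SYN to 443", 74),
    (101.0, "10.0.0.5 -> 203.0.113.7 TLS ClientHello", 300),
    (101.2, "203.0.113.7 -> 10.0.0.5 TLS ServerHello", 1400),
    (102.0, "10.0.0.5 -> 203.0.113.7 TLS data", 1200),
    (102.4, "10.0.0.5 -> 203.0.113.7 TLS data", 1200),  # suppose the IDS alerts on this packet
    (103.0, "203.0.113.7 -> 10.0.0.5 TLS data", 800),
    (104.0, "10.0.0.5 -> 10.0.0.9 DNS query", 90),
]


class RollingCapture:
    """Bounded, continuously recording packet store: once the byte budget is reached,
    the newest record evicts the oldest."""

    def __init__(self, capacity_bytes):
        self.capacity = capacity_bytes
        self.used = 0
        self.dropped = 0
        self.records = deque()  # (ts, summary, size) in arrival order

    def record(self, ts, summary, size):
        self.records.append((ts, summary, size))
        self.used += size
        # Evict from the head until the budget fits again; always keep the record just written.
        while self.used > self.capacity and len(self.records) > 1:
            _, _, old_size = self.records.popleft()
            self.used -= old_size
            self.dropped += 1

    def oldest_ts(self):
        return self.records[0][0] if self.records else None

    def retention_seconds(self):
        """How far back the store currently reaches (newest timestamp minus oldest)."""
        return self.records[-1][0] - self.records[0][0] if self.records else 0.0

    def covers(self, ts):
        """True if history at time ts is still retained (has not been overwritten)."""
        return self.oldest_ts() is not None and self.oldest_ts() <= ts

    def window(self, centre_ts, before, after):
        """Every retained record within [centre_ts - before, centre_ts + after]."""
        lo, hi = centre_ts - before, centre_ts + after
        return [r for r in self.records if lo <= r[0] <= hi]


def context_for_alert(cap, alert_ts, before=2.0, after=1.0):
    """Packets around an alert. The 'before' half is exactly what an alert-triggered logger
    never recorded; 'complete' says whether the store still reached back that far."""
    return {"complete": cap.covers(alert_ts - before),
            "packets": cap.window(alert_ts, before, after)}


def demo(capacity_bytes):
    cap = RollingCapture(capacity_bytes)
    for ts, summary, size in SAMPLE_TRAFFIC:
        cap.record(ts, summary, size)
    return cap, context_for_alert(cap, alert_ts=102.4)


if __name__ == "__main__":
    for capacity in (10_000, 3_000):
        cap, ctx = demo(capacity)
        print(capacity, "bytes:", len(ctx["packets"]), "packets, pre-alert context complete:", ctx["complete"])
```

With a 10,000-byte budget the whole handshake preceding the alert is still retained; with 3,000 bytes the store has already rolled past it and only the alert packet and what followed remain, so the sizing question for such a store is always "capacity divided by traffic rate must exceed the lookback you need".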
Multiple options to fit any size organization
Simple
Simply plug in and turn on. Solera Networks devices connect to your network via copper or SX fiber cables using either a SPAN (switched port analyzer – port mirror) port or a network TAP. A built-in web-based interface guides you through setup with capture/playback filters and allows you to specify time periods and session filters based on filtering or monitoring policies.
Versatile
Network security is only one area where Solera Networks solutions have been effectively implemented. With full capture and playback capabilities combined with other market offerings, Solera Networks can provide a comprehensive historical engine for network management, lawful intercept, and forensics and analysis. In addition to detecting and preventing intrusions, Solera Networks solutions can be used for reconstructing communications (browser sessions, VoIP phone calls, instant messages or email) and determining sources of high bandwidth use or erratic activity.
How it works
Solera Networks solutions are comprehensive network forensics devices. In short, they record all traffic on a network and make it available for near-immediate playback. It's like a digital video recorder (DVR) or TiVo™ for a network, but instead of being limited to recording one or two channels it can record all 500 channels simultaneously. All channels are available for playback, or just a few (e.g., only email between two target points, only VoIP sessions, or any combination of protocols).
As a platform for network security, Solera Networks devices store a complete dynamic model of your network traffic with slow or fast play that works with all standard intrusion detection solutions allowing you to scour single packets or packet streams for anomalies or known malicious code. The following are examples of intrusion detection solutions:
Snort is free, open-source intrusion detection software that integrates easily with Solera Networks devices. Snort features include protocol analysis, content searching/matching and can be used to detect anomalies such as CGI attacks, SMB probes, buffer overflows, stealth port scans, OS fingerprinting and more. Snort's architecture accommodates plugins and includes a flexible rules language.
Available from Network General, Sniffer Portable software provides the ability to track and analyze application protocols such as Oracle, Sybase and Microsoft SQL Server databases, common email applications and SAP R/3.
Other proprietary and open-source applications: hundreds of open-source tools are available, such as OSSEC HIDS, Fragroute, BASE and Sguil.
Using Solera Networks devices, packet information can be filtered by VLAN, TCP/IP version (IPv4 or IPv6), MAC address, protocol or port (e.g., HTTP or SMTP), IP address, or IP network or subnet (e.g., 67.137.0.0/16, 192.168.0. or 192.168.0.1). Data can be further narrowed by time range.
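The filter dimensions listed above correspond to fields in the captured packets themselves. The following added example is mine, not Solera Networks' code, and the appliance's own filter syntax is not on this page: it parses a small pcap file built inline (the Openness section names pcap as one export format), decodes Ethernet, 802.1Q, IPv4 and the TCP/UDP port pair, and then selects packets by VLAN, port, IP network in the three notations the text gives (CIDR, dotted prefix, single host) and time range. The addresses, ports and timestamps are constructed sample data; IPv6 and MAC matching are left out for brevity.

```python
import struct
import ipaddress

ETH_P_IP = 0x0800
ETH_P_8021Q = 0x8100
PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap, microsecond timestamps, written little-endian here


def _ipv4_tcp_frame(src, dst, sport, dport, vlan=None, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame for the sample file (checksums left zero;
    the frame is only parsed, never transmitted)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # dst MAC, src MAC
    tag = b"" if vlan is None else struct.pack("!HH", ETH_P_8021Q, vlan)  # optional 802.1Q header
    return eth + tag + struct.pack("!H", ETH_P_IP) + ip + tcp + payload


def _pcap(frames):
    """Wrap (timestamp, frame) pairs in a pcap file: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, fr in frames:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(fr), len(fr)) + fr
    return out


# Constructed sample capture (two of the four packets are on VLAN 20); addresses follow the page's examples.
SAMPLE_PCAP = _pcap([
    (1175000000.10, _ipv4_tcp_frame("192.168.0.1", "67.137.1.10", 51000, 80)),
    (1175000000.20, _ipv4_tcp_frame("192.168.0.9", "10.0.0.7", 51001, 25, vlan=20)),
    (1175000000.30, _ipv4_tcp_frame("10.0.0.7", "192.168.0.9", 25, 51001, vlan=20)),
    (1175000001.50, _ipv4_tcp_frame("172.16.5.5", "67.137.200.1", 51002, 443)),
])


def parse_frame(ts, frame):
    """Decode Ethernet, an optional 802.1Q tag, IPv4 and the TCP/UDP port pair into a flat record."""
    rec = {"ts": ts, "dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
           "vlan": None, "ip_version": None}
    (etype,) = struct.unpack_from("!H", frame, 12)
    off = 14
    if etype == ETH_P_8021Q:
        tci, etype = struct.unpack_from("!HH", frame, 14)
        rec["vlan"], off = tci & 0x0FFF, 18
    if etype != ETH_P_IP:
        return rec  # IPv6 and non-IP frames are left undecoded in this example
    ihl = (frame[off] & 0x0F) * 4
    rec.update(ip_version=4, proto=frame[off + 9],
               src=ipaddress.IPv4Address(frame[off + 12:off + 16]),
               dst=ipaddress.IPv4Address(frame[off + 16:off + 20]))
    if rec["proto"] in (6, 17):  # TCP or UDP: ports are the first two fields of the transport header
        rec["sport"], rec["dport"] = struct.unpack_from("!HH", frame, off + ihl)
    return rec


def parse_pcap(data):
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled in this example")
    off, packets = 24, []
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        packets.append(parse_frame(sec + usec / 1e6, data[off:off + incl_len]))
        off += incl_len
    return packets


def _to_network(spec):
    """Accept CIDR ('67.137.0.0/16'), a host ('192.168.0.1') or a dotted prefix ('192.168.0.')."""
    if spec.endswith("."):
        octets = spec.rstrip(".").split(".")
        spec = ".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets))
    return ipaddress.ip_network(spec, strict=False)


def select(packets, vlan=None, port=None, network=None, start=None, end=None):
    """Keep packets matching every criterion given. Port and network match in either direction."""
    net = _to_network(network) if network else None
    kept = []
    for p in packets:
        if vlan is not None and p["vlan"] != vlan:
            continue
        if port is not None and port not in (p.get("sport"), p.get("dport")):
            continue
        if net is not None and not any(a in net for a in (p.get("src"), p.get("dst")) if a is not None):
            continue
        if (start is not None and p["ts"] < start) or (end is not None and p["ts"] > end):
            continue
        kept.append(p)
    return kept


if __name__ == "__main__":
    for p in select(parse_pcap(SAMPLE_PCAP), network="192.168.0.", port=25):
        print(p["ts"], p["vlan"], p["src"], p["sport"], "->", p["dst"], p["dport"])
```

Criteria combine with AND, so a query such as network="192.168.0." with port=25 returns only the SMTP exchange of the 192.168.0.x host; pass only start and end to pull everything the store holds for an incident window before handing it to an IDS or analyzer.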
A sample implementation for intrusion detection using Solera Networks' DS appliances would have the following architecture:
Benefits of a Solera Networks-enabled intrusion detection solution
Full information surrounding security incidents is critical to completely documenting when breaches occurred, methods of penetration, and in discovering and preventing similar activities. Having a complete record of all network activity provides the ability to trace communications as well as dive deep for malware signatures and behavior patterns. Good evidence provides proof as well as streamlines prevention and remediation tasks.
Intrusive offenses cost organizations money. Not only can companies lose productivity, customers, and revenue, but reputations and years of goodwill are put at risk. Network downtime disables employees and can frustrate or hinder customers and partners from carrying out basic business activities. In addition, intrusions that lead to leakage of sensitive, personal or financial information can easily violate government security policies or regulatory compliance, exposing your organization to sanctions or fines.
Solera Networks solutions help deter intrusions in two ways. First, knowledge that a comprehensive network monitoring solution is in place, whether it is internal, at the firewall or located throughout the Internet at various ISPs, is a form of deterrence. The ability to capture and save all traffic for further in-depth and exhaustive analysis provides an "all-seeing" window onto perpetrators' activities and methods. Second, with all intrusion analysis being performed on a replica of network activity, accountability is increased because hypotheses can be proved and illegal activities pinpointed without any indication that monitoring has taken place. Intrusion activities can be observed and positively identified before perpetrators are aware, making the risk of engaging in such activities much greater than it would be otherwise.
Conclusion
In summary, Solera Networks' scalable packet capture and playback devices, combined with one or more of the industry's intrusion detection software solutions, provide the best foundation possible for vigorous intrusion prevention. Deep packet capture capabilities on the industry's most powerful, scalable and secure platform will enhance any intrusion detection/prevention system.
Contact
For more information on how you can rapidly implement an intrusion detection solution using Solera Networks products, please visit our website at www.SoleraNetworks.com or call us at 801-623-5705.