EXCLUSIVE: Arbor Networks Peakflow X 3.7

In the rush to secure the network against external threats it's all too easy to forget that in most businesses the major security breaches come from the inside. Frequent reports highlight this as one of the biggest security issues now facing enterprises and Arbor Networks Peakflow X Networks aims to provide that all essential internal protection.

Classed as a network behaviour analysis solution, Peakflow X is designed to work alongside point solutions such as firewalls, IDS, IPS and anti-virus products. It uses a three-pronged approach to deliver proactive defenses against worms, protection against internal misuse of business resources and the ability to harden networks using features such as access control lists (ACLs). It's implemented as a rack mount appliance solution comprising a Controller and multiple Collectors. The Controller is located at the core of the network and gathers information passed to it by the Collectors which can be placed on the network wherever required.

The appliances are then left for a few days or weeks to monitor the network and gradually build up a picture of all hosts, how they interact with each other and general traffic flows. Peakflow X is designed primarily to work with Cisco, Juniper, Foundry and Extreme switches and routers as it supports NetFlow, cflowd and sflow but it can use standard packet capture and analysis on networks with different infrastructures.

Administrative access to the Controllers is via HTTPS and you'll be greeted by a well designed interface. Previous versions were not at all intuitive making them difficult to navigate but we found the latest interface much easier to get to grips with. Installation is very simple and you start by defining the address ranges of the internal networks to be monitored. Once Peakflow X has a clear idea of how the network functions normally it can then watch out for anomalous behaviour. The Controller maintains databases containing 'white-lists' of acceptable traffic and captures connection details allowing it to records sessions, or flows, between hosts.

In practice this is a simple yet very powerful solution as the appliance can easily identify dubious traffic and sessions which don't match conventional behaviour. Peakflow X records this information and can, if required, automatically generate new ACLs and rules to block this suspect traffic. However, PeakFlow X can act in a passive manner as many enterprise change management teams will not want a hardware appliance merrily implementing new access rules without their knowledge.

Peakflow X now has a few more strings to its bow as it also focuses heavily on botnets. These are now more prevalent as they can generate income by allowing operators to extract information from compromised systems and sell it on. The appliances can identify traffic such as that going to botnet command and control servers and tracks known IP addresses of these servers. This approach allows it to be work equally well with phishing as Peakflow X uses known IP addresses of phishing sites and will alert administrators if this traffic has been spotted. Arbor itself gathers information about these threats and downloads this information regularly to the Controller appliance.

The Dashboard provides a rundown on the top security threats along with live traffic graphs showing the traffic being generated by each identified security breach. Further down is a list of compromised systems where each one is given a weighted score to indicate the severity of the breach. A key feature of the Dashboard is it provides quick access to all features of Peakflow X from a single screen.