EXCLUSIVE: Arbor Networks Peakflow X 3.7

By Dave Mitchell,
Rating: 
Price as reviewed: £20000 and up, exc VAT
In the rush to secure the network against external threats it's all too easy to forget that in most businesses the major security breaches come from the inside. Frequent reports highlight this as one of the biggest security issues now facing enterprises, and Arbor Networks' Peakflow X aims to provide that all-essential internal protection.
Classed as a network behaviour analysis solution, Peakflow X is designed to work alongside point solutions such as firewalls, IDS, IPS and anti-virus products. It uses a three-pronged approach to deliver proactive defenses against worms, protection against internal misuse of business resources and the ability to harden networks using features such as access control lists (ACLs). It's implemented as a rack mount appliance solution comprising a Controller and multiple Collectors. The Controller is located at the core of the network and gathers information passed to it by the Collectors which can be placed on the network wherever required.
The appliances are then left for a few days or weeks to monitor the network and gradually build up a picture of all hosts, how they interact with each other and general traffic flows. Peakflow X is designed primarily to work with Cisco, Juniper, Foundry and Extreme switches and routers, as it supports NetFlow, cflowd and sFlow, but it can use standard packet capture and analysis on networks with different infrastructures.
Administrative access to the Controllers is via HTTPS and you'll be greeted by a well-designed interface. Previous versions were not at all intuitive, making them difficult to navigate, but we found the latest interface much easier to get to grips with. Installation is very simple and you start by defining the address ranges of the internal networks to be monitored. Once Peakflow X has a clear idea of how the network functions normally it can then watch out for anomalous behaviour. The Controller maintains databases containing 'white-lists' of acceptable traffic and captures connection details, allowing it to record sessions, or flows, between hosts.
In practice this is a simple yet very powerful solution, as the appliance can easily identify dubious traffic and sessions which don't match conventional behaviour. Peakflow X records this information and can, if required, automatically generate new ACLs and rules to block this suspect traffic. However, Peakflow X can also act in a passive manner, as many enterprise change management teams will not want a hardware appliance merrily implementing new access rules without their knowledge.
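The white-list approach described above, reduced to a minimal sketch (an added example, not Arbor's code or algorithm): flows seen repeatedly during a learning window form the baseline, later internal flows outside it are flagged, and candidate deny rules are rendered for review rather than applied, as in passive mode. The address range, threshold, sample flows and function names are all constructed for illustration; the rule text follows Cisco IOS extended ACL syntax.

```python
# Added illustration: simplified flow white-list baselining, not Arbor's algorithm.
from collections import Counter
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/16")]   # constructed monitored range
MIN_SEEN = 2                             # assumed threshold for "normal" traffic

def key(flow):
    """Reduce a flow record to (src, dst, proto, dport); source ports are ephemeral."""
    return (flow["src"], flow["dst"], flow["proto"], flow["dport"])

def learn(flows):
    """Build the white-list from flows seen at least MIN_SEEN times while learning."""
    counts = Counter(key(f) for f in flows)
    return {k for k, n in counts.items() if n >= MIN_SEEN}

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL)

def detect(flows, whitelist):
    """Return de-duplicated internal-source flows that are absent from the white-list."""
    seen, out = set(), []
    for f in flows:
        k = key(f)
        if is_internal(f["src"]) and k not in whitelist and k not in seen:
            seen.add(k)
            out.append(k)
    return out

def propose_acl(anomalies, acl_id=101):
    """Render candidate deny rules for human review; nothing is pushed to a device."""
    return [f"access-list {acl_id} deny {p} host {s} host {d} eq {port}"
            for s, d, p, port in anomalies]

def flow(src, dst, proto, dport):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}

# Constructed sample data: a learning window, then live traffic.
LEARNING = ([flow("10.0.1.20", "10.0.0.5", "tcp", 443)] * 3
            + [flow("10.0.1.21", "10.0.0.9", "tcp", 25)] * 2
            + [flow("10.0.1.22", "10.0.0.5", "tcp", 22)])   # seen once: not baselined
LIVE = [flow("10.0.1.20", "10.0.0.5", "tcp", 443),
        flow("10.0.1.20", "10.0.1.21", "tcp", 445),
        flow("10.0.1.20", "10.0.1.21", "tcp", 445),
        flow("10.0.1.22", "10.0.0.5", "tcp", 22)]

if __name__ == "__main__":
    for line in propose_acl(detect(LIVE, learn(LEARNING))):
        print("PROPOSED (not applied):", line)
```

The SSH flow seen only once during learning is flagged alongside the new SMB flow, which shows why the length of the learning window and the threshold drive the false-positive rate, and why proposed rules are worth reviewing before they reach a router.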
Peakflow X now has a few more strings to its bow as it also focuses heavily on botnets. These are now more prevalent as they can generate income by allowing operators to extract information from compromised systems and sell it on. The appliances can identify traffic such as that going to botnet command and control servers and track known IP addresses of these servers. This approach allows it to work equally well with phishing, as Peakflow X uses known IP addresses of phishing sites and will alert administrators if this traffic has been spotted. Arbor itself gathers information about these threats and downloads this information regularly to the Controller appliance.
The Dashboard provides a rundown on the top security threats along with live traffic graphs showing the traffic being generated by each identified security breach. Further down is a list of compromised systems where each one is given a weighted score to indicate the severity of the breach. A key feature of the Dashboard is it provides quick access to all features of Peakflow X from a single screen.
Arbor's ATLAS (active threat level analysis system) occupies the right-hand side of the Dashboard and is the result of agreements between Arbor and around 70 per cent of the world's ISPs where it uses its Peakflow SP products to provide visibility into more than three-quarters of global Internet traffic. This information is also freely available at http://atlas.arbor.net and provides global threat statistics and shows which countries they are originating from - the country descriptions have been provided by the CIA and make for interesting reading.
The behaviour of the Peakflow X systems is determined by policies containing multiple rules. System rules detect host and port scans along with flood attacks, whilst ATF (active threat feed) rules use fingerprints to detect threats such as known malware, worms, botnet traffic, P2P protocols and web mail. User-defined rules allow you to define traffic that you specifically want to watch. Peakflow X can also integrate with Active Directory and Novell's eDirectory, allowing it to track users based on their login credentials.
Each rule is accompanied by a graph of traffic activity, a table showing the clients generating this traffic and audit trail updates. The More button alongside each rule explains what the traffic is, how Arbor detects it and how to create rules to block it. Rules can be used to send out alerts and these can be via email, SNMP trap or syslog entry. The Risk Index tab shows which hosts are causing the most problems and you can click on their IP address and see why the associated host has received this score, the alerts that have been activated by it and how the score has been calculated.
The Network section is a brand new feature which provides traffic graphs for the entire internal network plus details of the top interfaces on routers and switches. Selecting an interface shows more information on the hosts along with all related protocols and services. As you'd expect, reporting is extensive and Arbor provides a raft of predefined base reports that can be modified with filters. A handy Smart bar at the top of the interface provides options for exporting the report into PDF or CSV formats, emailing it or printing it and a scheduler is provided for running selected reports regularly.
Peakflow X is simple enough to deploy and configure and this latest version delivers even more essential network and security monitoring facilities. There are still a few minor rough edges but we did like the new web interface as despite the huge amount of information Peakflow X can generate it manages to make it very accessible allowing you to see at a glance where your biggest security problems are.