Back to Page 1: RSA: Securing the Network

Fortinet: Behavioral Baselining to Backstop Firewall Rules

Over at Fortinet's booth, we met with VP Patrick Bedwell and Senior Security Strategist Derek Manky to discuss FortiOS 4.0 MR3 enhancements. This OS powers FortiGate network security appliances; this quarter's release adds active profiling, flow-based inspection, and a firewall-embedded WLAN controller.

Flow-based inspection gives Fortinet customers a middle-ground between stateful packet inspection speed and application proxy depth. For example, a customer looking to enforce DLP rules will be able to spot patterns in egress packet flows, without having to run affected apps through proxies. This alternative improves performance, said Manky, by using less memory and leveraging hardware acceleration.

Better yet, customers will now more easily detect deviations from baselined behavior, because 4.0 will automatically profile traffic. By proactively documenting normal connectivity, bandwidth, and app/web usage, appliances can establish the context needed to spot sudden changes. "For example, we'll be able to see an authorized user doing an authorized thing, but from an unusual endpoint location," said Manky. This might block botnet C&C communication that otherwise slips through open ports.
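To make the profiling idea concrete, here is an added example (not FortiOS or Fortinet code) of the two phases such a feature implies: learn each user's normal endpoint locations, applications and egress volume from a window of connection records, then score new connections against that profile and report how each one deviates. Every user, location label and record below is constructed; the assumption is that the firewall already has the authenticated user name for each session.

```python
"""Behavioral baselining sketch (added example, not FortiOS code).

Phase 1 profiles each user's normal endpoint locations, applications and
egress volume from a training window of connection records. Phase 2 scores
new records against that profile and reports how each one deviates, e.g. an
authorized user doing an authorized thing from an unusual endpoint location.
All records, users and location labels below are constructed.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    user: str        # authenticated user (assumed: firewall has identity context)
    location: str    # endpoint location label (constructed)
    app: str         # application label the firewall identified (constructed)
    bytes_out: int   # egress bytes for the session


# Constructed learning window: what the appliance would record as "normal".
BASELINE_WINDOW = [
    Conn("alice", "office-hq", "email", 120_000),
    Conn("alice", "office-hq", "crm", 400_000),
    Conn("alice", "vpn-us", "email", 90_000),
    Conn("alice", "office-hq", "email", 150_000),
    Conn("bob", "office-hq", "git", 2_000_000),
    Conn("bob", "office-hq", "git", 1_800_000),
    Conn("bob", "office-hq", "email", 100_000),
]


class Baseline:
    """Per-user profile built from a window of observed connections."""

    def __init__(self, window):
        self.locations = defaultdict(set)
        self.apps = defaultdict(set)
        self.egress = defaultdict(list)
        for c in window:
            self.locations[c.user].add(c.location)
            self.apps[c.user].add(c.app)
            self.egress[c.user].append(c.bytes_out)

    def deviations(self, c):
        """List the ways a new connection departs from the user's profile."""
        if c.user not in self.locations:
            return ["user-not-profiled"]
        reasons = []
        if c.location not in self.locations[c.user]:
            reasons.append("unusual-location")
        if c.app not in self.apps[c.user]:
            reasons.append("unusual-app")
        seen = self.egress[c.user]
        # Volume threshold: mean + 3 sigma, floored at twice the largest
        # session seen so a short training window does not over-alert.
        threshold = max(statistics.fmean(seen) + 3 * statistics.pstdev(seen),
                        2 * max(seen))
        if c.bytes_out > threshold:
            reasons.append("egress-volume")
        return reasons


def score(window, new_conns):
    """Return deviation lists for each new connection, in input order."""
    baseline = Baseline(window)
    return [baseline.deviations(c) for c in new_conns]


if __name__ == "__main__":
    probes = [
        Conn("alice", "cafe-wifi", "email", 100_000),   # usual app, unusual place
        Conn("alice", "office-hq", "crm", 5_000_000),   # usual place, huge upload
        Conn("bob", "office-hq", "git", 1_900_000),     # within profile
    ]
    for probe, why in zip(probes, score(BASELINE_WINDOW, probes)):
        print(probe.user, probe.location, probe.app, why or "ok")
```

The point of returning a list of reasons rather than a yes/no verdict is that the same context that lets an appliance spot the "authorized user, unusual location" case also explains the alert to whoever has to act on it; a bare anomaly score does not.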

Stonesoft: Battling Advanced Evasion Techniques

Behavioral analysis and IPS are tricky technologies, constantly striving to balance not just performance, but false positives versus false negatives. To that end, Stonesoft chose RSA to announce it had discovered 124 Advanced Evasion Techniques (AETs). According to Product Marketing Director Matt McKinley, Stonesoft supplied AET packet captures to the Computer Emergency Response Team (CERT-FI), which is responsible for the global vulnerability coordination effort.

"Most network IPSes are pretty good at spotting single evasions, but we found that, if you mix multiple evasion techniques in the same packet, they get confused. We've tested all IPS products in Gartner's Magic Quadrant, and all are vulnerable to these Advanced Evasion Techniques," said McKinley. The deficiency appears to be in how security products attempt to normalize traffic for signature comparison and behavioral analysis.

"Some cases at least generated log entries [corresponding to AET receipt]. But others just got confused and let packets or fragments right through," he said. Affected vendors are still working on responses, but Stonesoft does not believe new signatures can defeat these AETs. "This really needs to be addressed by improvements in normalization. Particularly when deployed at the perimeter, maybe IPS needs to take a performance hit to optimize normalization," argued McKinley.
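McKinley's argument that the fix lies in normalization rather than in new signatures can be illustrated with an added example (not Stonesoft's or any vendor's code). Two matchers are run over the same constructed byte stream, which arrives out of order and with overlapping segments: a naive matcher that inspects each segment as it arrives never sees a pattern that spans segment boundaries, while a normalizing matcher reassembles the stream first, records any overlap whose bytes disagree with what it already holds, and only then compares against the signature. The segment format, the signature and the stream contents are all constructed for the example.

```python
"""Normalize before matching (added example, not Stonesoft or any vendor's code).

Two signature matchers are run over the same constructed byte stream, which
arrives out of order and with overlapping segments. The naive matcher
inspects each segment as it arrives and so never sees the pattern that
spans segment boundaries. The normalizing matcher first reassembles the
stream under a fixed overlap policy (first-received byte wins), flags any
overlap whose bytes disagree with what was already seen, and only then
matches. The segment format and signature are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    offset: int   # byte offset of this segment within the stream
    data: bytes


SIGNATURE = b"EVIL-PATTERN"   # constructed signature, stands in for an IPS rule

# Constructed arrival order: tail first, then head, then an overlapping
# middle piece. No single segment contains the full signature.
STREAM = [
    Segment(23, b"TTERN HTTP/1.1"),
    Segment(0, b"GET /index.html EVIL-PA"),
    Segment(16, b"EVIL-PATT"),
]


def naive_match(segments, signature=SIGNATURE):
    """Per-segment inspection, as a matcher without reassembly would do it."""
    return any(signature in s.data for s in segments)


def normalize(segments):
    """Reassemble a contiguous stream.

    Returns (payload, conflicts). Overlap policy: the first-received copy of
    a byte wins; positions where a later segment disagrees are recorded in
    `conflicts`, which a defender should treat as a signal in its own right
    rather than silently picking one interpretation. A gap raises, meaning
    the stream must be held until the missing bytes arrive (or time out).
    """
    stream, conflicts = {}, []
    for s in segments:
        for i, b in enumerate(s.data):
            pos = s.offset + i
            if pos in stream:
                if stream[pos] != b:
                    conflicts.append(pos)
            else:
                stream[pos] = b
    if not stream:
        return b"", conflicts
    length = max(stream) + 1
    if len(stream) != length:
        raise ValueError("gap in stream; hold for reassembly")
    return bytes(stream[p] for p in range(length)), conflicts


def normalized_match(segments, signature=SIGNATURE):
    """Match only after normalization; also surface inconsistent overlaps."""
    payload, conflicts = normalize(segments)
    return signature in payload, conflicts


if __name__ == "__main__":
    print("naive      :", naive_match(STREAM))
    print("normalized :", normalized_match(STREAM))
```

The performance hit McKinley mentions is visible here: the normalizer must buffer the whole stream and hold it when bytes are missing, whereas the naive matcher can forward each segment immediately. The conflict list is the more interesting output for a defender, since inconsistent overlaps are something a well-behaved sender never produces and are worth logging regardless of whether a signature fires.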

Ixia: Assessing Network and Cloud Vulnerabilities

Researchers that discover new vulnerabilities need powerful security test tools. While at RSA, we visited with IP network test system vendor Ixia to hear about their foray into very-large-scale network and cloud service vulnerability assessment.

Dubbed IxLoad-Attack, Ixia's newest product builds on roughly 6000 published vulnerabilities to generate malicious traffic at very high volumes to exploit security flaws. According to Senior Marketing Evangelist Dave Schneider, IxLoad-Attack uses stateful emulation to simulate not just individual exploits, but city-scale DDoS attacks, helping network equipment manufacturers and security product vendors to harden their wares.

However, traffic that enters or exits any cloud infrastructure – be that a large data center or a carrier's network – is increasingly encapsulated by secure tunnels. For example, IPsec is used extensively throughout 3G and LTE carrier networks; to harden such offerings, they must be subjected to simulated attacks in large numbers. To do so, IxLoad-Attack can be paired with IxLoad-IPsec, wrapping generated traffic inside IPsec or SSL/TLS wrappers as appropriate for a given test case. "Equipment manufacturers, service providers, and enterprises all need to test their solutions continuously to verify their security mechanisms are keeping pace with threats," said Schneider.

Lancope: Expanding Network Flow Visibility

Finally, we capped our RSA briefings by sitting down with Lancope Product Manager Joe Yeager to chat about StealthWatch 6.0. Lancope initially carved out a name in the Network Behavior Analysis (NBA) market, but has since broadened into network performance monitoring through extensive use of NetFlow.

StealthWatch is a product suite that collects and analyzes flow data supplied by NetFlow- and sFlow-enabled network elements (e.g., routers, switches). From a security perspective, flow data can be used for forensic analysis, anomaly detection, or compliance auditing. Release 6.0 adds geographic awareness, identity awareness, and layer 7 awareness to flow-based behavioral analytics.

"Consumerization changes what you need to monitor for," said Yeager. "Today, you need to visualize what's happening inside your network, not just at the perimeter. [With 6.0], we can use relational flow maps to visualize data flows and relationships between sources and destinations – including application-specific buckets that drill down to see what composes a flow in real-time. For identity awareness, we can watch login/logoff traffic to map flows to Active Directory user names." In short, these enhancements pull NetFlow up a notch, helping to answer those "who" and "what" questions that so often lie behind a security incident or unexpected bandwidth spike.
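The identity and application awareness Yeager describes comes down to a join: each flow record carries a source IP and a time, and login/logoff events say who held that IP when. The added example below (not StealthWatch or Lancope code) performs that join over constructed NetFlow-style records and constructed session events, then rolls the attributed flows into a relational flow map keyed by user, destination and application so that a bandwidth spike can be answered with a "who" and a "what". The IP addresses, the port-to-application labels (which a real layer 7 engine would supply) and the timestamps are all constructed.

```python
"""Identity-aware flow attribution (added example, not StealthWatch code).

Constructed NetFlow-style records are joined with constructed login/logoff
events so that each flow is attributed to the user who held the source IP
at that moment, then rolled into a relational flow map keyed by
(user, destination, application) to answer the "who" and "what" behind a
bandwidth spike. IPs, port-to-app labels and times are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start time (constructed counter, seconds)
    src: str
    dst: str
    dport: int
    nbytes: int


@dataclass(frozen=True)
class Session:
    user: str
    ip: str
    start: int
    end: Optional[int]   # None = logoff not yet seen


# Constructed port-to-application labels (a layer-7 engine would supply these).
APP_BY_PORT = {443: "https", 445: "smb", 3389: "rdp"}

# Constructed login/logoff events: 10.0.0.5 is reused by two users in turn,
# which is exactly the case an IP-only view gets wrong.
SESSIONS = [
    Session("alice", "10.0.0.5", 100, 500),
    Session("bob", "10.0.0.5", 600, None),
]

# Constructed flow records.
FLOWS = [
    Flow(200, "10.0.0.5", "203.0.113.9", 443, 50_000),
    Flow(300, "10.0.0.7", "203.0.113.9", 443, 1_000),
    Flow(650, "10.0.0.5", "10.0.0.20", 445, 8_000_000),
]


def user_at(sessions, ip, ts):
    """Return who was logged in from `ip` at time `ts`, or 'unknown'."""
    for s in sessions:
        if s.ip == ip and s.start <= ts and (s.end is None or ts < s.end):
            return s.user
    return "unknown"


def attribute(flows, sessions):
    """Pair each flow with the user name responsible for its source IP."""
    return [(user_at(sessions, f.src, f.ts), f) for f in flows]


def flow_map(attributed):
    """Relational flow map: bytes per (user, destination, application)."""
    buckets = defaultdict(int)
    for user, f in attributed:
        app = APP_BY_PORT.get(f.dport, f"tcp/{f.dport}")
        buckets[(user, f.dst, app)] += f.nbytes
    return dict(buckets)


def top_talkers(attributed, n=1):
    """Users ranked by total bytes, for the 'who' behind a bandwidth spike."""
    totals = defaultdict(int)
    for user, f in attributed:
        totals[user] += f.nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    attributed = attribute(FLOWS, SESSIONS)
    for key, nbytes in flow_map(attributed).items():
        print(key, nbytes)
    print("top talker:", top_talkers(attributed))
```

The half-open session interval (start inclusive, end exclusive) and the explicit "unknown" bucket matter in practice: a flow from an address with no matching login is not evidence of a user, and silently assigning it to the last known occupant of that IP is how an investigation ends up at the wrong desk.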

Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 29-year industry veteran, Lisa enjoys helping companies large and small to assess, mitigate, and prevent Internet security threats through sound policies, effective technologies, best practices, and user education.

