More than one in four U.S. financial institutions will purchase a network behavioral analysis system this year, according to Gartner. We think that's a believable projection--after all, in this post-TJX world, what you don't know about that's accessing your network can get you fired.
We put Mazu Networks' Profiler to the test in our Boston Real-World Partner Labs and were impressed with its ability to alert on suspicious traffic, though we would've liked more reporting on latency, and the GUI could use polish.
The magic behind NBA products, including Profiler, is the network flow technology found in switches and routers. Cisco helped pioneer the concept with its NetFlow packet flow analysis, based on the IPFIX open standard. NetFlow records provide information that can be used to manage availability and performance and to troubleshoot problems. Extreme Networks, Foundry Networks, and others use a similar open standard, SFlow, that differs from NetFlow primarily in the way data is collected. This Layer 3 network analysis is great for a general bird's-eye view of how your network is being used, but what about security? Today, clever worms and peer-to-peer applications can hop ports, even tunnel inside traffic deemed legitimate. To beat them at their own game, you can use port and/or VLAN mirroring to send a copy of the entire packet to an NBA system like the Mazu Profiler for analysis. This way, the unique characteristics of worms and P2P apps can be detected through deep inspection. The Profiler we tested can accept mirrored traffic at full interface speed via its dual Gigabit Ethernet interfaces. However, the remote office sensor sent for review was capped at a 45 Mbps sample rate--fine for flow analysis, but not fast enough for deep packet inspection.
TAKE A GOOD LISTEN
We placed the core Profiler collector appliance in a live production network comprising 30 edge switches and a core Layer 3 switch, all from Extreme. Before going live with our testing, we took advantage of Profiler's ability to import, in bulk, the management IP addresses of all switches and routers in our infrastructure. At the same time, we added all of the subnets on our internal network so Profiler could determine which address spaces exist inside and outside the core. Last, and most important, we let Profiler listen in on network activity for a couple of weeks to establish a baseline of normal behavior. Once the appliance has a general picture, we could turn up the device's heuristical analysis capabilities to get alerts on suspicious events.