Network Computing is part of the Informa Tech Division of Informa PLC


Rolling Review Kickoff: The Other NBA: Page 2 of 2

PLAYER FUNDAMENTALS
For NBA products to work their magic, they need access to network traffic, either through flow data collection or via direct packet capture. Network flow data is best described as metadata about a unidirectional sequence of packets that share the same source and destination addresses, ports and protocol: time stamps for the start and finish of the flow, the number of bytes and packets in it, source and destination IP addresses and ports, the IP protocol number and type-of-service bits, and, for TCP, the cumulative set of TCP flags seen. Flow records carry no payload, which keeps them compact but limits what can be inferred from them. There are several formats; the three mainstream implementations, NetFlow, sFlow and IPFIX (the IETF standard derived from Cisco's NetFlow version 9), are all supported by the leading NBA vendors. One caveat: sFlow is built on packet sampling rather than per-flow accounting, and NetFlow can be configured to sample as well, so byte and packet counts from a sampled source are statistical estimates rather than exact tallies.
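To make the flow-record description concrete, here is an added example (not code from the article or from any of the vendors it names) that decodes a NetFlow v5 export datagram into per-flow records. NetFlow v5 is Cisco's fixed-layout version: a 24-byte header followed by up to 30 48-byte records, all big-endian. The datagram it parses is constructed inline so the script runs offline; the addresses, ports and timestamps in it are made up.

```python
import socket
import struct
from typing import Any, Dict, List

# NetFlow v5 layout (Cisco's published fixed format), big-endian throughout.
HEADER_FMT = "!HHIIIIBBH"          # version, count, sys_uptime, unix_secs, unix_nsecs,
HEADER_LEN = struct.calcsize(HEADER_FMT)   # flow_sequence, engine_type, engine_id, sampling (24 bytes)
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"   # src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
RECORD_LEN = struct.calcsize(RECORD_FMT)   # sport, dport, pad, tcp_flags, proto, tos, src_as, dst_as,
MAX_RECORDS = 30                           # src_mask, dst_mask, pad (48 bytes)

TCP_FLAG_BITS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "A"), (0x20, "U"))


def decode_tcp_flags(flags: int) -> str:
    """Render the cumulative TCP flag byte as e.g. 'SPA'; '-' when no bits are set."""
    return "".join(ch for bit, ch in TCP_FLAG_BITS if flags & bit) or "-"


def parse_netflow_v5(datagram: bytes) -> Dict[str, Any]:
    """Decode one export datagram; raise ValueError on anything malformed."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than NetFlow v5 header")
    (version, count, sys_uptime_ms, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    # A collector must not trust the count field blindly: check it against the length.
    if count > MAX_RECORDS or len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    export_time = unix_secs + unix_nsecs / 1e9
    flows: List[Dict[str, Any]] = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, _nexthop, in_if, out_if, pkts, octets, first_ms, last_ms,
         sport, dport, _pad1, tcp_flags, proto, tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "proto": proto, "tos": tos,
            "packets": pkts, "bytes": octets,
            "tcp_flags": decode_tcp_flags(tcp_flags) if proto == 6 else "-",
            # first/last are router uptime in ms; anchor them to the header's export clock.
            "start": export_time - (sys_uptime_ms - first_ms) / 1000.0,
            "end": export_time - (sys_uptime_ms - last_ms) / 1000.0,
            "in_if": in_if, "out_if": out_if,
        })
    return {"sequence": flow_seq, "engine": (engine_type, engine_id),
            "sampling_interval": sampling & 0x3FFF,   # low 14 bits; top 2 bits are the mode
            "flows": flows}


def build_sample_datagram() -> bytes:
    """Constructed export (not a real capture): one web request and one SYN-only probe."""
    def rec(src, dst, sport, dport, proto, pkts, octets, first, last, flags):
        return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                           socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets, first, last,
                           sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)
    records = [
        rec("10.1.2.3", "192.0.2.10", 51234, 80, 6, 12, 1840, 95_000, 96_500, 0x1A),   # SYN|PSH|ACK
        rec("10.1.2.3", "192.0.2.11", 51235, 445, 6, 1, 60, 99_000, 99_000, 0x02),     # SYN only
    ]
    header = struct.pack(HEADER_FMT, 5, len(records), 100_000, 1_700_000_000, 0, 42, 0, 0, 0)
    return header + b"".join(records)


if __name__ == "__main__":
    for f in parse_netflow_v5(build_sample_datagram())["flows"]:
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} proto={f['proto']} "
              f"pkts={f['packets']} bytes={f['bytes']} flags={f['tcp_flags']} "
              f"dur={f['end'] - f['start']:.1f}s")
```

The length check matters in practice: a collector listens on UDP and anything can send it a datagram, so the count field is attacker-controlled input. Note also that v5 carries only IPv4 addresses; IPv6 and variable fields need NetFlow v9 or IPFIX templates.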

NBA products serve as collectors, receiving network flow data from switches and routers and processing it into meaningful information. With direct packet capture, the NBA system instead receives a copy of the traffic from a switch or router via a SPAN (mirror) port or a network tap and builds the equivalent flow records itself, as if the device had exported them. A SPAN port silently drops copies when the switch is oversubscribed, so a tap is the more reliable source where the counts matter. Going a step further, packet capture also lets an NBA system apply deep packet inspection to flag attacks that can't be detected from flow data alone, and to identify applications by their payload rather than their port, which exposes traffic piggybacking on ports normally used by other applications (an SSH tunnel on tcp/443 that is not actually TLS, for instance).
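The following is an added example, not code from the article or any vendor it names, of the two things a packet-capture NBA does that a flow collector cannot: it aggregates individual packets into unidirectional flow records keyed by the 5-tuple (splitting a key into a new flow after an idle timeout, as routers do), and it tags each flow with the application its first payload bytes reveal, so a mismatch between payload and destination port can be reported. The packets and the signature table are constructed for the example; a real product has far richer decoders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:           # constructed input; a real system would decode these from pcap
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    length: int
    tcp_flags: int = 0
    payload: bytes = b""


@dataclass
class Flow:             # the record a flow exporter would emit for one direction
    first: float
    last: float
    packets: int = 0
    bytes: int = 0
    tcp_flags: int = 0   # cumulative OR of the flags seen
    app: Optional[str] = None


# Hypothetical DPI table: protocol preambles matched regardless of port.
APP_SIGNATURES = [
    ("ssh", lambda p: p.startswith(b"SSH-")),
    ("http", lambda p: p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT")
                       or p.startswith(b"HTTP/")),
    ("bittorrent", lambda p: p.startswith(b"\x13BitTorrent protocol")),
    # TLS record type 0x16 (handshake), version 3.x, handshake type 0x01 (ClientHello)
    ("tls", lambda p: len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01),
]
PORT_APP = {22: "ssh", 80: "http", 443: "tls", 6881: "bittorrent"}   # what the port implies

FlowKey = Tuple[str, str, int, int, int]


def classify(payload: bytes) -> Optional[str]:
    for name, match in APP_SIGNATURES:
        if payload and match(payload):
            return name
    return None


def aggregate(packets: List[Packet], idle_timeout: float = 60.0) -> Dict[FlowKey, List[Flow]]:
    """Fold packets into unidirectional flows; a gap longer than idle_timeout starts a new flow."""
    flows: Dict[FlowKey, List[Flow]] = {}
    for p in sorted(packets, key=lambda x: x.ts):
        key: FlowKey = (p.src, p.dst, p.sport, p.dport, p.proto)
        bucket = flows.setdefault(key, [])
        if not bucket or p.ts - bucket[-1].last > idle_timeout:
            bucket.append(Flow(first=p.ts, last=p.ts))
        f = bucket[-1]
        f.last = p.ts
        f.packets += 1
        f.bytes += p.length
        f.tcp_flags |= p.tcp_flags
        if f.app is None:                 # first payload-bearing packet decides the application
            f.app = classify(p.payload)
    return flows


def port_mismatches(flows: Dict[FlowKey, List[Flow]]) -> List[Tuple[str, str, int, str, str]]:
    """Flows whose payload application differs from what the destination port implies."""
    out = []
    for (src, dst, _sport, dport, _proto), bucket in flows.items():
        expected = PORT_APP.get(dport)
        for f in bucket:
            if f.app and expected and f.app != expected:
                out.append((src, dst, dport, expected, f.app))
    return out


# Constructed packets: an HTTP exchange on tcp/80, then SSH tunnelled over tcp/443.
SAMPLE_PACKETS = [
    Packet(100.0, "10.1.2.3", "192.0.2.10", 51234, 80, 6, 74, 0x02),
    Packet(100.1, "192.0.2.10", "10.1.2.3", 80, 51234, 6, 74, 0x12),
    Packet(100.2, "10.1.2.3", "192.0.2.10", 51234, 80, 6, 180, 0x18, b"GET /index.html HTTP/1.1\r\n"),
    Packet(100.3, "192.0.2.10", "10.1.2.3", 80, 51234, 6, 900, 0x18, b"HTTP/1.1 200 OK\r\n"),
    Packet(200.0, "10.1.2.3", "192.0.2.20", 51300, 443, 6, 74, 0x02),
    Packet(200.2, "10.1.2.3", "192.0.2.20", 51300, 443, 6, 95, 0x18, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Packet(400.0, "10.1.2.3", "192.0.2.20", 51300, 443, 6, 66, 0x10),   # same 5-tuple after a long gap
]

if __name__ == "__main__":
    flows = aggregate(SAMPLE_PACKETS)
    for key, bucket in flows.items():
        for f in bucket:
            print(key, f)
    print("port/payload mismatches:", port_mismatches(flows))
```

Because flows are unidirectional, the request and the response land in two separate records; the NBA product pairs them later, which is also how it infers which side is the server. Note that the idle timeout splits the tcp/443 key into two flows, and only the one with a payload is classified; the lone ACK after the gap stays unknown.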

A baseline of normal behavior is the core of NBA, but these systems also sport pattern-matching signatures to spot network scans, anomalous application behavior, and worms. NBA vendors recognize that customers like to have immediate feedback from security products when they flip the "on" switch, so pattern matching is available out of the box. Of course, the most value comes once a solid baseline is in place, but a baseline takes several days to a week to develop properly, and whatever is happening on the network during that learning period, an ongoing infection or a misconfigured host included, is absorbed into "normal."
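To show the two detection styles side by side, here is an added example (not the article's or any vendor's code) that learns a per-host baseline of how many distinct destination/port pairs each host touches per minute, alerts when a later window exceeds that baseline, and separately applies a fixed scan signature (SYN-only, short TCP flows to many distinct targets). The flow records are constructed dicts in the shape a collector might produce; the thresholds are assumptions.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

Flow = Dict[str, object]


def _flow(src, dst, dport, start, flags="SPA", proto=6, packets=10) -> Flow:
    """Constructed flow record (a subset of the fields a collector would hold)."""
    return {"src": src, "dst": dst, "dport": dport, "proto": proto,
            "start": start, "tcp_flags": flags, "packets": packets}


def windows(flows: List[Flow], width: float) -> Dict[Tuple[str, int], List[Flow]]:
    """Group flows by (source host, time window index)."""
    buckets: Dict[Tuple[str, int], List[Flow]] = defaultdict(list)
    for f in flows:
        buckets[(f["src"], int(f["start"] // width))].append(f)
    return buckets


def learn_baseline(training: List[Flow], width: float = 60.0) -> Dict[str, Tuple[float, float]]:
    """Per host: mean and population std-dev of distinct (dst, dport) pairs per window.
    Windows with no flows are not represented, so a quiet host's baseline is biased upward."""
    per_host: Dict[str, List[int]] = defaultdict(list)
    for (src, _w), fl in windows(training, width).items():
        per_host[src].append(len({(f["dst"], f["dport"]) for f in fl}))
    return {src: (statistics.fmean(c), statistics.pstdev(c) if len(c) > 1 else 0.0)
            for src, c in per_host.items()}


def anomalies(flows: List[Flow], baseline: Dict[str, Tuple[float, float]],
              width: float = 60.0, k: float = 3.0, floor: int = 5) -> List[tuple]:
    """Flag windows above mean + k*sd; the fixed floor stops a zero-variance host
    alerting on a single extra destination."""
    alerts = []
    for (src, w), fl in windows(flows, width).items():
        if src not in baseline:          # no baseline yet: a product would keep learning, not alert
            continue
        n = len({(f["dst"], f["dport"]) for f in fl})
        mean, sd = baseline[src]
        threshold = max(mean + k * sd, mean + floor)
        if n > threshold:
            alerts.append(("anomaly", src, w, n, round(threshold, 1)))
    return alerts


def scan_signature(flows: List[Flow], min_targets: int = 10) -> List[tuple]:
    """Out-of-the-box signature: SYN-only, tiny TCP flows from one source to many targets."""
    targets: Dict[str, set] = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and f["tcp_flags"] == "S" and f["packets"] <= 2:
            targets[f["src"]].add((f["dst"], f["dport"]))
    return [("scan", src, len(t)) for src, t in targets.items() if len(t) >= min_targets]


# Constructed training data: five quiet minutes of one host talking to 3 or 4 web servers.
TRAINING = [_flow("10.1.2.3", f"192.0.2.{d}", 443, w * 60 + d)
            for w in range(5) for d in range(1, 4 + w % 2)]

# Constructed live data: a 40-port SYN sweep, then a normal minute, plus an unbaselined host.
LIVE = ([_flow("10.1.2.3", "192.0.2.50", p, 600 + p * 0.1, flags="S", packets=1) for p in range(1, 41)]
        + [_flow("10.1.2.3", f"192.0.2.{d}", 443, 660 + d) for d in range(1, 4)]
        + [_flow("10.1.2.9", "192.0.2.60", 22, 605)])

if __name__ == "__main__":
    base = learn_baseline(TRAINING)
    print("baseline:", base)
    print("anomalies:", anomalies(LIVE, base))
    print("signature hits:", scan_signature(LIVE))
```

The signature fires on the sweep immediately, with no training at all, which is the "flip the switch" feedback the article describes; the baseline catches the same event only because it has five windows of history for that host, and says nothing about 10.1.2.9, which it has never seen.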

Impact Assessment: Network Behavior Analysis


NBA PLAYBOOK
So, is NBA a fit for enterprises that already have IDS/IPS deployed throughout their corporate headquarters and branch offices, firewalls at the perimeter--maybe even around the data center--and a SIEM that promises insight into the goings-on of the enterprise infrastructure? Short answer, yes. It completes the network visibility picture, filling gaps left by other security systems and providing information about relationships among network hosts, including which are clients and which are servers; alerting on breaches of policy such as unauthorized use of peer-to-peer file sharing; and more.

With this network visibility should come the benefit of adding teeth to existing policies stating what is and isn't allowed within the corporate network, such as instant messaging and P2P. There are also business and regulatory requirements that call for monitoring and tracking all network activity back to the user responsible. Flow records identify only IP addresses, so to accomplish this NBA products interface with user directories, such as LDAP and Microsoft Active Directory, in addition to DHCP and DNS, and the mapping from address to user is only as good as those sources and their time resolution: a DHCP address that changes hands mid-investigation will be attributed to the wrong person unless the lease history is consulted for the time of the flow. Leveraging identity information can make policies more powerful, too, by defining alerts if, say, a contractor account accesses a sensitive area of the network.
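As an added example of that correlation (not the article's or any vendor's code), the script below attributes each flow to a user by looking up the DHCP lease that held the source address at the time of the flow and then the most recent logon on that host, and raises the contractor-to-sensitive-segment alert the paragraph describes. The lease events, logon events, group memberships, subnet and flows are all constructed, and the field layouts are hypothetical rather than any product's real log format.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed DHCP lease events: (time, ip, mac, client hostname). Note the address churn:
# 10.1.2.3 is re-leased to the contractor's laptop at t=5000.
DHCP_LEASES = [
    (1000, "10.1.2.3", "aa:bb:cc:00:00:01", "LT-JSMITH"),
    (1000, "10.1.2.4", "aa:bb:cc:00:00:02", "LT-CONTRACTOR7"),
    (5000, "10.1.2.3", "aa:bb:cc:00:00:02", "LT-CONTRACTOR7"),
]
# Constructed AD logon events: (time, hostname, account).
LOGONS = [
    (1010, "LT-JSMITH", "CORP\\jsmith"),
    (1020, "LT-CONTRACTOR7", "CORP\\c.vendor7"),
]
# Constructed group memberships as a directory lookup would return them.
AD_GROUPS = {
    "CORP\\jsmith": {"Domain Users", "Finance"},
    "CORP\\c.vendor7": {"Domain Users", "Contractors"},
}
SENSITIVE = [ipaddress.ip_network("10.10.50.0/24")]   # hypothetical finance segment
RESTRICTED_GROUP = "Contractors"


def _latest(events: List[tuple], key: str, t: float) -> Optional[tuple]:
    """Most recent event for `key` at or before time t; None if there is none.
    Using the flow's own timestamp, not 'now', is what makes lease churn safe."""
    best = None
    for ev_t, ev_key, *rest in sorted(events, key=lambda e: e[0]):
        if ev_key == key and ev_t <= t:
            best = tuple(rest)
    return best


def attribute(flow_time: float, ip: str) -> Optional[str]:
    """ip -> host via DHCP lease history, host -> account via logon history."""
    lease = _latest(DHCP_LEASES, ip, flow_time)      # (mac, hostname)
    if lease is None:
        return None
    logon = _latest(LOGONS, lease[1], flow_time)      # (account,)
    return logon[0] if logon else None


def evaluate(flows: List[Tuple[float, str, str, int]]) -> List[tuple]:
    """Flows are (time, src_ip, dst_ip, dport); returns policy alerts."""
    alerts = []
    for t, src, dst, dport in flows:
        user = attribute(t, src)
        if user is None:
            alerts.append(("unattributed", t, src, dst))
            continue
        dst_ip = ipaddress.ip_address(dst)
        if RESTRICTED_GROUP in AD_GROUPS.get(user, set()) and any(dst_ip in n for n in SENSITIVE):
            alerts.append(("contractor-to-sensitive", t, user, src, dst, dport))
    return alerts


# Constructed flows: before any lease, an employee, a contractor, and the re-leased address.
FLOWS = [
    (900, "10.1.2.3", "10.10.50.5", 445),
    (2000, "10.1.2.3", "10.10.50.5", 445),
    (2000, "10.1.2.4", "10.10.50.5", 445),
    (6000, "10.1.2.3", "10.10.50.5", 445),
]

if __name__ == "__main__":
    for a in evaluate(FLOWS):
        print(a)
```

The third and fourth flows come from the same address but resolve to different people, which is exactly the mistake a "current lease table" lookup would make; the unattributed flow is reported rather than silently dropped, since an address with no lease history on a DHCP segment is itself worth a look.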

Network Behavior Analysis Rolling Review
The Invitation

To be eligible for this Rolling Review, products must perform behavioral analysis of network traffic by monitoring through direct packet capture and network flow data. Entries should support at least NetFlow, IPFIX, and sFlow. Testing scenarios will include both a production network and a lab environment. We will assess products based on:

  • Network performance reporting; detection and classification of malicious behavior; host and server discovery; and alerting on unauthorized traffic as defined by policy, such as P2P and instant messaging.
  • Management and configuration, including the ability to integrate with existing network and security systems.
  • Extended feature set, including application awareness (Layer 7 decoding), identity management, remediation capabilities, and troubleshooting.
  • Reporting through dashboard, integration with SIEM, and other methods.
  • Price as tested.
The Test Bed

We'll test NBA systems in our University of Florida Real-World Labs, using testing gear from Network Critical, by sending NetFlow traffic from core routers and switches in a production network. For direct packet capture, we'll connect a SPAN port to one core router, and we'll evaluate identity awareness using Microsoft Active Directory and several hosts running Windows XP and Vista. Test traffic will be generated by infecting machines with live malware, sharing and downloading files through P2P apps, and using IM software.

The Vendors

Arbor Networks, Lancope, Mazu Networks, NetQoS, Q1 Labs, and Sourcefire. For consideration, contact the author.

THE PREMISE

InformationWeek's Rolling Reviews present a comprehensive look at a hot technology category, beginning with market analysis and wrapping up with a synopsis of our findings.