Rolling Review Kickoff: The Other NBA

Network behavior analysis systems promise to defend your network against unknown attacks. We'll put these claims to the test.

John Sawyer

April 2, 2008

8 Min Read
Network Computing logo

When mapping a defensive game plan, it helps to scout out what the other team is up to. But the unfortunate reality for IT security pros is that the next attacker could be anyone from a script kiddie to a crime syndicate to a malicious insider, and possible vectors are even more diverse. Yet the intrusion-detection and intrusion-prevention systems many enterprises employ in response to all this uncertainty suffer from the same weakness that's plagued antivirus products for years--a reliance on signatures.

Antivirus vendors realized early on that to stay competitive, they had to develop techniques to enable their products to identify suspicious traffic, even if they hadn't seen that particular activity before. The answer was heuristics and behavioral analysis methods that detect files and processes that behave in ways deemed threatening. In the network security realm, researchers and vendors such as Lancope and Mazu Networks developed systems that use behavioral analysis rather than signatures. Over the past few years, this category has matured from a niche market that was tagged with several unfortunate acronyms, including NBAD (network behavior analysis and detection) and NADS (network anomaly detection systems), before settling on NBA, or network behavior analysis.

InformationWeek Reports

In essence, these vendors provide the missing piece--behavioral detection--to the IDS world that antivirus vendors discovered was a necessity more than a decade ago.

Most enterprises can benefit from NBA, since most are missing security events of interest because of overwhelming bandwidth or a lack of pervasive visibility. But as with any product that interacts closely with your network and impacts security--and especially one that costs as much as most NBA systems--a proper fit is crucial.

We decided to launch a Rolling Review to help you ensure that the NBA product you're considering will integrate with your current IDS, vulnerability scanner, and security incident and event manager (SIEM) while handling your throughput needs. We've invited six vendors to send products to our University of Florida Real-World Labs. See "Network Behavior Analysis Rolling Review" for more testing details.

Pure-play NBA vendors initially focused on network security because, simply put, they were good at it. Once their systems create a baseline of what normal network behavior looks like, they can detect anomalous activities. For example, say a desktop computer whose daily actions comprise Web browsing, access to network shares, and e-mail traffic suddenly begins accepting connections on TCP port 65500 or starts communicating on UDP port 17028 with hundreds of other hosts around the world. An NBA system would fire off an e-mail to the security team about the sudden change, maybe even implement a firewall ACL or disable the switch port to prevent collateral damage.



Locking down the network is vital, but so is securing data whenever and however it's accessed.

Download this
InformationWeek Report

>> See all our Reports <<

Because NBA requires an intimate understanding of an enterprise's unique traffic patterns, it's a natural fit for vendors to add network performance monitoring features ranging from simple functions, like identifying top talkers, to more advanced reporting to assist with network optimization and planning. Essentially, this feature set is why NBA vendors promise both network and security teams visibility that they've previously not possessed, including alerts when new hosts appear on the network and the ability to find where bottlenecks exist and tie users directly to their network traffic flows.

Smelling an opportunity for expansion into a prospering space, network performance vendors including NetQoS are busily adding NBA capabilities to their product lines. While security-focused individuals and vendors claim NBA as part of a comprehensive security strategy, these network performance vendors tout the technology as a natural extension of yesterday's network management systems. For example, Steve Harriman, NetQoS's VP of marketing, says NBA is key to optimizing networks for application performance.

No matter which viewpoint you favor, enterprise IT groups are the ultimate winners: More competition in the NBA market from vendors with different perspectives means abundant new features and lower prices.

diagram: All Eyes On The Network -- Network behavior analysis provides visibility throughout an enterprise network by analyzing NetFlow data from switches and routers. To provide equivalent insight via an intrusion-detection system, you'd need an IDS on every network node to grab all data packets—a pricey proposition. Putting an IDS only at major choke points reduces cost, but at the expense of visibility.PLAYER FUNDAMENTALS
For NBA products to work their magic, they need access to network traffic, either through flow data collection or via direct packet capture. Network flow data can best be described as metadata about a unidirectional sequence of packets that includes such information as time stamps for the start and finish of the flow, number of bytes and packets in the flow, source and destination IP addresses, source and destination ports, TCP flags if applicable, and IP information. There are several formats of network flow data; the three mainstream implementations--NetFlow, SFlow, and IPFIX, which is based on Cisco's NetFlow version 9--all are supported by the leading NBA vendors.

NBA products serve as collectors, receiving network flow data from switches and routers that they in turn process into meaningful information. With direct packet capture, the NBA system acquires network traffic directly from a switch or router using a SPAN port or network tap, and exports it into the equivalent of what would be received if the NBA product had simply grabbed network flow data. Going a step further, NBA systems also can leverage deep packet inspection through direct packet capture to flag attacks that couldn't be detected by monitoring only network flow data. This method also provides awareness of applications that may be piggybacking on other normal application ports.

A baseline of normal behavior is the core of NBA, but these systems also sport pattern-matching signatures to spot network scans, anomalous application behavior, and worms. NBA vendors recognize that customers like to have immediate feedback from security products when they flip the "on" switch, so pattern matching is available out of the box. Of course, the most value comes once a solid baseline is in place, but these take several days to a week to develop properly.

Impact Assessment: Network Behavior Analysis

(click image for larger view)

So, is NBA a fit for enterprises that already have IDS/IPS deployed throughout their corporate headquarters and branch offices, firewalls at the perimeter--maybe even around the data center--and a SIEM that promises insight into the goings-on of the enterprise infrastructure? Short answer, yes. It completes the network visibility picture, filling gaps left by other security systems and providing information about relationships among network hosts, including which are clients and which are servers; alerting on breaches of policy such as unauthorized use of peer-to-peer file sharing; and more.

With this network visibility should come the benefit of adding teeth to existing policies stating what is and isn't allowed within the corporate network, such as instant messaging and P2P. There are also business and regulatory requirements that require monitoring and tracking of all network activity back to the user responsible. To accomplish this, NBA products interface with user directories, such as LDAP and Microsoft Active Directory, in addition to DHCP and DNS. Leveraging identity information can make policies more powerful, too, by defining alerts if, say, a contractor account accesses a sensitive area of the network.

Network Behavior Analysis Rolling Review

The Invitation

To be eligible for this Rolling Review, products must perform behavioral analysis of network traffic by monitoring through direct packet capture and network flow data. Entries should support at least NetFlow, IPFIX, and SFlow. Testing scenarios will include both a production network and lab environment. We will assess products based on:

  • Network performance reporting; detection and classification of malicious behavior; host and server discovery; and alerting on unauthorized traffic as defined by policy, such as P2P and instant messaging.

  • Management and configuration, including the ability to integrate with existing network and security systems.

  • Extended feature set, including application awareness (Layer 7 decoding), identity management, remediation capabilities, and troubleshooting.

  • Reporting through dashboard, integration with SIEM, and other methods.

  • Price as tested.

The Test Bed

We'll test NBA systems in our University of Florida Real-World Labs, using testing gear from Network Critical, by sending NetFlow traffic from core routers and switches in a production network. For direct packet capture, we'll connect a SPAN port to one core router, and we'll evaluate identity awareness using Microsoft Active Directory and several hosts running Windows XP and Vista. Test traffic will be generated by infecting machines with live malware, sharing and downloading files through P2P apps, and using IM software.

The Vendors

Arbor Networks, Lancope, Mazu Networks, NetQoS, Q1 Labs, and Sourcefire. For consideration, contact the author.


InformationWeek's Rolling Reviews present a comprehensive look at a hot technology category, beginning with market analysis and wrapping up with a synopsis of our findings.

Find more Rolling Reviews, past and present

About the Author(s)

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights