Arbor Attacks Worms

Startup Arbor Networks Inc. has beefed up its security offering with a new product designed to help data center managers combat the threat of worm attacks.

Worm attacks are a particular menace to businesses because they are extremely hard to detect -- exploiting parts of an operating system that are often invisible to the user. In many cases a user may only notice a worm when it causes a system slowdown.

To make matters worse, worms actually mimic normal business traffic on the network, making it difficult to prevent the worm propagating without stopping legitimate traffic.

There is also the major challenge of dealing with unforeseen attacks. Many worms fall into the category of "zero-day" attacks, which means that they can potentially infect computers before anti-virus products can react (see Security Approaches Day Zero).

Arbor Networks’ Peakflow X 3.0 software, unveiled today, does not use a specific signature to identify the worm. Instead, it uses hardware and software to anlayze the relationship between hosts on the network and identify whether anything has been infected by a worm. These hosts could be, for example, a PC, a printer, or even a server.At its core, Peakflow X 3.0 combines a security appliance and specially designed software to gather information from up to five switches or routers and examine network performance, according to the company.

Richard Stiennon, vice president of research at Gartner Inc., believes that the level of network visibility offered by Peakflow will be a major benefit to IT managers. “The most valuable thing here is that it finally gives you knowledge of what your network is being used for,” he says.

But the product is not just about identifying problems. It also employs a feature called "Safe Quarantine," which blocks all abnormal traffic and allows normal traffic to continue through the network.

There are, however, other offerings on the market to defend against unforeseen security threats. One of the best known is probably Cisco Systems Inc.'s (Nasdaq: CSCO) Security Agent (CSA) software, which works by analyzing the behavior of servers and desktops.

However, CSA takes a more host-centric approach to tackling the zero-day problem. “Cisco’s solution focuses on the hosts themselves," says Stiennon. "You have to load a software agent on the host and then manage it.”In contrast, Stiennon claims, Peakflow uses a much more network-focused approach. “With Arbor, you don’t have anything on the host. You just have sensors on the network and the control is done through the switches."

Less well known than Cisco, but also offering products to analyze performance are Massachusetts-based startups are Mazu Networks and Q1 Labs. Mazu Networks recently launched the latest version of its network-based Mazu Profiler solution (see Mazu Launches Profiler 4.0).

At least one big-name customer has already signed up for Arbor’s Peakflow X 3.0. BT Group plc (NYSE: BTY; London: BTA) is integrating Arbor Networks’ worm prevention products to protect its internal network.

— James Rogers, Site Editor, Next-gen Data Center Forum