Monday, June 23, 2003

Flow Tools

Thomas H. Ptacek, who co-authored a slightly famous paper on IDS several years ago, wrote me regarding his company's product, Peakflow X. According to their press release, the system profiles network traffic and complements traditional signature-based IDS:


"Upon installation, Peakflow X monitors network traffic, automatically constructing a holistic real-time model of the entire network from the inside out. Identifying factors such as services (HTTP, FTP, Microsoft File Sharing, etc.), inbound and outbound traffic, and host-to-host behavior, Peakflow X dynamically clusters all hosts into groups based on similar operational policies. For example, hosts that communicate primarily HTTP only to hosts in the marketing department would be grouped together, indicating an organization’s internal workgroup Web servers. Based on this detailed network-wide model, Peakflow X immediately detects anomalous behavior whether or not it stems from a known vulnerability. For example, should one of the internal Web servers initiate a file sharing connection to a system on the Internet, Peakflow X would immediately flag the activity as suspicious. As a result, Peakflow X can detect not only zero-day threats, like worms, but also internal misuse."


This seems like one of the best ways to deal with inspecting huge traffic flows. Readers may know I am a huge fan of products which independently capture network flows without processing stored libpcap data. Argus is the best stand-alone app, while Cisco NetFlow is an option. Luca Deri of ntop fame shared news of his nProbe, a PC-based NetFlow collector, and nBox, a Cyclades-TS100 appliance-based NetFlow collector. Commercial ntop support is available.
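The grouping-and-deviation idea from the press release, applied to flow records of the kind Argus or NetFlow export. This is an added example, not Peakflow X's actual algorithm or code from this post; the flow tuple layout, internal address range, Jaccard threshold and sample flows are constructed assumptions.

```python
from collections import defaultdict
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address range
SERVICES = {80: "http", 21: "ftp", 445: "smb"}  # destination port -> service label

def zone(ip):
    return "internal" if ipaddress.ip_address(ip) in INTERNAL else "internet"

def behaviors(flow):
    """A flow (initiator, responder, dst_port) yields one behavior per endpoint."""
    src, dst, dport = flow
    svc = SERVICES.get(dport, f"port-{dport}")
    yield src, ("out", svc, zone(dst))   # src acted as client toward dst's zone
    yield dst, ("in", svc, zone(src))    # dst acted as server for src's zone

def build_profiles(flows):
    """Per-host set of behaviors seen in the baseline (internal hosts only)."""
    profiles = defaultdict(set)
    for flow in flows:
        for host, b in behaviors(flow):
            if zone(host) == "internal":
                profiles[host].add(b)
    return profiles

def cluster(profiles, threshold=0.5):
    """Greedy grouping: join the first group whose profile has Jaccard >= threshold."""
    groups = []  # each group: {"hosts": set, "profile": union of member behaviors}
    for host, prof in sorted(profiles.items()):
        for g in groups:
            if len(prof & g["profile"]) / len(prof | g["profile"]) >= threshold:
                g["hosts"].add(host)
                g["profile"] |= prof
                break
        else:
            groups.append({"hosts": {host}, "profile": set(prof)})
    return groups

def detect(flows, groups):
    """Flag (host, behavior) pairs that fall outside the host's group profile."""
    allowed = {h: g["profile"] for g in groups for h in g["hosts"]}
    return [(host, b) for flow in flows for host, b in behaviors(flow)
            if host in allowed and b not in allowed[host]]

# Constructed baseline: two clients (10.1.x) using two workgroup servers (10.2.x).
BASELINE = [("10.1.0.5", "10.2.0.10", 80), ("10.1.0.6", "10.2.0.10", 80),
            ("10.1.0.5", "10.2.0.11", 80), ("10.1.0.6", "10.2.0.11", 21)]
# Constructed new traffic: normal HTTP, then a web server opening SMB to the Internet.
NEW = [("10.1.0.6", "10.2.0.11", 80), ("10.2.0.10", "203.0.113.9", 445)]
```

Because each host is checked against its group's combined profile, a server that starts offering FTP to internal clients like its peer does raises nothing, while the outbound file-sharing connection does.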
