Saturday, July 19, 2003

PacketHound

As a network security monitoring analyst, I'm always looking for better ways to inspect network traffic.
I recently learned of a product by Palisade Systems called PacketHound which "is a network appliance that allows system administrators to block, monitor, log, or throttle LAN access to an expansive list of unproductive or potentially dangerous protocols and applications." I'm happy to see that "PacketHound is an Intel-based PC appliance running FreeBSD and containing one or more 10/100 or Gigabit Ethernet NICs." (FreeBSD is my favorite OS, and is popular in many network inspection appliances.)
The best selling point of PacketHound is its inspection method: "PacketHound passively scans TCP packets for the characteristics that match the protocols it is designed to monitor and block. Conventional approaches to monitoring and blocking rely on blocking TCP ports -- for example, Gnutella typically uses port number 6346 -- so a firewall would block Gnutella by shutting off access to port 6346. Unfortunately, this approach works only with unsophisticated users and applications; more sophisticated users and newer applications can easily switch to other ports and thereby bypass the firewall. PacketHound, on the other hand, uses the fundamental characteristics of the protocol itself in addition to relying on default port blocking and, as a result, is immensely more difficult to bypass." I imagine this sort of inspection could be done with Snort if it were given signatures and told to watch all ports. However, the chances of false alarms could be high.
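To make the contrast in that quote concrete, here is a small added example (my own illustration, not PacketHound or Palisade Systems code) that runs three rules over constructed first-segment payloads: a port-only rule, a naive "search every port for the string" rule of the kind a Snort content match on all ports would give, and a rule anchored on the Gnutella handshake itself. The flows are made up; the handshake strings are those of the Gnutella 0.4 and 0.6 protocols. The fourth flow shows where the false alarms the post worries about come from, and why anchoring on protocol structure rather than a bare string keeps them down.

```python
"""Port-based blocking versus payload-based protocol identification.

Added example, not PacketHound or Palisade Systems code. The sample flows are
constructed; the handshake strings follow the Gnutella 0.4 and 0.6 protocols.
"""
import re

GNUTELLA_DEFAULT_PORT = 6346

# A Gnutella 0.6 client opens with "GNUTELLA CONNECT/0.6\r\n" and the peer
# answers "GNUTELLA/0.6 200 OK\r\n"; 0.4 used "GNUTELLA CONNECT/0.4\n\n".
# Anchoring at the start of the first segment is what keeps a mail body that
# merely quotes the string from matching.
GNUTELLA_HANDSHAKE = re.compile(
    rb"\A(?:GNUTELLA CONNECT/0\.[46]|GNUTELLA/0\.6 200 OK)[\r\n]"
)


def port_rule(flow):
    """Conventional firewall logic: the destination port alone decides."""
    return flow["dport"] == GNUTELLA_DEFAULT_PORT


def naive_content_rule(flow):
    """Unanchored string search on every port: catches moved traffic,
    but also fires on any payload that mentions the protocol by name."""
    return b"GNUTELLA" in flow["payload"]


def protocol_rule(flow):
    """Protocol-characteristic logic: match the handshake at the start of
    the first segment, whatever port it arrives on."""
    return GNUTELLA_HANDSHAKE.match(flow["payload"]) is not None


def classify(flows):
    """Return (name, port_hit, naive_hit, protocol_hit) for each flow."""
    return [
        (f["name"], port_rule(f), naive_content_rule(f), protocol_rule(f))
        for f in flows
    ]


# Constructed flows: only the first payload bytes of each TCP session.
SAMPLE_FLOWS = [
    {"name": "gnutella-default-port", "dport": 6346,
     "payload": b"GNUTELLA CONNECT/0.6\r\nUser-Agent: example\r\n\r\n"},
    {"name": "gnutella-on-port-80", "dport": 80,
     "payload": b"GNUTELLA CONNECT/0.6\r\nUser-Agent: example\r\n\r\n"},
    {"name": "web-server-on-6346", "dport": 6346,
     "payload": b"GET /index.html HTTP/1.0\r\nHost: intranet\r\n\r\n"},
    {"name": "mail-mentioning-gnutella", "dport": 25,
     "payload": b"MAIL FROM:<a@example.org>\r\n"
                b"... the GNUTELLA CONNECT/0.6 line ...\r\n"},
]

if __name__ == "__main__":
    for name, port_hit, naive_hit, proto_hit in classify(SAMPLE_FLOWS):
        print(f"{name:26s} port={port_hit!s:5s} "
              f"naive={naive_hit!s:5s} protocol={proto_hit}")
```

The port rule misses the client that moved to port 80 and flags an ordinary web server that happens to listen on 6346; the naive search catches the moved client but also fires on a mail message; only the anchored handshake rule gets all four right. A real appliance would also need to track session state and handle the server side of the exchange, which this toy does not attempt.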
Another network product, this from Vericept, looks promising. Vericept View for Privacy Protection comes in forms for financial services and health care providers. According to Network Computing, "Vericept's Intelligent Early Warning (VIEW) for Privacy Protection helps financial services organizations comply with the Gramm-Leach-Bliley Act. Using Vericept's linguistic and mathematical analysis of all TCP/IP network traffic, VIEW monitors all communications, including Internet, intranet, e-mail, IM, chat P2P, FTP, telnet and bulletin board postings, for inadvertent or malicious leaks of nonpublic personal information, such as credit card or social security numbers, account balances and payment or credit history. VIEW is designed to run on Vericept security appliances installed on a 10Base-T/100Base-T or Gigabit network." If indeed some intelligent algorithms are in play here, and not simple string or regular expression matching, this could be helpful to detect all sorts of abuse.
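The difference between "simple string or regular expression matching" and something with a bit of mathematics behind it is easy to see on the two data types Network Computing names. The added example below is my own illustration, not Vericept code, and says nothing about what VIEW actually does internally; it contrasts a bare pattern match with the same match followed by a validity check: the Luhn check digit that every real card number satisfies, and the Social Security Administration's never-issued ranges (area 000, 666 or 900-999, group 00, serial 0000). The message text is constructed.

```python
"""Finding card and SSN data in traffic with a check beyond a bare regex.

Added example, not Vericept code. The sample message is constructed; the
validity rules are the Luhn check digit for card numbers and the SSA's
never-issued ranges for SSNs (area 000, 666 or 900-999, group 00, serial 0000).
"""
import re

# Candidate strings: 13-19 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_CANDIDATE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits):
    """Luhn mod-10 check digit test that every real card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """Reject ranges the SSA has never assigned."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900
                or int(group) == 0 or int(serial) == 0)


def regex_only(text):
    """What a bare pattern match reports: every candidate, valid or not."""
    cards = [m.group(0) for m in CARD_CANDIDATE.finditer(text)]
    ssns = [m.group(0) for m in SSN_CANDIDATE.finditer(text)]
    return cards, ssns


def scan(text):
    """Candidates that also pass the structural check; fewer false alarms."""
    cards = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            cards.append(m.group(0))
    ssns = [m.group(0) for m in SSN_CANDIDATE.finditer(text)
            if ssn_plausible(*m.groups())]
    return cards, ssns


# Constructed message: one real-format card number (a well-known test value),
# one order number that only looks like a card, one plausible SSN and one
# SSN-shaped value from an area the SSA never issued.
SAMPLE_MESSAGE = (
    "Hi, please charge 4111 1111 1111 1111 for order 1234 5678 9012 3456.\n"
    "My SSN is 123-45-6789; the form template shows 000-12-3456 as an example.\n"
    "Call 555-123-4567 if there is a problem."
)

if __name__ == "__main__":
    print("regex only :", regex_only(SAMPLE_MESSAGE))
    print("with checks:", scan(SAMPLE_MESSAGE))
```

The bare regex reports two cards and two SSNs; with the checks applied only the Luhn-valid card and the plausible SSN survive, and the phone number never matches either pattern. The check digit is a weak filter on its own (one in ten random digit strings passes it), so a production system would add context such as surrounding words, but the example shows why a detector that reasons about the data is worth more than one that only matches its shape.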