“Protect your network from DDoS attacks?!”

The challenges of current network security?
What's NBAD for?
How Genie provides a quality NBAD solution?
A Total Solution for Threat Detection, Mitigation and Reporting

  • The challenges of current network security?
    The rapid development of Internet applications has brought new challenges to network security. One of the oldest, but still most effective, methods of exploiting weaknesses in IP infrastructure is the Distributed Denial of Service (DDoS) attack. DDoS attacks have been launched against Internet sites and hosts for years. A DDoS attack usually involves breaking into thousands of systems all over the Internet and overwhelming the target systems with data, so that the responses from the target systems are either slowed or stopped altogether. In order to create the necessary volume of traffic, a network of zombie or robot computers is often used. Zombies, or botnets, are computers that have been compromised by attackers, usually through worms and Trojans, allowing control software to be installed on the compromised systems and operated remotely. Collectively, these systems are able to generate the high traffic volume needed to mount a DDoS attack.
    They are a significant problem not only because they exhaust bandwidth and network device processing capacity, break network connectivity to the victims, and cut an organization off from the Internet, but also because the ‘conventional security products’, such as firewalls and IDS/IPS (Intrusion Detection System/Intrusion Prevention System), provide no comprehensive solution; no single silver bullet exists. Each of the ‘conventional security products’ has its limitations:

    Access Control Lists (ACL): Access Control Lists in routers or switches can be used to block traffic flows with specific characteristics (e.g. addresses, protocols, etc.), but only if those characteristics are known in advance. So, even though ACLs can be used to filter offending traffic once it has been recognized, the routers/switches lack the processing power and profiling intelligence to make that recognition on their own. In addition, the administrative time spent on determining ACL rules is a cost overhead of every attack. Therefore, ACLs can be useful for filtering identified unwanted traffic, but ACLs alone cannot serve as a DDoS mitigation solution.
    Firewalls: firewalls provide network security protection by restricting access to authorized users and blocking unwanted protocols. However, it cannot always be known in advance who will be accessing the network illegitimately, so attackers cannot be pre-screened via firewall rules. Even though certain protocols and ports can be blocked by firewall rules, most DDoS attacks use well-known, authorized ports, such as TCP port 80, which cannot be blocked. Therefore, firewalls offer valuable protection as part of a complete security solution, but firewalls alone are ineffective against DDoS attacks.
    Intrusion Detection System/Intrusion Prevention System (IDS/IPS): an Intrusion Detection System (IDS) monitors network traffic and raises an alarm if certain conditions are met. An Intrusion Prevention System (IPS) automatically takes action to block an attack once it is identified. Some IDSs/IPSs are designed to detect intrusion traffic flows by matching them against known “attack signatures.” However, this type of content-based detection mechanism fails to identify ‘zero-day attacks.’ Furthermore, many DDoS attacks disguise their behavior as legitimate traffic and carry no content signature to match. To overcome this disadvantage of content-based detection, some IDSs/IPSs are now implemented to look for traffic rate changes and protocol violations. Nevertheless, such behavior-based IDSs/IPSs still cannot detect DDoS attacks effectively. This is due to their link-based, inline (or gateway-like) system architecture. The link-based nature incurs several disadvantages:
    1. Scarce traffic information sources: a link-based IDS/IPS can only monitor the traffic passing through the link on which it is deployed. Therefore, unless the IDS/IPS is deployed on every link in the network (which is impractical), it cannot see the traffic flowing over the links on which it is not sitting. This disadvantage is usually described as the inability to detect “internal threats.”
    2. Discrete traffic information: even if we set aside the deployment cost and deploy many IDSs/IPSs on a network in order to resolve the scarce-traffic-source problem, the weakness of discrete traffic information still remains. Without collective, aggregated and centralized intelligence for anomalous traffic detection, DDoS attacks cannot be identified effectively and efficiently.
    3. Lack of other valuable traffic information: the traffic information available to IDSs/IPSs usually comes from the traffic monitored directly, with no other useful information such as network device performance, routing paths, etc. Without these valuable information sources, some malicious attacks cannot be detected, and important attack information (e.g. the attacking paths, the impacted resources, etc.) cannot be identified effectively.
    4. Cost of deployment and management: in order to protect a network from individual points to the perimeter, and from the perimeter to network-wide, a number of IDSs/IPSs must be deployed in different places in the network. This not only increases the monetary cost of deploying the solution, but also the difficulty of managing the system.

  • What's NBAD system for? (The benefits of an NBAD system?)
    Network Behavior Anomaly Detection (NBAD) systems provide network behavior visibility, primarily for security-relevant activity and incidents. These systems monitor network traffic for deviations that usually indicate DDoS outbreaks, zero-day attacks, and other forms of network misuse. They fill the gap left by policy- and signature-based point solutions, such as ACLs, firewalls, and IDS/IPS, which may miss threats they are not specifically configured to detect, or that do not pass the point where they are positioned on the attack path. Therefore, NBAD is usually considered the last line of security defense.
    An NBAD system presents several advantages that complement the weaknesses of other security products:
    1. Built-in traffic analysis detection intelligence – the one area where NBAD has a clear advantage over content-based products is its built-in anomaly detection mechanisms. They are designed to catch an infection early, limit its impact, and address “zero-day” vulnerabilities;
    2. Collects ubiquitous traffic information – aggregates traffic information from different network nodes and various data sources. This enables network-wide protection, which addresses the “internal threat” problem;
    3. Leverages information exported from existing network devices – uses flow data exported from the routers or switches already deployed throughout the network. Therefore, network-wide protection can be accomplished without extra deployment of ‘sensors’ or ‘probes’, avoiding the high deployment and management cost;
    4. Incident visibility and forensics – provides granular visibility into network traffic behavior. NBAD technologies are not only effective security systems against network threats, but also decision support systems that give visibility to knowledgeable network managers, who can interpret, investigate and respond to a variety of suspicious activities on the network.


  • How Genie provides a quality NBAD solution?
    GenieATM is an innovative Network Behavior Anomaly Detection system that leverages a combination of flow data, SNMP queries, and BGP routing messages to create a behavior-based system that profiles ‘traffic patterns.’ Normal traffic models are built and maintained for the network infrastructure and for subscriber networks, respectively. After the normal network behavior has been “learned,” any variation detected is considered anomalous, and hence tracked and acted on.
    The GenieATM built-in Anomaly Traffic Detection engine can quickly detect network attacks originating from internal and external networks, promptly locate suspicious attackers and victims, and suggest proper actions against the located attacking sources to prevent the harm from forming or spreading further. In addition to anomaly detection and mitigation, GenieATM also offers a unique traffic investigation tool and abundant anomaly traffic reports for network managers.
    The NBAD features of GenieATM include:
    • DoS/DDoS Protection: the built-in Protocol-Misuse detection model can detect DoS/DDoS attacks such as TCP SYN flooding, ICMP flooding and UDP Fragments. The detection can also lock down the suspicious attackers and the potential victims and then work with the mitigation measures provided to remove the threats.
    • Worm Attack Detection: the built-in Application-Anomaly detection model can successfully detect worms such as SQL Slammer, Code Red and Sasser. The detection can also lock down the infected hosts and the targeted victims and then work with the mitigation measures provided to eliminate their impact.
    • Zero-day Attack Detection: dynamically profiles real-time traffic and builds normal traffic baselines for timely detection of anomalies that have no known signature.
    • Routing Anomaly Detection: continuously monitors BGP routing activity on the network and provides timely alerts for abnormal routing behavior such as BGP hijacks and bursts of route updates.
    • Dark IP Detection: detects suspicious traffic coming from or going to Dark IP or Bogon IP space. This is useful for detecting DDoS backscatter and host/port scanning.
    • Anomaly Trace-back: rapidly constructs a full view of the attack and points out the attacker’s and victim’s information, such as the IP addresses of attackers/zombies/victims, the attacking path, etc. Real-time and historical analysis of network traffic and other forensic data helps trace back the cause of an attack.
    • Anomaly Mitigation: offers a number of mitigation options for detected threats. The supported actions include ACL command recommendations, 3rd-party security device integration, and BGP FlowSpec support.
    • Alarm Notification: a two-level (Yellow & Red) threshold alarm mechanism, combined with an indication of customer importance.
    • Diversified Alarm Methods: three supported alarm methods, Email, SNMP Trap, and Syslog, can be combined flexibly to match the user’s needs.
    • Traffic Snapshot: captures real-time Top-N rankings instantly with flexible analysis criteria, aggregation and ranking methods. It provides traffic visibility by content, source and destination, route and specific anomaly. Traffic Snapshot is a unique tool provided by GenieATM and a powerful network troubleshooting tool.
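The detection side of a flow-based NBAD system, as described in the feature list above, can be illustrated with a small sketch. The following is an added example and not GenieATM's own code: it learns a per-destination packet baseline from a window of exported flow records, then flags volume deviations against that baseline, SYN-only protocol misuse from many sources (a TCP SYN flood pattern), and traffic to or from bogon ("Dark IP") space. The record layout, the address ranges, the thresholds (z-score 3, 80% SYN-only ratio, 5 distinct sources) and every flow line are constructed for the example.

```python
"""Flow-based NBAD sketch (example code, not GenieATM's implementation).
Learns a per-destination packets-per-interval baseline from flow records,
then reports volume deviations, SYN-flood style protocol misuse and
traffic touching bogon ("Dark IP") space. All data below is constructed."""
import ipaddress
import statistics
from collections import defaultdict

TCP_SYN = 0x02  # SYN-only flag byte: a half-open connection attempt

# Address space that should carry no legitimate traffic on this constructed
# Internet-facing link; used for the Dark IP / Bogon check.
BOGONS = [ipaddress.ip_network(n) for n in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "240.0.0.0/4")]

# Learning window (constructed, NetFlow-like CSV).
# Fields: src,dst,proto,dport,packets,tcp_flags(hex),interval
# 203.0.113.10 is the protected web server; 198.51.100.0/24 its usual clients.
LEARN_FLOWS = """\
198.51.100.5,203.0.113.10,tcp,80,60,1b,1
198.51.100.6,203.0.113.10,tcp,80,45,1b,1
198.51.100.5,203.0.113.10,tcp,80,55,1b,2
198.51.100.7,203.0.113.10,tcp,80,50,1b,2
198.51.100.6,203.0.113.10,tcp,80,58,1b,3
198.51.100.5,203.0.113.10,tcp,80,47,1b,3
198.51.100.7,203.0.113.10,tcp,80,52,1b,4
198.51.100.6,203.0.113.10,tcp,80,49,1b,4
198.51.100.5,203.0.113.10,tcp,80,51,1b,5
198.51.100.7,203.0.113.10,tcp,80,54,1b,5
"""

# Detection interval 6 (constructed): one ordinary client, six hosts sending
# SYN-only flows to the server, and a host probing an unallocated address.
DETECT_FLOWS = """\
198.51.100.5,203.0.113.10,tcp,80,50,1b,6
192.0.2.11,203.0.113.10,tcp,80,40,02,6
192.0.2.12,203.0.113.10,tcp,80,40,02,6
192.0.2.13,203.0.113.10,tcp,80,40,02,6
192.0.2.14,203.0.113.10,tcp,80,40,02,6
192.0.2.15,203.0.113.10,tcp,80,40,02,6
192.0.2.16,203.0.113.10,tcp,80,40,02,6
198.51.100.8,240.1.2.3,tcp,22,1,02,6
"""


def parse_flows(text):
    """Parse CSV flow lines into dicts; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, packets, flags, interval = line.split(",")
        flows.append({"src": src, "dst": dst, "proto": proto, "dport": int(dport),
                      "packets": int(packets), "flags": int(flags, 16),
                      "interval": int(interval)})
    return flows


def is_bogon(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGONS)


def learn_baseline(flows):
    """Return {dst: (mean, stdev)} of packets per interval over the window.
    Intervals in which a destination saw no traffic count as zero."""
    intervals = sorted({f["interval"] for f in flows})
    per_dst = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_dst[f["dst"]][f["interval"]] += f["packets"]
    return {dst: (statistics.fmean(series), statistics.pstdev(series))
            for dst, buckets in per_dst.items()
            for series in [[buckets.get(i, 0) for i in intervals]]}


def detect(flows, baseline, z_threshold=3.0, syn_ratio=0.8, min_sources=5):
    """Return (kind, dst, detail) alarms for the given detection flows."""
    alarms = []
    for f in flows:  # Dark IP check is per flow and needs no baseline
        for side in ("src", "dst"):
            if is_bogon(f[side]):
                alarms.append(("dark-ip", f["dst"], f"{side} {f[side]} in bogon space"))
    groups = defaultdict(list)
    for f in flows:
        groups[(f["interval"], f["dst"])].append(f)
    for (interval, dst), fl in groups.items():
        if dst in baseline:  # volume deviation against the learned profile
            mean, stdev = baseline[dst]
            pkts = sum(f["packets"] for f in fl)
            z = (pkts - mean) / max(stdev, 1.0)  # floor avoids hair-trigger on flat baselines
            if z > z_threshold:
                alarms.append(("volume", dst,
                               f"interval {interval}: {pkts} pkts vs baseline {mean:.1f}+/-{stdev:.1f}"))
        tcp = [f for f in fl if f["proto"] == "tcp"]
        syn_only = [f for f in tcp if f["flags"] == TCP_SYN]
        sources = {f["src"] for f in syn_only}
        if tcp and len(syn_only) / len(tcp) >= syn_ratio and len(sources) >= min_sources:
            alarms.append(("syn-flood", dst,
                           f"interval {interval}: {len(syn_only)} SYN-only flows from {len(sources)} sources"))
    return alarms


def run_example():
    baseline = learn_baseline(parse_flows(LEARN_FLOWS))
    return detect(parse_flows(DETECT_FLOWS), baseline)


if __name__ == "__main__":
    for kind, dst, detail in run_example():
        print(f"{kind:10} {dst:15} {detail}")
```

Running it yields three alarms: a dark-ip alarm for the probe toward 240.1.2.3, and a volume alarm plus a syn-flood alarm for 203.0.113.10. The volume check is skipped for destinations with no learned baseline, since a z-score against a baseline of zero would fire on any traffic at all; a production system would instead keep a default profile per customer network.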


  • Total Solution for Threat Detection, Mitigation and Reporting: How Genie works with other Security solutions (traffic clean)?
    GenieATM is a non-intrusive system for protection against network threats such as DDoS, worms, and botnets. Non-intrusive means GenieATM does not need to work inline to detect and mitigate these attacks. To give network managers a range of countermeasure options for eliminating network threats instantly, GenieATM can work with 3rd-party security devices to filter the attacking traffic.
    The mitigation actions provided by GenieATM include:
    • Router ACL commands generation
    • Black-hole routes generation
    • Anomalous traffic redirection and triggering of 3rd-party traffic cleansing: supports 3rd-party devices such as Cisco Guard.
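To show what the mitigation actions listed above look like when generated from a detected anomaly, here is an added example that is not GenieATM's code. It takes a constructed anomaly record (victim, port, identified sources, observed rate) and renders three artifacts: IOS-style extended ACL lines against the identified sources, a destination-based black-hole (Null0) static route, and a BGP FlowSpec rule expressed as RFC 5575 component names with a traffic-rate action. The escalation policy in `choose_mitigation` is an assumption made for the example; the 80% link-saturation threshold and the 50-source ACL limit are constructed values, and the ACL number 150 is arbitrary.

```python
"""Mitigation artifact generation (example code, not GenieATM's).
Renders router ACL lines, a black-hole route and a BGP FlowSpec rule from a
detected anomaly, and picks one under a constructed escalation policy."""
import ipaddress

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}
TCP_SYN = 0x02

# Constructed anomaly record of the kind a detector would hand to mitigation.
ANOMALY = {
    "kind": "syn-flood",
    "victim": "203.0.113.10",
    "proto": "tcp",
    "dport": 80,
    "sources": ["192.0.2.11", "192.0.2.12", "192.0.2.13",
                "192.0.2.14", "192.0.2.15", "192.0.2.16"],
    "pps": 290,                  # observed packets/s toward the victim
    "link_capacity_pps": 100000  # assumed capacity of the victim's link
}


def _addr(text):
    """Validate before anything is rendered into router configuration, so a
    malformed field from the detector can never become part of a command."""
    return str(ipaddress.ip_address(text))


def acl_lines(anomaly, acl_number=150):
    """IOS-style extended ACL: deny each identified source toward the victim
    on the attacked port, then permit everything else (order matters)."""
    victim = _addr(anomaly["victim"])
    lines = [f"access-list {acl_number} deny {anomaly['proto']} host {_addr(src)} "
             f"host {victim} eq {int(anomaly['dport'])}" for src in anomaly["sources"]]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


def blackhole_route(victim):
    """Destination-based remotely-triggered black hole: a Null0 host route.
    This drops all traffic to the victim, so it sacrifices the victim to
    protect the rest of the network; a last resort."""
    net = ipaddress.ip_network(f"{_addr(victim)}/32")
    return f"ip route {net.network_address} {net.netmask} Null0"


def flowspec_rule(anomaly, rate_bytes_per_sec=0):
    """RFC 5575 FlowSpec match components plus a traffic-rate action
    (0 bytes/s discards). Matching on dest prefix, protocol, port and SYN
    flag limits collateral damage compared with a plain black hole."""
    rule = {
        "destination-prefix": f"{_addr(anomaly['victim'])}/32",
        "ip-protocol": PROTO_NUMBERS[anomaly["proto"]],
        "destination-port": int(anomaly["dport"]),
        "action": {"traffic-rate": rate_bytes_per_sec},
    }
    if anomaly["kind"] == "syn-flood":
        rule["tcp-flags"] = TCP_SYN
    return rule


def choose_mitigation(anomaly, max_acl_sources=50, saturation=0.8):
    """Constructed escalation policy: black-hole only when the link is close
    to saturation, per-source ACLs when the source set is small enough to
    manage, otherwise a FlowSpec rule that matches the attack's shape."""
    if anomaly["pps"] >= saturation * anomaly["link_capacity_pps"]:
        return ("blackhole", blackhole_route(anomaly["victim"]))
    if len(anomaly["sources"]) <= max_acl_sources:
        return ("acl", acl_lines(anomaly))
    return ("flowspec", flowspec_rule(anomaly))


if __name__ == "__main__":
    action, artifact = choose_mitigation(ANOMALY)
    print(action)
    print(artifact if isinstance(artifact, (str, dict)) else "\n".join(artifact))
```

For the constructed anomaly the policy selects per-source ACLs, since only six sources were identified and the observed rate is far below link capacity. Raising `pps` near the capacity switches the answer to the black-hole route, and a source list longer than 50 entries switches it to the FlowSpec rule, which is the option that still lets ordinary, non-SYN-only traffic reach the victim.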

The advantages of adopting such a flow-based network threat detection & mitigation solution over “in-line” DDoS solutions include:

    • Better Availability and Reliability: the data collection points, the GenieATM Controller/Collectors, are connected via IP routing mechanisms, so the solution is as resilient and available as the IP network itself. There is no single point of failure of the kind an in-line solution can introduce;
    • Better Scalability and TCO: in-line DDoS solutions require redundant pairs of devices individually deployed at each mitigation point, which increases solution cost without real gain in value. The management cost is also significantly increased by provisioning and maintaining devices located at different points in the network. The flow-based GenieATM solution, by contrast, locates detection resources in the backbone, where they are shared by many customers; this configuration offers better TCO than in-line solutions, which require one device per customer.
    • Network-wide Detection and Insights: the distributed, flow-based architecture gives GenieATM access to data from the whole network, producing better heuristics and allowing earlier attack identification and mitigation. Instead of rendering link-based traffic reports, GenieATM provides network-wide traffic monitoring, and its embedded network models help segregate customer networks and sub-networks for better traffic insight;


Copyright ©2008 Genie Network Resource Management Inc. All rights reserved.