FOUNDRY OUNDRYNETWORKETWORK SOLUTIONS …€¦ · first Network Behavior Analysis (NBA) and Response solution that combines existing Foundry Networks sFlow ® routers and switches

Network security is a crucial part of any organization’s overallnetwork management strategy.Most businesses maintain robustperimeter defenses such as firewalls,antivirus and intrusiondetection/intrusion prevention systems (IDS/IPS).For the mostpart, these tools are very successful at preventing attacks andmisuse from outside the enterprise.

Internal networks,however,are another story.Business networksnow encompass growing numbers of contractors,mobile users,extranet partners and tightly integrated remote offices.Everyone of these points of access represents a free pass around networkperimeter defenses. If any one of these trusted relationshipsbecomes compromised, it threatens the integrity of all interiornetwork segments.Therefore,network security now must protectagainst internal threats every bit as aggressively as it preventsexternal attack.

Foundry Networks and Lancope recognize that many enterpriseorganizations understand the need to improve internal security.These two companies have joined forces to deliver the industry’sfirst Network Behavior Analysis (NBA) and Response solutionthat combines existing Foundry Networks sFlow® routers andswitches with Lancope’s StealthWatch™ System to eliminate upto 80% of the time,cost and complexity associated with threatdetection and response across internal networks.By integrating

sFlow-based network behavior information directly intoLancope’s StealthWatch Xe for sFlow security appliance, thetwo companies can deliver a superior security solution thatprotects against all threats with very few false positives and avery reasonable total cost of ownership.

Internal Threats are SignificantIt should not be a surprise that internal threats are a growingconcern for businesses.Consider the following statistics:

• 2004 survey of 23 insider misuse incidents discovered that 25% of the insiders involved had criminal records

• 2005 survey conducted by Deloitte Touche Tohmatsu indicatedthat approximately 33% more respondents reported that attacks had originated from inside their network perimeter than did respondents citing external attacks

• Yankee Group and Computer Security Institute report determined that over 50% of attacks came from internal networks or unidentified sources

• 2005 FBI and Computer Security Institute survey found that 56% of organizations reported internal security breaches

• IDC study estimated that 60% of all serious security threats come from internal sources with privileged access to network resources

Clearly,internal threats are at least as important as external attacks.Enterprise organizations must have the means to manage theserisks in order to minimize data theft, limit legal and financialliability and document compliance with government andindustry regulations such as HIPAA,Sarbanes-Oxley andPCI/Visa CISP.

FFOUNDRY OUNDRY NETWORKETWORK SOLUTIONS GUIDESOLUTIONS GUIDEFoundry Networks: Superior Internal Network Security viaStealthWatch™ by Lancope and sFlow® routers and switches

1

Network Perimeter Tools Don’t WorkPerimeter defenses do not recognize internal threats—andbusinesses cannot guard against what their defenses cannot see.For example,devices such as firewalls and IDS/IPS cannotanalyze encrypted traffic across a virtual private network (VPN)or trusted link.Other common internal vulnerabilities include:

• Rogue wireless devices

• So-called zero-day attacks, for which attack signatures have not been defined

• Unauthorized remote control or peer-to-peer software

• Unauthorized network devices and software applications

• Trojans or worms introduced via laptops,email or flash-based storage devices (e.g.,USB drives and portable music/video players)

• Known attacks for which signatures have not been activated

Each of these threats can easily become an active attack.Forexample,an employee’s laptop might become compromisedwith a virus when connected to a home network.That virusbecomes immediately active inside the network perimeter assoon as that employee arrives at the office the next day and logs on to a server.

Ironically,network security’s success at the perimeter tends towork against organizations that try to use these tools to improvetheir internal security.First,each internal network or networksegment requires its own firewall or IDS/IPS.Every one ofthese devices is a chokepoint that limits performance.Next,separate policies must be developed,distributed and managedfor every device.It is an expensive proposition,and very,verydifficult to coordinate, let alone operate efficiently.

Consider the following example.A typical IDS/IPS appliancecan protect against more than 15,000 known threats.However,that same appliance is unlikely to look for more than 2% of thattotal. It simply takes too long to monitor network traffic moreclosely.Therefore,most IDS/IPS devices are intentionally confi-gured to be blind to 98% of known potential threats.

IDS/IPS appliances must be installed on every network seg-ment to limit the spread of internal attacks.Given the numberof devices necessary to cover the typical enterprise, it rapidlybecomes very complicated and expensive to manage thesedevices.Worse yet,protection remains spotty at best, sincenetwork performance must be balanced against networksecurity.There remains no protection whatsoever within eachnetwork segment—only protection against threats that try toleap from one segment to another.

The result is predictable.Businesses spend tremendous amountsof time and money on internal protection,but fail to cover thefollowing critical areas:

• Stop all attacks,even new attacks unknown to security experts

• Operate without dropping network packets or blocking normal operations

• Provide protection without generating large numbers of false positives that must be individually investigated

• Deliver comprehensive protection across all internal networks, inclusive

• Block unauthorized wireless networks, software applications and network devices in real-time

• Generate real-time insight into security performance across all internal hosts and networks

• Integrate easily with network management applications

The Answer: Align Internal Security More Closelywith the Network ItselfInternal security works best when tools are applied that canmonitor all internal network devices and operations, regardlessof location.In particular,a truly effective internal securitysolution must work at the very high line speeds and highlyswitched/highly segmented topologies common acrossinternal enterprise networks.

Foundry Networks and Lancope recognize that many enterpriseorganizations are concerned with the complexity and cost ofinternal security products or services.By integrating networkbehavior information from existing sFlow routers and switchesdirectly into Lancope’s StealthWatch Xe for sFlow securityappliance, the two companies have aligned security with theinternal networks themselves.

Lancope’s StealthWatch System is specifically designed leveragesFlow data and native capture information to provide that extralayer of internal network protection that enterprise organizationscurrently lack.More importantly,StealthWatch augments basicbehavioral analysis with sophisticated tools that prioritize theseverity of a threat,correlate the severity with the actual risk tointernal resources,and then provide either automated or manualoptions for mitigating the threat and restoring normal operations.

2

These cost-effective security appliances:

• Protect immediately against new threats without reconfiguration—there is no need for attack signatures or protocol anomaly decodes.

• Work equally effectively at the network perimeter and across highly switched internal networks.

• Instantly recognize security policy violations such as new or reconfigured hardware devices and software applications.

• Secure hosts and networks without requiring a host level agent,and do not consume host system resources.

Raw security information,whether gathered via native flowcapture or as part of the normal sFlow routing process,deliversrapid insight into network security operations.Beside theapplication of a very limited number of StealthWatch appliances,little new infrastructure is needed to track unexpected networkbehavior.There are no attack signatures or protocol decodesthat must be switched on or kept up to date.There is no timedelay between the emergence of a threat and the availability ofa signature.The network is fully protected,even against threatsthat have not been identified or for which no structured responseyet exists.

This network behavior analysis approach to security is especiallyvaluable for protection against network availability (zero-day)threats.Compromised systems generate flow data that carriesvery distinct behavioral characteristics.Monitoring for thesepatterns identifies active threats as soon as they become evidenton the network.There is no need for IDS/IPS signatures to beavailable or active,resulting in far fewer false positives,and noneed for redirecting traffic through security chokepoints thatimpact performance.

StealthWatch is ready to work immediately upon installation,and requires minimal customization.Its flexible,zone-basedapproach adapts easily to changing network needs and auto-matically quarantines problems before they spread.In addition,StealthWatch’s easy-to-use Concern Index quickly guidesadministrators to the most urgent security events.

The Security Benefits of sFlowsFlow is an internationally recognized standard (RFC 3176) foracquiring network and operational data from across TCP/IP-basednetworks.In the case of Foundry Networks,sFlow information iscaptured using a dedicated,high-speed ASIC within each routeror switch.This unique design means that the data stream can becaptured at line speeds—even across gigabit networks (or faster).

sFlow was designed specifically to help administrators:

• Improve network usage and application performance

• Reduce IP service and application costs

• Detect and classify security incidents

sFlow relies on statistical sampling of packet headers and payloadsin order to determine the current network state.Administratorscan easily balance detail versus performance by changing thesampling rate. sFlow also provides for time-based sampling fornetwork interface statistics.This capability represents anotherresource for network performance data.

STEALTHWATCH NETWORK BEHAVIOR ANALYSIS (NBA) AND RESPONSE

THREAT DETECTION DETECT ZERO-DAY ATTACKS, WORMS, VIRUSES AND

OTHER MALWARE

POLICY COMPLIANCE DISCOVER UNAUTHORIZED APPLICATIONS AND PREVENT

NETWORK MISUSE BY INTERNAL USERS

PRIORITIZATION FOCUS ON THE EVENTS THAT MATTER MOST

END-POINT INTELLIGENCE MAINTAIN HOST INTEGRITY AND IDENTIFY ROGUE DEVICES

AND APPLICATIONS

NETWORK INTEGRITY MAINTAIN NETWORK HEALTH THROUGH NETWORK-WIDE

VISIBILITY AND FLOW ANALYSIS

AUTOMATED MITIGATION QUARANTINE COMPROMISED HOSTS TO LIMIT FURTHER EXPOSURE

LOGGING AND ANALYSIS INVESTIGATE AND DIAGNOSE INTERNAL SECURITY THREATS

TRAFFIC ACCOUNTING MONITOR NETWORK PERFORMANCE AND USAGE

3

sFlow gives administrators the ability to embed security deeplywithin normal network operations.These systems scale easily.Since the data source is the router itself,data collection capabi-lities grow automatically with each new router deployment,and one or two security appliances can monitor a number ofseparate routers.

Compromised networks or hosts generate distinctive trafficpatterns that are easily captured using sFlow.StealthWatch usessFlow’s ability to peer inside packets and payloads in real-timeto help administrators easily locate additional detail that mightindicate a security threat—and thereby be able to respond beforeonline assets can be lost or damaged.As a result,StealthWatchhelps deliver complete coverage for internal,highly switched orhighly segmented networks.If it touches a sFlow-capable router,it can be monitored by the StealthWatch security solution.

StealthWatch’s network behavior analysis approach to securityis especially valuable for protection against network availability(zero-day) threats.Compromised systems generate sFlow datathat carries very distinct behavioral characteristics.Monitoringfor these patterns identifies active threats as soon as they becomeevident on the network.There is no need for IDS/IPS signa-tures to be available or active,no need for deep packet analysisand no need for redirecting traffic through security chokepointswhich impact performance.

StealthWatch Xe for sFlow is extremely cost-effective.As men-tioned above, there is no need for separate hardware or softwareto capture security data or detect unexpected network behaviorbeyond the monitoring appliance itself.By removing a levelcomplexity from the security infrastructure,administratorssignificantly lower the need for duplicated services and reducethe demands on staff.

StealthWatch Xe for sFlow – How to SecureInternal NetworksThe challenge for any sFlow-based security solution is to separatesFlow security data from other network performance issues,then to find and correlate disparate sFlow records and reassemblethat information to reflect specific communications sessions.

StealthWatch Xe for sFlow uses Lancope’s proven,award-winningbehavioral analysis and response technology to quickly andautomatically sift large amounts sFlow data to baseline expectednetwork behavior and provide a real-time overview of the currentsecurity situation across the breadth of the enterprise.StealthWatchthen quickly identifies deviations that indicate security threats,prioritizes the severity of attacks and provides guidance for theappropriate level of response.

Each StealthWatch Xe appliance supports multiple sFlow routersand/or switches with extremely rapid traffic analysis—up to 10 times the bandwidth of native packet capture technologies.Appliances are easily managed through a centralized StealthWatchmanagement console,and cooperate fully with other parts ofthe StealthWatch family.

StealthWatch quickly and automatically separates securityinformation from unrelated data such as hardware and softwarefailures or unexpected but benign surges in traffic. In addition,StealthWatch can account for both scheduled and unexpectedchanges to networks so that security and network operationsstaff are better informed of each others’activities.

sFlow routers and switches generate huge volumes of data,which is why ad hoc or home-brewed sFlow security solutionsrarely scale easily or capture the full breadth and depth ofpotential attacks.With StealthWatch,the application of sFlow

FOUNDRY SFLOWENABLED L2 & L3 SWITCHES

FOUNDRY SFLOWENABLED L2 & L3 SWITCHES

NETWORK MONITORING AND REPORTING CONSOLES

SFLOWCOLLECTION & ANALYSIS

FOUNDRY INMSFLOW COLLECTOR

ARPWATCHANALYZER

SNORT IDSANALYZER

3RD PARTYSFLOW COLLECTOR

SAMPLED SFLOWDATA COLLECTION

FOUNDRY EMBEDDED SFLOW AND LANCOPE INTERFACE

• ASIC-based sFlow (RFC 3176) support for fast, low overhead monitoring

• Reduces cost and complexity of provisioning probes throughout the switched network

• Eliminates the need for SPAN and mirror ports

• Protocol Independent (IPv4, IPv6, MPLS, IPX, AppleTalk) to ensure all traffic is seen

• Integrated with Lancope StealthWatch Xe anomoly detection system for highly- scalable Zero-Day solution

4

to network security moves from an online hunt for a proverbialneedle in a haystack into a structured,near-real-time and pro-active approach to stopping any attack before internal resourcesare put at risk.Lancope’s deep experience in automaticallycollecting,parsing and analyzing security data for unexpectedbehavior delivers a solution that performs rapidly under heavydata loads without impeding normal network operations orinterfering with other sFlow data usages.

Since StealthWatch protects networks without attack signatures,administrators receive superior protection without risking falsepositives or missed attacks.Built-in business rules and intelligentalerting streamlines reponse, including the delivery of key

what-if information to help staff quickly determine the bestcourse of action for any given security incident.StealthWatch’sability to link threats to originating devices and probable targetsalso helps defend individual hosts and devices against attack or misuse.

A pair of StealthWatch Xe NBA appliances can replace five,ten or more firewall/IDS/IPS devices,while delivering bettervisibility into what is happening on the network in real-time.As a result,StealthWatch represents a very cost-effectivealternative to traditional security infrastructure that requireshigh degrees of tuning and still misses many common threats.

COLLECT AND ANALYZE FLOWS

FLOWS

1ESTABLISH BASELINE OF BEHAVIORS

2

ALARM ON ANOMALY BEHAVIORS

3

BEHAVIOR

NUMBER OF CONCURRENT FLOWS

PACKETS PER SEC

BITS PER SECOND

NEW FLOWS CREATED

NUMBER OF SYNS SENT

TIME OF DAY

NUMBER OF SYNS RECEIVED

RATE OF CONNECTION RESETS

DURATION OF THE FLOW

MANY OTHERS…

STEALTHWATCH BEHAVIOR ANALYSIS AND ANOMOLY DETECTION

Critical Servers Exchange Servers Webservers Marketing

Anomaly Detected inHost Behavior

threshold

threshold

threshold

threshold

DATACENTER

MARKETINGSALES

XE-500 XE-1000

SMCSTEALTHWATCHMANAGEMENT

CONSOLE

sFlow sFlow

REGIONALOFFICE

REGIONALOFFICE

DR SITE

G-1

mirror

M-250

tap

STEALTHWATCH DEPLOYMENT

5

The ProductsStealthWatch Xe for sFlow—aggregates high-speed (up to10GB) network behavior data from multiple sFlow networks ornetwork segments to extend StealthWatch protection acrossgeographically dispersed enterprise networks.StealthWatch Xedelivers extremely rapid traffic analysis—up to 10 times morebandwidth than with native packet capture technologies,and isan ideal solution for remote networks or high-speed internalnetwork segments.

StealthWatch NC—provides fast,accurate native flow capturethat rapidly identifies unexpected or unauthorized networkbehavior.Powered by its patent-pending,flow-based architecture,StealthWatch provides a cost-effective,easy-to-manage,singlepoint of reference for optimizing security and network operations.StealthWatch NC is captures a greater range of security infor-mation than StealthWatch Xe,but operates at slightly slowerline speeds.

StealthWatch Management Console—manages,coordinatesand configures StealthWatch appliances to correlate securityand network intelligence and deliver real-time insight intocurrent network behavior.Featuring Java-based platformindependence, the StealthWatch Management Console enablesinstant data correlation, traffic visualization and consolidatedreporting.Administrators detect and prioritize security threats,pinpoint network misuse and suboptimal performance,andmanage incident response across the enterprise—all from asingle control center.

The Value PropositionLancope’s StealthWatch security family helps Foundry Networkscustomers reconcile three often conflicting network securityneeds:

• Faster,more accurate,more effective internal network security

• Reduced complexity and simplified day-to-day management

• Lower purchase cost and more affordable long-term total cost of ownership

The advantages of this system are clear.StealthWatch:

• Is easy to install,manage and update

• Protects without dropping packets or blocking services

• Covers all internal network infrastructure—even high-speed,highly switched or highly segmented networks

• Responds in real-time to threats that evade firewall,antivirus or IDS/IPS

• Instantly recognizes unauthorized network traffic or devices—and the reasons behind the unexpected events

• Provides a true,enterprise-wide overview of overall security performance in real-time

• Leverages existing Foundry Networks sFlow infrastructure to maximize the utility of each security budget dollar

Proven,scalable,cost-efficient network securitytechnology.

Lancope is the leading provider of network behavior analysis(NBA) and response solutions,with a proven record of successin over 200 enterprise customers—more than all direct com-petitors combined.Both OPSEC and Common Criteria-certified,StealthWatch was named an InfoWorld 2005 Technology of theYear,and a 2006 Secure Computing Awards winner.

Leverages existing Foundry Networks sFlowequipment.

sFlow-based routers and switches can transparently capturedetailed data that can be applied directly to network security.However,relatively few enterprise organizations take advantageof the hardware and software already in place in order to improvetheir security operations.StealthWatch uses sFlow data togenerate detailed session and transaction information withoutrequiring additional native capture devices.StealthWatch thenapplies powerful correlation and analysis to organize thisinformation for alerting and response.

Easy to install,manage and update.

StealthWatch is a self-tuning security solution that is readywithin hours of installation—plus automatically learns what itneeds to improve protection over time.Unlike antivirus andIDS/IPS,StealthWatch does not require attack signatures, so itis never out of date,and protects against threats for which attacksignatures do not yet exist.A small number of StealthWatchappliances can provide comprehensive coverage for largenumbers of hosts across massive internal enterprise networkenvironments.

Works without dropping packets or blocking services.

StealthWatch works by baselining normal network behavior.Any variance from expected patterns of use triggers an alert.StealthWatch then automatically prioritizes the severity of thethreat,balances relative risk against the value of the affectednetwork assets,notifies appropriate staff,and optionally takesdirect action to isolate and minimize the attack.StealthWatch’spassive operation means that this exceptional level of protectionworks without dropping packets or blocking services.There arevery few false positives,and little or no effect on networkperformance or trust relationships.

6

End-to-end coverage of the internal networkinfrastructure.

StealthWatch detects and mitigates all threats,including internalmisuse,device and application misconfiguration,and securitypolicy violations –even at very high line speeds on highlyswitched or highly segmented internal networks.StealthWatchdoes not use software agents, so it can protect both networksand hosts.Each StealthWatch Xe for sFlow appliance canaccept data from multiple sFlow routers and switches,whichmakes StealthWatch an extremely scalable and cost-efficient to operate.

Responds in real-time to threats that evade perimeter defenses.

StealthWatch instantly detects threats that originate inside the network perimeter,attacks waged from within encryptednetwork traffic,and the presence of unauthorized internalnetwork connections and applications.As such, it represents amuch more efficient use of security budget than internaldeployments of firewalls and IDS/IPS.

Instantly recognizes unexpected network traffic—and thereasons behind that traffic.StealthWatch operates transparentlyto detect access policy violations across departments andsecurity zones.This ability to deliver enterprise-wide securityinsight in real-time connects policy violations with specificdevices,anywhere inside the network perimeter—then instantlytransmits this information to appropriate staff.

Provides a true, enterprise-wide overview of securityperformance in real-time.

StealthWatch monitors all connected devices within anenterprise organization’s internal networks.Each appliancedelivers end-point intelligence on up to 512,000 individualnetwork devices. In addition,StealthWatch enables “virtualsecurity zones”that simplify protection for complex coveragerequirements.Administrators gain the ability to efficientlymanage complex multiple security structures without requiringsignificant amounts of additional hardware and software.

About Foundry NetworksFoundry Networks®,Inc.(Nasdaq:FDRY) is a leading providerof high-performance enterprise and service provider switching,routing and Web traffic management solutions including Layer2/3 LAN switches,Layer 3 backbone switches,Layer 4 - 7application switches,wireless LAN and access points,accessrouters and metro routers.Foundry’s 9,300 customers include theworld’s premier ISPs,metro service providers,and enterprisesincluding e-commerce sites,universities,entertainment,healthand wellness,government,financial,and manufacturingcompanies.For more information about the company and itsproducts,call 1.888.TURBOLAN or visitwww.foundrynetworks.com.

About LancopeLancope is the leading provider of network behavior analysis(NBA) and response solutions that defeat zero-day worms,internal network misuse and other anomalies that compromisenetwork integrity.Lancope’s StealthWatch System integratessecurity and network management technology to reducenetwork risks and maximize network availability by rapidlyidentifying,prioritizing and mitigating critical threats,whethernew or well-known.Both OPSEC and Common Criteria-certified,StealthWatch was named an InfoWorld 2005Technology of the Year.Defending the networks of Global 2000organizations,academic institutions and government entities,StealthWatch protects over 200 enterprise customers,more thanall direct competitors combined.Lancope’s Technology AlliancePartners include Foundry Networks,ArcSight,IBM Tivoli,LURHQ and CheckPoint.Lancope is a privately held,venture-backed company headquartered in Atlanta,Georgia.For moreinformation,call 888-419-1462 or visit www.lancope.com.

7

© 2006 Foundry Networks, Inc.All Rights Reserved.Foundry Networks,BigIron,NetIron, IronShield, IronView,IronWare, JetCore, JetScope,MetroLink,Terathon,TrafficWorks,Power of Performance and the ‘Iron’ family of marks are trademarks or registered trademarks of Foundry Networks, Inc. in the United States and other countries. sFlow is a registeredtrademark of InMon Corporation. All others are trademarks of their respective owners.

© 2006 Lancope, Inc. Lancope is a registered trademark and StealthWatch™ is a trademark of Lancope, Inc.All other registered or unregistered trademarks are the sole property of theirrespective owners.

Lancope3650 Brookside PkwyBrookside Concourse 100,Suite 400Alpharetta,Georgia 30022

Tel:+1 770.225.6500Fax:+1 770.225.6501

www.lancope.com

FDRY_CI-747_SOLGUIDE_2006_04_Rev01 8

Foundry Networks, Inc.Corporate Headquarters4980 Great America ParkwaySanta Clara,CA 95054

U.S.and Canada Toll-free:1-888-TURBOLAN (887-2652)Tel:+1 408.207.1700 Fax:+1 408.207.1709

[email protected] www.foundrynetworks.com

Although Foundry has attempted to provide accurate information in these materials,Foundry assumes no legal responsibility for the accuracy or completeness of the information.More specific information is availableon request from Foundry.Please note that Foundry’s product information does not constitute or contain any guarantee,warranty or legal binding representation,unless expressly identified as such in duly signed writing.