Key Capabilities
Visibility and Behavior Analysis
Threat Mitigation
Source Tracking
Bandwidth Management
Segregation by customers or networks
Clean Network Pipe
Stealth Activity Prevention
Threat Containment
Easy Deployment
Visibility and Behavior Analysis
Granular real-time network visibility
Service Providers spend significant time and resources putting out fires, yet have limited means of identifying the sources of these problems. Network slowdowns, dropped connections, usage swings, outages, security breaches, and other issues consume their time. Many service providers react to problems instead of managing their networks proactively. A common reaction to network slowdowns and outages is to purchase additional bandwidth; unfortunately, that costly bandwidth is consumed almost immediately. New Internet applications are helping grow the Service Provider market and creating new streams of revenue, but as more applications and users traverse the networks, service levels tend to decline. There is also the dark side of network consumption: BotNets, targeted attacks, and worms waste precious bandwidth and take a substantial percentage of it away. With competition among service providers shifting to who can provide the greatest level of value, the SLA is the key differentiator.
Given these threats, Service Providers need visibility into their own network. They need to know what services are running on the network, which customer is receiving the most traffic, which user is exceeding bandwidth, whether there is a worm outbreak, whether a non-mission-critical large file download is causing an outage of mission-critical services, and so on. They need to identify the causes of network slowdowns. For network planning purposes, they need visibility into the inventory, dependencies, and usage of the network, and they must be able to leverage that visibility to improve consolidation, segmentation, and disaster recovery planning projects. This in turn helps them budget and allocate costs for network resources.
This approach not only improves the performance of the physical network, but can give service providers the flexibility and customer insight they need to introduce new services or tiered packages and create new revenue opportunities. Visibility into the network gives administrators a clear understanding of the nature of all traffic flows crossing the network, by inspecting the packets on the wire.
IntruGuard’s IG2000 helps monitor and control network activity, helping administrators optimize the network for long-term service improvements and mitigate short-term problems before they impact service levels. It collects usage statistics continuously, offering real-time visibility into all aspects of the network. This helps IT administrators understand the past and the present, as well as make intelligent forecasts of future behavior to pre-empt potential network issues. The device can report abnormal phenomena as they happen and automatically mitigate them to maintain service levels.
IG2000 provides visibility of network traffic at the highest level of granularity in the industry. Packet rates in both directions to different network segments for the following network parameters are available for visualization and for control of bandwidth or access:
With this kind of granularity, shown over historic and current data, administrators and operations staff can easily spot deviations. The system maintains a dynamic baseline, based on past averages, trends and seasonality, for each of the above parameters, and can take action to prevent overages.
Real-time and Historic traffic patterns
Granular graphs and reports of traffic for the past 1 hour, 8 hours, 1 day, 1 week, 1 month, or 1 year are available to the administrator. These graphs give unprecedented visibility into the network and can be used to understand the norm, and thus to recognize the abnormal when it happens.
Threat Mitigation
Targeted attacks
Unlike scan-based attacks, which target any system believed to run a vulnerable service, targeted attacks use lists of known (or potentially) vulnerable servers. When a specific network or server is targeted from the Internet or from inside, that server is placed under significant overload. IntruGuard’s IG2000 can isolate traffic flows at a very granular level and associate them with a specific destination. IG2000 monitors up to 1 million destinations for inbound or outbound targeted attacks.
Similarly, specific ports or services on each subnet are monitored for overloads, and such attacks are mitigated by taking a very specific action.
Worm outbreaks
Worm outbreaks are associated with a rapid increase in network scans, port scans, and/or dark address scans. Infected machines in the Service Provider network or the Internet try to reach out to other machines or their ports to find vulnerabilities and exploit them.
IntruGuard’s IG2000 can immediately detect such outbreaks and identify, isolate and report the infected sources.
Distributed Denial of Service and BotNet attacks
In Distributed Denial of Service (DDoS) attacks, hackers write a program that will covertly send itself to thousands of other computers. These computers are known as 'agents' or 'zombies', because they will act on behalf of the hackers to launch an attack against target systems. A network of such computers is called a BotNet. To circumvent detection, attackers are increasingly mimicking the behavior of a large number of clients. The resulting attacks are hard to defend against using standard techniques, as the malicious requests differ from the legitimate ones in intent but not in content. At a predetermined time, the worm will cause all of these zombies to attempt repeated connections to a target site. If the attack is successful, it will deplete all system or network resources, thereby denying service to legitimate users or customers. E-commerce sites, domain name servers, web servers, and E-mail servers are all vulnerable to these types of attacks. IT managers must take steps to protect their systems, and their businesses, from irreparable damage. Mitigating such attacks requires the algorithmic sophistication, heuristics, high performance and rapid response that are present in the IG2000.
The granular visibility that IG2000 maintains helps it find the self-similarity in attack packets. The key value of IG2000 is its ability to identify an attack within 2 seconds. Each time an attack is detected, prevention is applied for at most 15 seconds, after which the attack is revalidated. Its custom ASICs allow IG2000 to act this quickly while avoiding false positives.
Inbound and outbound attacks
While inbound attacks are most commonly discussed in the industry, it is also important to focus on and prepare for outbound attacks.
Malicious outbound traffic is created when servers in a data center are compromised by malware, usually without the knowledge of the machine’s owner. Outbound DDoS can be a serious threat to service provider or data center revenue because the bandwidth available internally is much higher than what is possible over external links. Outbound attacks can therefore be much more powerful than inbound attacks.
IG2000 provides bidirectional visibility and control and thus can easily prevent unwitting participation in outbound DDoS attacks. All traffic patterns are learned and displayed independently for each direction, and the administrator can control each direction independently.
Source tracking
Distributed DoS attacks and BotNet attacks are a prevalent form of attack, but several studies have found that a relatively small number of attack sources accounts for a large percentage of total attack volume. When a limited number of attackers are involved, a dynamic scheme is required that can trace the attacks back to their sources. IntruGuard IG2000 has a patent-pending mechanism to attribute anomalously high traffic volumes to a limited number of sources. Such tracked sources can be blocked for a longer duration.
IG2000 monitors up to 1 million sources at any given time and maintains a dynamic baseline of independent inbound and outbound traffic thresholds for up to 8 network segments. If a single source exceeds this baseline, either directly or by sending anomalous packets, it is caught immediately, isolated and reported.
Source tracking is useful when there are non-spoofed attacks from a limited number of sources.
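The following is an added illustration, not IntruGuard code, of the two ideas described above: a per-segment dynamic baseline built from past averages with a seasonality term (here, hour of day), and attribution of an anomalous volume to the few sources that account for most of it. The history, flow records, the 3-sigma threshold and the 80% coverage share are all constructed for the example.

```python
"""Dynamic baseline with source attribution (added example, not IG2000 code)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: packets per second for one segment and direction,
# keyed by hour of day, one sample per past day. Hour of day is the
# seasonality term; a production baseline would also carry a trend term.
HISTORY = {
    9: [1200, 1250, 1180, 1300, 1220],
    10: [2100, 2050, 2200, 2150, 2080],
}

# Constructed current-interval flows as (source address, packets) pairs.
NORMAL_FLOWS = [("10.0.0.5", 700), ("10.0.0.6", 650), ("10.0.0.7", 800)]
ATTACK_FLOWS = [("10.0.0.5", 400), ("10.0.0.6", 300), ("10.0.0.7", 350),
                ("10.0.0.8", 380), ("203.0.113.9", 2500), ("203.0.113.10", 1800)]


def baseline(history, hour, k=3.0):
    """Return (mean, upper threshold) for this hour as mean + k * stdev."""
    samples = history[hour]
    mu = mean(samples)
    return mu, mu + k * pstdev(samples)


def attribute_sources(flows, excess, share=0.8):
    """Return the heaviest sources whose combined volume covers at least
    `share` of the traffic above the baseline mean. If no small set of
    sources explains the excess (a widely spoofed flood), the list grows
    long, which is itself the signal that source tracking will not help."""
    per_src = defaultdict(int)
    for src, pkts in flows:
        per_src[src] += pkts
    ranked = sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)
    chosen, covered = [], 0
    for src, pkts in ranked:
        if covered >= excess * share:
            break
        chosen.append(src)
        covered += pkts
    return chosen


def detect(history, hour, flows):
    """Compare the interval's volume with its seasonal baseline; on an
    overage, report the sources that explain it."""
    total = sum(pkts for _, pkts in flows)
    mu, threshold = baseline(history, hour)
    if total <= threshold:
        return {"anomalous": False, "total": total,
                "threshold": threshold, "sources": []}
    return {"anomalous": True, "total": total, "threshold": threshold,
            "sources": attribute_sources(flows, total - mu)}


if __name__ == "__main__":
    print(detect(HISTORY, 10, NORMAL_FLOWS))
    print(detect(HISTORY, 10, ATTACK_FLOWS))
```

Run as a script: the normal interval stays under the hour-10 threshold, while the attack interval is flagged and attributed to the two heavy sources. The point of the coverage share is that it distinguishes a flood driven by a handful of non-spoofed sources (short list, worth blocking for longer) from a broadly distributed one.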
Bandwidth Management
Granular bandwidth visibility and control
IntruGuard IG2000 allows granular visibility of the bandwidth used by customer groups, protocols, services, and network packets of different types. The administrator can set bandwidth thresholds on the following types of packets:
- Layer 2: ARP, RARP, Broadcast, Multicast, VLAN tagged frames, Double Encapsulated VLAN tagged frames, Non-IP
- Layer 3: TOS (256 values), IP Options (32 values), Protocols (256 values), Fragment, Source (up to 1 million), Destination (up to 1 million)
- Layer 4: TCP Ports (64K), UDP Ports (64K), ICMP Types/Codes (64K), TCP Options (32 values), SYN packets, connection establishment rate (up to 1 million connections)
With this type of granular bandwidth control available to the administrator, no single customer, network, protocol, port, etc. can overload the network.
Segregation by customers or networks
IntruGuard IG2000 has a built-in mechanism to segregate the network by one of the following parameters:
- VLAN tag
- Network address/mask
- MAC address
With this type of segregation available for up to 8 groups, the administrator can set distinct and independent policies for each group. This ensures that overages in one group do not impact the others, and the groups remain totally segregated.
For example, if you segregate customers by type, such as business customers, data center customers, residential customers and wireless broadband customers, then each of these groups is restricted to its own bandwidth allocation.
Clean Network Pipe
Protocol header-anomaly, and state-anomaly removal
Many protocol header anomalies can be prevented when a network appliance enforces the standards. Such anomalous packets waste precious bandwidth, and most of them are deliberately crafted to overload networks. By dropping such packets, you can reclaim a significant portion of the wasted bandwidth.
Header anomalies include IP header checksum errors, Land attacks, Loopback addresses, address spoofing, Non-IPv4/v6 packets, TCP, UDP and ICMP header checksum errors, and illegal TCP flag combinations. Anomalous states include illegal TCP state transitions, TCP sequence number violations, and foreign TCP packets.
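As an added example (not IG2000 code) of what enforcing the standards on a header means in practice, the checker below parses a raw IPv4/TCP packet and reports several of the anomalies listed above: an IP header checksum that does not verify, a Land packet (source equals destination), a loopback address on the wire, and illegal TCP flag combinations (SYN+FIN, SYN+RST, no flags). The sample packets are constructed in the block; TCP/UDP/ICMP checksums and the stateful checks are outside its scope.

```python
"""IPv4/TCP header-anomaly checker (added example, not IG2000 code)."""
import ipaddress
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over the IPv4 header. Over a
    header whose checksum field is correct, this returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, flags, bad_checksum=False):
    """Construct a minimal IPv4+TCP packet (sample input for the checker).
    bad_checksum=True deliberately corrupts the IP header checksum."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    csum = ip_checksum(hdr)
    if bad_checksum:
        csum ^= 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + tcp


def header_anomalies(pkt: bytes):
    """Return the list of header anomalies found in one IPv4 packet."""
    findings = []
    ihl = (pkt[0] & 0x0F) * 4
    if ip_checksum(pkt[:ihl]) != 0:
        findings.append("ip-checksum")
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    if src == dst:                      # Land attack
        findings.append("land")
    if src.is_loopback or dst.is_loopback:
        findings.append("loopback")
    if pkt[9] == 6:                     # protocol 6 = TCP
        flags = pkt[ihl + 13]
        if flags & SYN and flags & FIN:
            findings.append("tcp-flags-syn-fin")
        if flags & SYN and flags & RST:
            findings.append("tcp-flags-syn-rst")
        if (flags & 0x3F) == 0:         # "null" scan packet: no flags at all
            findings.append("tcp-flags-null")
    return findings


# Constructed sample packets (documentation/test addresses, not real hosts).
GOOD_PKT = build_ipv4_tcp("198.51.100.7", "203.0.113.20", 40000, 443, SYN)
LAND_PKT = build_ipv4_tcp("203.0.113.20", "203.0.113.20", 443, 443, SYN)
SYN_FIN_PKT = build_ipv4_tcp("198.51.100.7", "203.0.113.20", 40000, 443, SYN | FIN)
NULL_PKT = build_ipv4_tcp("198.51.100.7", "203.0.113.20", 40000, 443, 0)
LOOPBACK_PKT = build_ipv4_tcp("127.0.0.1", "203.0.113.20", 40000, 443, SYN)
BAD_CSUM_PKT = build_ipv4_tcp("198.51.100.7", "203.0.113.20", 40000, 443, SYN,
                              bad_checksum=True)

if __name__ == "__main__":
    for name, pkt in [("good", GOOD_PKT), ("land", LAND_PKT), ("syn-fin", SYN_FIN_PKT),
                      ("null", NULL_PKT), ("loopback", LOOPBACK_PKT), ("bad-csum", BAD_CSUM_PKT)]:
        print(name, header_anomalies(pkt))
```

A dropping filter built on this should be placed after a whitelist for legitimately odd traffic (for example, the loopback check only makes sense on a transit interface, never on a host's own stack).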
Stealth Activity Prevention
Port, Network, Dark Address Scan Prevention
Stealth scans are usually seen as a precursor to real attacks. These include Network Scans, Port Scans and Dark Address Scans.
Network Scans occur when an attacker scans a network to determine which hosts are responding by trying different addresses in the network. Port Scans occur when an attacker scans a host to determine which ports or services are responding by trying different ports on the host. The attacker can use this information to subsequently attack the host or the port.
There are many IP addresses that should never appear as either the source or the destination address of an IP packet. Dark address scans occur when such addresses are used in packets. Dark addresses are also called bogon addresses. In a private network, this means that undefined private addresses should not be expected as source or destination. For example, if an enterprise only uses the 192.168.3.x range within its private domain, then any other private address, such as 192.168.1.x, 192.168.2.x and 192.168.4.x through 192.168.254.x, is illegal. Use of these addresses indicates stealth activity, mostly by infected machines.
In a public network, this means that no bogon prefix should appear as source or destination. A bogon prefix is a route that should never appear in the Internet routing table. A packet routed over the public Internet (not including over VPNs or other tunnels) should never have a source address in a bogon range. Bogon addresses are commonly found as the source addresses of DDoS attacks.
IntruGuard IG2000 allows you to prevent Port, Network and Dark Address Scans. By removing such packets, you clean your pipe as well as reduce the possibility of future attacks.
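The two dark-address rules above, for a private network (only the enterprise's own private range is legitimate) and for a public network (no bogon prefix as source or destination), are demonstrated in the added example below. It is not IG2000 code; the "private" mode takes the allowed prefixes as configuration, the "public" mode uses the well-known RFC 6890 special-purpose prefixes, and the packet records are constructed. Dynamic bogons (space not yet allocated by the registries) are deliberately left out because that list changes over time and must come from a current feed.

```python
"""Dark-address (bogon) detection for private and public networks.
Added example, not IG2000 code."""
import ipaddress
from collections import Counter

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Static bogon prefixes (RFC 6890 special-purpose space). Multicast
# (224.0.0.0/4) is omitted because it is a legitimate destination; a
# production filter also merges the current unallocated-space feed.
BOGON_PREFIXES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "240.0.0.0/4")]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def dark_in_private(addr, allowed):
    """Private-network rule: RFC1918 space that this site does not use."""
    return _in_any(addr, RFC1918) and not _in_any(addr, allowed)


def dark_in_public(addr):
    """Public-network rule: any address inside a bogon prefix."""
    return _in_any(addr, BOGON_PREFIXES)


def scan_packets(packets, mode, allowed=()):
    """Count packets that use a dark address, keyed by their source.
    `packets` is an iterable of (src, dst) strings; `allowed` lists the
    prefixes the private network legitimately uses (private mode only)."""
    allowed = [ipaddress.ip_network(a) for a in allowed]
    hits = Counter()
    for src, dst in packets:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if mode == "private":
            dark = dark_in_private(s, allowed) or dark_in_private(d, allowed)
        elif mode == "public":
            dark = dark_in_public(s) or dark_in_public(d)
        else:
            raise ValueError("mode must be 'private' or 'public'")
        if dark:
            hits[src] += 1
    return dict(hits)


# Constructed samples. Site uses only 192.168.3.0/24; 192.168.3.77 and
# 172.16.4.4 behave like infected machines probing other private ranges.
PRIVATE_SAMPLE = [
    ("192.168.3.10", "192.168.3.1"),
    ("192.168.3.10", "1.2.3.4"),
    ("192.168.3.77", "192.168.7.5"),
    ("192.168.3.77", "10.0.0.9"),
    ("172.16.4.4", "192.168.3.10"),
]
PUBLIC_SAMPLE = [
    ("1.2.3.4", "5.6.7.8"),
    ("127.0.0.1", "5.6.7.8"),
    ("192.0.2.55", "5.6.7.8"),
]

if __name__ == "__main__":
    print(scan_packets(PRIVATE_SAMPLE, "private", allowed=["192.168.3.0/24"]))
    print(scan_packets(PUBLIC_SAMPLE, "public"))
```

The per-source counts are what a "top scanners" report is built from: one dark-address packet may be a misconfiguration, while a source that keeps hitting undefined private ranges is the infected-machine pattern the text describes.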
Threat Containment
Virtualization of network segments and customers to provide isolation
By segregating the network into multiple groups based on IP address/mask, VLAN tag or MAC address, IG2000 isolates each group from the others. This helps contain threats to only the segment that is under attack, while all other traffic continues uninterrupted.
For example, if IG2000 determines that one of the groups is under a SYN flood, it sends SYN-cookie-based responses only for that group, to perform anti-spoofing checks. All other groups see no such return traffic. This reduces the load on the network under attack.
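The added example below, which is not IG2000 code, models the SYN-flood containment just described: destinations are mapped to groups by prefix, a per-group SYN counter decides when a group is under flood, only that group receives SYN-cookie responses, and an ACK that does not carry a valid cookie is dropped as spoofed. Group prefixes, the threshold, the HMAC secret and the cookie layout (8-bit time slot plus 24-bit MAC in the initial sequence number) are all constructed for this illustration.

```python
"""Per-group SYN-cookie anti-spoofing (added example, not IG2000 code)."""
import hashlib
import hmac
import ipaddress
import struct
from collections import Counter

# Constructed segregation policy: group name -> prefixes it owns.
GROUPS = {
    "business": [ipaddress.ip_network("10.10.0.0/16")],
    "residential": [ipaddress.ip_network("10.20.0.0/16")],
}
SECRET = b"constructed-secret-rotate-in-production"
SYN_FLOOD_THRESHOLD = 100   # SYNs per time slot per group (constructed)


def group_of(ip):
    """Map a destination address to its group, or None if unassigned."""
    addr = ipaddress.ip_address(ip)
    for name, nets in GROUPS.items():
        if any(addr in n for n in nets):
            return name
    return None


def _cookie_mac(src, dst, sport, dport, slot):
    """24-bit keyed MAC over the 4-tuple and a coarse time slot."""
    msg = (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
           + struct.pack("!HHI", sport, dport, slot))
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def syn_cookie(src, dst, sport, dport, slot):
    """ISN = 8-bit slot | 24-bit MAC. The server keeps no state for the SYN;
    a real client will echo ISN+1 in its ACK, a spoofed source never will."""
    return ((slot & 0xFF) << 24) | int.from_bytes(_cookie_mac(src, dst, sport, dport, slot), "big")


def validate_cookie(src, dst, sport, dport, ack, now_slot, max_age=2):
    """Accept the ACK only if it echoes a cookie minted within max_age slots."""
    isn = (ack - 1) & 0xFFFFFFFF
    for age in range(max_age + 1):
        slot = now_slot - age
        if slot < 0 or (slot & 0xFF) != isn >> 24:
            continue
        if hmac.compare_digest(_cookie_mac(src, dst, sport, dport, slot),
                               (isn & 0xFFFFFF).to_bytes(3, "big")):
            return True
    return False


class GroupGuard:
    """Tracks SYN rate per group; applies cookies only to the flooded group."""

    def __init__(self):
        self.syn_counts = Counter()      # (group, slot) -> SYNs seen
        self.under_flood = set()

    def on_syn(self, src, dst, sport, dport, slot):
        group = group_of(dst)
        self.syn_counts[(group, slot)] += 1
        if self.syn_counts[(group, slot)] > SYN_FLOOD_THRESHOLD:
            self.under_flood.add(group)
        if group in self.under_flood:
            return "syn-cookie", syn_cookie(src, dst, sport, dport, slot)
        return "normal", None            # other groups: ordinary handshake

    def on_ack(self, src, dst, sport, dport, ack, slot):
        group = group_of(dst)
        if group not in self.under_flood:
            return "normal"
        if validate_cookie(src, dst, sport, dport, ack, slot):
            return "validated"
        return "dropped-spoofed"


if __name__ == "__main__":
    guard = GroupGuard()
    for i in range(SYN_FLOOD_THRESHOLD + 1):   # constructed flood on "business"
        action, _ = guard.on_syn("198.51.100.%d" % (i % 200), "10.10.1.1", 40000 + i, 80, 7)
    print("flooded groups:", guard.under_flood, "last action:", action)
    action, isn = guard.on_syn("1.2.3.4", "10.10.1.1", 5000, 80, 7)
    print("legit client ack:", guard.on_ack("1.2.3.4", "10.10.1.1", 5000, 80, (isn + 1) & 0xFFFFFFFF, 8))
    print("residential SYN:", guard.on_syn("1.2.3.4", "10.20.5.5", 5000, 80, 7))
```

The cookie is only minted and checked for the group whose counter crossed the threshold, so the residential group never sees the extra SYN-ACK traffic; clearing `under_flood` once the rate falls back below threshold (the 15-second revalidation the page mentions) is left to the caller.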
Easy Deployment
Centralized alerts
IG2000 allows the administrator to flexibly specify event notification to email addresses, PDAs or pagers. The administrator can define which events should be notified and at what threshold levels.
Event notification through SNMP traps allows the administrator to view the security breach events on a centralized console for multiple systems.
In addition, a web-based graphical user interface allows the user to view reports on events. Reports available independently for each group of segregated networks include top attacks, top attackers, top sources, top connections, top destinations, top scanners, and top attacked services.
Role-based management and self-service portals
Each user of IG2000 has a well-defined role, which can be modified by the super-user. Users can be restricted in their access permissions to the segregated groups or to operations. Such role-based management is useful in a Service Provider environment, where each administrator can be assigned a distinct responsibility.
Network infrastructure planning
By looking at the granular graphs of network usage for each segregated group, the administrator can see the network growth, its peaks and troughs. This information can be very useful in network infrastructure planning and growth predictions.
See also:
Frequently Asked Questions About DDoS, Botnets and IntruGuard