Rollout: Profiler Spots Bad Guys - InformationWeek

Randy George

Rollout: Profiler Spots Bad Guys

Mazu's NBA appliance will help IT make more intelligent decisions and better react to security threats on the LAN and WAN.

More than one in four U.S. financial institutions will purchase a network behavioral analysis system this year, according to Gartner. We think that's a believable projection--after all, in this post-TJX world, what you don't know about what's accessing your network can get you fired.

CLAIM:  Mazu promises to help IT better understand how users, applications, and systems interact on both the LAN and WAN. Profiler analyzes network flow statistics and performs deep-packet inspection to reveal hidden issues that impact both service quality and security.

CONTEXT:  Mazu competes with the likes of Arbor Networks, Lancope, Q1 Labs, and Sourcefire. Mazu is a top player in the network behavioral analysis market, and its Profiler appliance is priced as such, running up to $150,000 for a typical enterprise deployment.

CREDIBILITY:  Profiler 8 is a robust network analytic product, but its security features may overlap with intrusion-prevention systems. Still, Profiler's ability to integrate with third-party network management and security tools will help IT build a comprehensive reporting and security strategy.
Network behavioral analysis, or NBA, has matured from a niche technology into a necessary element in a comprehensive security strategy, but these products aren't just for the security team: The insight they provide about users, applications, and network performance will be useful across the organization, a factor that can help make their high cost palatable.

We put Mazu Networks' Profiler to the test in our Boston Real-World Partner Labs and were impressed with its ability to alert on suspicious traffic, though we would've liked more reporting on latency, and the GUI could use polish.

The magic behind NBA products, including Profiler, is the network flow technology found in switches and routers. Cisco helped pioneer the concept with its NetFlow packet flow analysis, based on the IPFIX open standard. NetFlow records provide information that can be used to manage availability and performance and to troubleshoot problems. Extreme Networks, Foundry Networks, and others use a similar open standard, sFlow, that differs from NetFlow primarily in the way data is collected. This Layer 3 network analysis is great for a general bird's-eye view of how your network is being used, but what about security? Today, clever worms and peer-to-peer applications can hop ports, even tunnel inside traffic deemed legitimate. To beat them at their own game, you can use port and/or VLAN mirroring to send a copy of the entire packet to an NBA system like the Mazu Profiler for analysis. This way, the unique characteristics of worms and P2P apps can be detected through deep inspection. The Profiler we tested can accept mirrored traffic at full interface speed via its dual Gigabit Ethernet interfaces. However, the remote office sensor sent for review was capped at a 45 Mbps sample rate--fine for flow analysis, but not fast enough for deep packet inspection.

We placed the core Profiler collector appliance in a live production network comprising 30 edge switches and a core Layer 3 switch, all from Extreme. Before going live with our testing, we took advantage of Profiler's ability to import, in bulk, the management IP addresses of all switches and routers in our infrastructure. At the same time, we added all of the subnets on our internal network so Profiler could determine which address spaces exist inside and outside the core. Last, and most important, we let Profiler listen in on network activity for a couple of weeks to establish a baseline of normal behavior. Once the appliance had a general picture, we could turn up the device's heuristic analysis capabilities to get alerts on suspicious events.

Mazu's Profiler provides robust network analysis

The primary goal of the security portion of our testing was to see how Profiler reacts to today's prevalent network threats: subnet and port scanning by worms and bots. We also tested its ability to alert on P2P and IM applications and denial-of-service attacks.

Out of the box, Profiler attempts to detect attacks and threats based on a scoring system, but we could also configure granular rules and set up alerts based on almost any combination of source/destination network, host, port, application, interface, and so on. To simulate how Profiler would react to a port scan, we used Nmap to execute a TCP SYN sweep against one of our file servers. Almost immediately, we received an e-mail alerting us to the scan, with a PDF attachment containing details about the attack.

We then configured a rule to watch for IM traffic on a subnet and told Profiler to warn us of attempts to create a large number of TCP/25 connections. Like clockwork, Profiler sounded the alarm when we kicked off an AIM session and when we simulated an SMTP mailbot and attempted to hijack open relays on our internal subnets.
