A network-based anomaly detection (NBAD) system can detect network events that are beyond the capabilities of traditional network security systems such as IPSs and firewalls. Areas of particular strength for NBAD systems are distributed denial of service (DDoS) attacks, worm outbreaks, and other anomalies that manifest themselves in the network traffic. When we talk to our customers, we recommend where to place our NBAD solution, Esphion netDeFlect®, based on what concerns them most.
For example, if a web-hoster wants to protect their network from incoming DDoS attacks, it is important to place the NBAD system outside of their firewalls. Why? Because a firewall may filter some of the DDoS traffic. A stateful firewall will not allow any packet to pass that does not belong to an already established connection; an exception is usually made for packets that start a new connection, such as TCP SYN packets to port 80 in the case of a web-hoster. Since many DDoS attacks use randomized source addresses, and may use packets other than TCP SYNs to port 80 (to continue with the simple example), the packets used in the flood may actually be blocked by the firewall. It is easy to see that this is not a sufficient defense: by the time the firewall drops the packets, the access links are already filled up, or the firewall itself may be overloaded. For the web-hoster, it is important to detect the attack quickly and to get detailed filter recommendations, which can then be passed on to the upstream equipment for more efficient filtering.
Had the NBAD solution been deployed behind the firewall, it would not have seen the anomalous traffic at all in this example. Therefore, if you want to detect incoming DDoS attacks, the anomaly detection solution should be placed outside of the firewalls, where we can be sure of complete insight into all the traffic.
The story is entirely different for someone concerned about the detection of worm outbreaks in their network.
As I discussed in previous postings, a worm may appear in the network at any time and at any place. The biggest threat is what has become known as the dissolving perimeter: we can no longer rely solely on perimeter defenses such as firewalls and IPSs. The ubiquity of mobile devices, the extranet connections that need to be provided to business partners, and the presence of wireless access points all blur the demarcation line between the 'trusted' and 'untrusted' parts of the network.
In my posting about network self-vaccination, I tried to point out that we need an adaptive security system, one that can detect when something happens within the network and that allows the network to adapt and defend itself. Therefore, if the detection of worm outbreaks is important, the NBAD solution should be deployed deep within the network. That is where a worm will start to scan or spread, and that is where it needs to be detected. The same firewall that might block incoming DDoS traffic might also block the worm's outgoing scans, so an NBAD solution placed outside of that firewall will have only limited success in detecting an internal worm outbreak.
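Both placement arguments above (the DDoS case and the worm case) can be shown with a small simulation. The following Python is an added illustration, not Esphion code and not netDeFlect's actual detection logic: it models a toy stateful firewall with the web-hoster policy from the example, a detector with two simple checks (many distinct sources hitting one service, and one internal host probing many hosts on one port), and a sensor that sits either on the Internet side or on the protected side of the firewall. The addresses, thresholds and the egress policy (outbound SYNs only to 80/443) are constructed assumptions for the example.

```python
# Added illustration (not Esphion code): how sensor placement relative to a
# stateful firewall changes what an anomaly detector can see. Addresses,
# thresholds and the firewall policy are constructed for this example.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    syn: bool       # TCP SYN flag (new connection attempt); False for UDP
    inbound: bool   # True when the packet enters the protected network


class StatefulFirewall:
    """Toy stateful firewall with the web-hoster policy from the post (assumed):
    inbound, only TCP SYNs to port 80 or packets of a flow opened from inside
    are passed; outbound, SYNs to ports other than 80/443 are dropped."""

    def __init__(self, inbound_ports=(80,), outbound_ports=(80, 443)):
        self.inbound_ports = set(inbound_ports)
        self.outbound_ports = set(outbound_ports)
        self.flows = set()  # (external_host, internal_host, dport)

    def passes(self, p: Packet) -> bool:
        if p.inbound:
            if p.proto == "tcp" and p.syn and p.dport in self.inbound_ports:
                return True
            return (p.src, p.dst, p.dport) in self.flows
        if p.proto == "tcp" and p.syn and p.dport not in self.outbound_ports:
            return False
        self.flows.add((p.dst, p.src, p.dport))  # replies to this flow may come back in
        return True


class AnomalyDetector:
    """Two checks in the spirit of the post: a flood (many distinct sources to
    one service) and a scan (one internal host probing many hosts on one port)."""

    def __init__(self, flood_sources=50, scan_targets=20):
        self.flood_sources = flood_sources
        self.scan_targets = scan_targets
        self.by_service = defaultdict(set)   # (dst, proto, dport) -> set of sources
        self.by_scanner = defaultdict(set)   # (src, dport) -> set of destinations

    def observe(self, p: Packet) -> None:
        if p.inbound:
            self.by_service[(p.dst, p.proto, p.dport)].add(p.src)
        elif p.syn:
            self.by_scanner[(p.src, p.dport)].add(p.dst)

    def findings(self):
        out = []
        for (dst, proto, dport), srcs in self.by_service.items():
            if len(srcs) >= self.flood_sources:
                out.append({"kind": "ddos", "target": dst, "sources": len(srcs),
                            # filter recommendation to hand to upstream equipment
                            "filter": f"drop {proto} dport {dport} to {dst}"})
        for (src, dport), dsts in self.by_scanner.items():
            if len(dsts) >= self.scan_targets:
                out.append({"kind": "scan", "host": src, "targets": len(dsts),
                            "filter": f"quarantine {src} (tcp/{dport} scan)"})
        return out


def sample_traffic():
    """Constructed traffic: a little legitimate web traffic, a spoofed-source UDP
    flood against the web server, and an internal host scanning port 445."""
    web = "192.0.2.10"
    pkts = [Packet(f"198.51.100.{i}", web, "tcp", 80, True, True) for i in range(1, 6)]
    pkts += [Packet(f"203.0.113.{i}", web, "udp", 123, False, True) for i in range(1, 201)]
    pkts += [Packet("10.0.0.7", f"10.1.0.{i}", "tcp", 445, True, False) for i in range(1, 61)]
    return pkts


def simulate(placement, traffic=None):
    """placement="outside": sensor on the Internet side of the firewall;
    placement="inside": sensor on the protected side. Returns the findings."""
    if placement not in ("outside", "inside"):
        raise ValueError("placement must be 'outside' or 'inside'")
    fw, det = StatefulFirewall(), AnomalyDetector()
    for p in sample_traffic() if traffic is None else traffic:
        # The sensor sees a packet before the firewall when it sits on the side
        # the packet comes from, and only after the firewall otherwise.
        before_fw = (placement == "outside") == p.inbound
        passed = fw.passes(p)          # the firewall processes every packet
        if before_fw or passed:
            det.observe(p)
    return det.findings()


if __name__ == "__main__":
    for placement in ("outside", "inside"):
        print(placement, simulate(placement))
```

Run as a script, the outside sensor reports only the flood (with a filter recommendation for the upstream router) because the firewall already dropped the worm's outbound SYNs before they reached it, while the inside sensor reports only the scan because the firewall already dropped the spoofed UDP flood. That is the whole placement argument in miniature.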
To sum it all up: NBAD is a great way to detect some of today's most pressing network and security events. However, choosing the right place to deploy it matters: for DDoS attacks, deploy outside of the firewalls; for worm outbreaks, deploy deep inside your network.
Juergen Brendel
CTO
Esphion Ltd.