Security
FEATURE
Fireproofing Against DoS Attacks

  December 10, 2001
  By Jeff Forristal

Online Only: The Nonmitigators

Two recent start-ups -- Asta Networks and Arbor Networks -- sell anti-DoS solutions but take a slightly different approach to attack mitigation. Their products perform data analysis on abnormal traffic patterns and act as advisers on how to fix any problems that are identified. The products' lack of automatic mitigation (not necessarily a bad thing) kept them out of our comparative review, but we still had a chance to test the solutions, Arbor's Peakflow DoS 1.5 and Asta's Vantage System Enterprise 2.0.

Both products use a multiple-distributed-sensor and management-system topology, letting them collect information from many collection points and process it all to form the big picture. Both receive information from infrastructure equipment capable of sending NetFlow data streams, typically Cisco Systems and Juniper Networks routers. However, Arbor and Asta also have alternate data-collection means available, because enabling NetFlow on moderately used equipment could affect performance.



Online Only: Nonmitigating Anti-DoS Solution Features (chart)

Traffic-analysis tools like those from Asta and Arbor are great because they are unlikely to miss an attack -- anything out of the ordinary is logged for review. The downside is that, well, everything out of the ordinary is logged for review, whether the anomaly has legitimate or suspicious origins. This could lead to false alarms and an increased workload for administrators needing to verify each anomaly, but it's a price you may be willing to pay to catch even the smallest, smartest and stealthiest DoS attacks of today and tomorrow.

Arbor Networks Peakflow

Being the geeks that we are, we cracked a rather large smile when Arbor's Peakflow test rig arrived. It comprised a large, mobile equipment rack stuffed with Dell Computer Corp. systems and Cisco devices. Granted, it was a fully self-contained demonstration lab meant more for trade-show use, but gear is gear, and the more the merrier.

First, Peakflow has the best traffic-analysis interface of all the products we tested. The underlying OS, ArbOS, is a derivative of the rough and tough OpenBSD operating system. The company has gone with a Web-based GUI using straight HTML -- no Java applets or JavaScript. While this means no real-time graphs, Peakflow is still quite usable.

The biggest strength is Peakflow's traffic-breakout analysis -- as it should be, since this is the main product value. During a traffic anomaly, Peakflow will show grouped breakouts of a large number of traffic characteristics. The admin's job is to scroll through the list, pick the criterion that appears anomalous, then click a button, which results in generated ACLs for Cisco or Juniper routers. After a final review, the ACLs are installed by the admin on the proper router, and life is good. We hope.

The downside to this approach is that it requires the user to be somewhat fluent in TCP/IP basics and to have a basic awareness of how DoS attacks work. But the strengths are apparent: Users with even an average working knowledge of network protocols will be able to wrangle and mitigate even the most obscure attacks. Peakflow equips the user with massive amounts of highly organized information, which allows him or her to efficiently analyze the problem and formulate an accurate solution right on the spot.
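The breakout-then-ACL workflow described above, as an added example; it is not Arbor's code or algorithm. The flow records, field names and the `rank_shifts` and `draft_acl` helpers are constructed for illustration. It ranks traffic characteristics by how much their packet share grew over a baseline, then drafts Cisco IOS extended ACL text for the admin to review.

```python
from collections import Counter

FIELDS = ("src", "dst", "proto", "dport", "flags")

# Constructed flow summaries (documentation addresses), not real NetFlow export:
# (src, dst, proto, dport, cumulative TCP flags, packets)
BASELINE = [
    ("203.0.113.5", "192.0.2.10", "tcp", 80, "SAPF", 400),
    ("203.0.113.9", "192.0.2.10", "tcp", 80, "SAPF", 350),
    ("203.0.113.20", "192.0.2.10", "tcp", 443, "SAPF", 250),
]
# Same legitimate traffic plus one source sending only SYNs.
ANOMALY = BASELINE + [("198.51.100.77", "192.0.2.10", "tcp", 80, "S", 9000)]


def breakout(flows):
    """Share of total packets held by each value of each field."""
    totals = {f: Counter() for f in FIELDS}
    for *values, packets in flows:
        for field, value in zip(FIELDS, values):
            totals[field][value] += packets
    grand = sum(flow[-1] for flow in flows)
    return {f: {v: n / grand for v, n in c.items()} for f, c in totals.items()}


def rank_shifts(baseline, current):
    """(growth, field, value) sorted by growth in packet share over baseline."""
    base, cur = breakout(baseline), breakout(current)
    shifts = [(round(share - base[f].get(v, 0.0), 3), f, v)
              for f, shares in cur.items() for v, share in shares.items()]
    return sorted(shifts, key=lambda s: s[0], reverse=True)


def draft_acl(field, value, acl_id=150):
    """Draft Cisco IOS extended ACL text for an admin to review and install."""
    templates = {"src": "deny ip host {} any", "dst": "deny ip any host {}"}
    if field not in templates:
        # e.g. a flags-only criterion has no simple address filter
        raise ValueError(f"no ACL template for criterion {field!r}")
    return [f"access-list {acl_id} {templates[field].format(value)}",
            f"access-list {acl_id} permit ip any any"]


if __name__ == "__main__":
    for growth, field, value in rank_shifts(BASELINE, ANOMALY)[:3]:
        print(f"{field}={value}: share up {growth:+.1%}")
    print("\n".join(draft_acl("src", "198.51.100.77")))
```

The destination address holds 100% of packets in both samples, so its shift is zero and it does not rank as anomalous; comparing against a baseline rather than raw share is what keeps the busy server itself from being flagged.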

Peakflow DoS 1.5 starts at $130,000 for an enterprise deployment. Arbor Networks, (866) 212-7267, (781) 684-0900; fax (781) 768-3299. www.arbornetworks.com or solutions@arbornetworks.com


Asta Networks Vantage System Enterprise

Asta comes to the table with its Vantage System. We actually reviewed a beta version of the smaller Vantage solution, the Vantage System Enterprise. The product will ship in the first quarter of 2002. The normal Vantage System comes preinstalled on various hardware units, which are deployed at particular points on your network. Vantage System Enterprise is a "lite" version; it is installed on a user-owned Red Hat 7.1 Linux system. Vantage System Enterprise is meant to be more of a personal, portable traffic-analysis tool, making the power of Vantage System's data-analysis engine available for more everyday traffic analysis needs.

While it appears to be the next generation in network monitors, administrators can use the detailed traffic breakouts and reports provided by the Vantage System Enterprise to better understand traffic abnormalities and arm themselves with information needed to coordinate with infrastructure engineers and upstream ISPs to mitigate DoS attacks. Unlike a conventional network monitor, however, Vantage System Enterprise is less portable because of its dependence on NetFlow. You can't just plug it in anywhere you please and expect it to give you traffic analysis.

Even so, Vantage System Enterprise provides many data-analysis features that make it a worthwhile consideration. Its attack-analysis tools are definitely top-notch, with the system even making countermeasure recommendations, and providing short- and long-term trending and a search interface to stored traffic.

Vantage System Enterprise 2.0 starts at $8,000. Asta Networks, (866) 661-2782, (206) 264-2444; fax (206) 264-1888. www.astanetworks.com or sales@astanetworks.com


You Have to Ask Yourself, 'Do I Feel Lucky?'

When evaluating Arbor's Peakflow or Asta's Vantage System versus the tools we tested in this review, ask yourself, "Do I want a device that handles attacks on its own, or do I want to dedicate staff time to mitigating attacks using traffic-analysis tools?"

Sometimes dealing with small, simple DoS attacks (like single-source SYN floods) is easy but can absorb a significant number of man-hours if you're not properly prepared. A device like the FireProof or CaptIO may catch many of these annoyances automatically, but they definitely won't catch everything, and their methods of automatically mitigating attacks may not be the best course of action. Thus, which solution you choose must reflect your available incident-response resources as well as your technological topology. But whatever the choice, you will definitely be better prepared the next time a DoS attack comes knocking on your door.

