The updated network defense system now handles higher bandwidth. Among its new features, the most interesting is one click attack mitigation.

by Alex Goldman ISP-Planet Managing Editor [June 16, 2008]

This week, Lexington, Mass.-based Arbor Networks, which completed the acquisition of Ellacoya in February, announces an upgrade to product, Peakflow SP 4.5, and a new device for that product, the Threat Management System 10G.

Arbor was founded in 2000 and went to market in 2001 with Peakflow. "Arbor had a different approach," says Paul Morville, Arbor Networks vice president of product management. "Attacks were growing at such a pace that it seemed clear to us that the service provider, not the enteprise, would have to solve this problem. When a 1 Gbps attack hits a 100 Mbps pipe, you have to solve the problem in the cloud."

With the acquisition of Ellacoya, the company plans to create a unified services control architecture, but integration of the two companies and their products is still underway.

Meanwhile, the company has a major new release, version 4.5 of Peakflow.

Peakflow consists of a collection of appliances designed to provide threat management, security, and network intelligence. The devices are:

• Peakflow SP Collector Platform (CP) for edge of network data gathering
• Peakflow SP Flow Sensor (FS) for customer and hosting networks, for more data gathering
• Peakflow SP Threat Management System (TMS) looks into applications for more in depth monitoring
• Peakflow SP Business Intelligence (BI) for customer premises
• Peakflow Portal Interface (PI), a newer device that works with the GUI

The TMS 10G now handles 10 Gbps in a single box. "Last year, the biggest attack we saw was 24 Gbps," says Morville. "When we started the company [in 2001], the biggest attack was closer to 500 Mbps. We've seen an order of magnitude increase in bandwidth (nearly two orders of magnitude) in six years."

Threats are changing, too. "Threats are more targeted," says Moreville. He says service providers are concerned about web (HTTP) attacks and also DNS attacks.

There are opportunities too, Moreville says. ISPs are interested in expanding into security services or offering more security services. Ownership of the network allows service providers to offer things that consultants cannot, such as DDoS mitigation, he claims.

"If the enterprise buys outsourced security from IBM, they cannot buy DDoS mitigation. Only the upstream provider can offer that. So AT&T can offer DDoS mitigation."

New features
The new TMS device, in addition to covering more bandwidth, can detect specific attacks on HTTP and VoIP (SIP) protocols and offers complex regular expression filters. It also allows ISPs to develop complex traffic shaping rules.

"There's been a shift [in the past six years] from hacking as a hobby to hacking as a profession," says Moreville.

Rikesh Shaw, Arbor Networks director of product management for Peakflow SP, adds that botnet owners prefer targeted attacks because targeted attacks allow the botnet owner to use fewer bots, and botnet owners prefer to avoid exposing all of their bots in any one attack.

The most interesting innovation in this release, in my opinion, is the mitigation template. This allows a skilled network technician to pre-program a response to an anticipated attack, allowing a line technician in the security operations center (SOC) to activate the response with a single click.

"This can allow providers to immediately address the threat," says Shaw.

Of course providers have to be careful when they build the template. I'm reminded of the apocryphal story of the technician who wrote the perfect spam filter only to find that he was blocking 100 percent of e-mail.

"Some customers say they will never use auto-mitigation," Shaw admits. "I'd say 40 percent of service providers are comfortable with the system. One click mitigation not only reduces the operations burden but also makes it easier to get services up and running. Service providers are now able to roll out security services to all customers that in the past might have been offered only to the top tier of customers, such as banks."

Pricing and availability
Peakflow SP 4.5 and the new TMS 10G are available now. Pricing is not disclosed.

—End