Internet.com ISP-Planet
ISP News

Intrusion Detection Systems:
Top Layer Networks

As traffic speeds increase and security concerns get more complex, how can anyone keep a close eye on every segment of their network? Top Layer Networks says it can help your ISP maximize the productivity of each intrusion detection system you deploy.

by Jeff Goldman
[January 16, 2002]

Top Layer Networks was founded in 1997 as BlazeNet, a supplier of advanced communications technology. Two years later, the company changed its name to Top Layer Networks. With offices in 20 countries, the company now provides solutions for over 200 customers worldwide, including such service providers as Global Crossing, Exodus, and Host Pro, now part of Interland.

Joni Moore, Top Layer's Senior Director of Marketing Operations, suggests that the global diversity of the company's customers says a lot about the quality of its product. "We have a very broad customer base," she said. "The product has proven to be very effective in a lot of areas of security."

Worldwide, Top Layer's flagship solution is called AppSwitch—except in the United States, where it's known as AppSafe. "We kept on hitting up against a response of 'I buy my switches from Cisco,' and we had to explain what we were," Moore said. "It wasn't an issue overseas, so we just decided to change it to AppSafe in the United States."

Top Layer Networks
2400 Computer Drive
Westboro, MA 01581

Voice: (508)-870-1300
E-mail: info@toplayer.com


According to John Parker, Senior Director for IDS Balancer, no matter what you call it, it's got as many functions as a Swiss Army knife. "It has the ability to be configured as a firewall load balancer, as a server load balancer, as an attack mitigator against denial of service attacks, a number of other quality of service-related applications, and others as well," he said.

Still, Top Layer doesn't market AppSafe as an intrusion detection system. "We don't really intend to compete with the IDS vendors out there," Parker said. "We do some forensic data gathering for some specialized purposes, but not for the more general-purpose market that the IDS vendors cover."

Instead, the company works in concert with such IDS vendors as Intrusion.com and Internet Security Systems to provide load balancing for IDS solutions, in the form of a standalone product called the IDS Balancer.

Under the aegis
The idea is simple—take one of AppSafe's many facets and market it separately, making it both cheaper and simpler to manage. A simplified GUI and straightforward setup make deployment relatively effortless. "The end result is a product that a customer can take out of the box, install, and have operating in a matter of ten or fifteen minutes," Parker said.

Put simply, the IDS Balancer allows you to maximize the productivity of every intrusion detection system you deploy. "We can use the IDS Balancer to connect to a dozen network segments, and collect all that traffic and share it among a lesser number of IDSes," he said. "So instead of having to provision a dozen different IDSes to monitor a dozen network segments, I'd do it with just a handful."

This means that you can protect network segments you might not otherwise consider, without having to deploy more IDSes. "A lot of people, when they're first starting out, think of just putting in a single IDS and being done with it," Parker said. "But the fact is that an IDS can only monitor the traffic that's on its own network segment—and attacks come from all different directions."

There's an often-cited FBI statistic, Parker notes, that says that 70 percent of attacks come from inside the typical organization. You just can't assume that all your attacks are going to come from one obvious location in the network—and if you're not looking at 100 percent of the traffic, you're missing something.

Paranoid yet? The IDS Balancer isn't just about covering more bases—it can vastly improve performance as well. "A lot of the IDSes out there have trouble keeping up with high levels of network traffic," Parker said. "As networks scale, as people deploy more Gigabit Ethernet, customers are finding that it's difficult for their IDSes to keep pace."

Load balancing can help distribute traffic to avoid overloading any single system—and the IDS Balancer can also make it easy to provide redundancy. "Let's say that we want to be able to monitor a dozen network segments and we're going to need four IDSes," Parker said. "Instead of putting in four, put in a fifth one: get some n+1 fault tolerance. At that point, I have the ability to suffer a failure without degrading my ability to monitor that traffic for attack signatures."

Finally, Parker adds, the IDS Balancer can help to focus the efforts of each individual IDS. "When I balance the traffic, I'm capable of differentiating traffic by type," he said. "I may have one group of IDSes optimized for monitoring web traffic—the IDS Balancer can pull off only the web traffic and send it to that particular monitor group. By separating traffic types that way, I can make my intrusion detection systems more effective."

Surety bond
Whether an ISP is using an intrusion detection system to protect its own network or to offer intrusion detection as a value added service, the setup is essentially the same—the difference lies in who's paying for it and whose traffic is being monitored. And the IDS Balancer can help an ISP do both at once.

"As the ISP, I want to ensure that my own resources are properly secured," Parker said. "I can offer those services as a value added offering to my end users by extension: I could use much of the same hardware and much of the same software, and simply allow it to monitor other parts of the network, other bits of traffic, and sell that as a service."

There are two versions of the IDS Balancer. An entry-level model with 12 10/100 Ethernet ports costs $12,000—a higher-level version with dual Gigabit Ethernet ports in addition to the 12 10/100 ports retails for $20,000. Software subscription services and other support services are available for an annual fee.

But don't let the pricing scare you—even the smallest ISPs can make use of the IDS Balancer, Parker says. Even if an ISP is just deploying one intrusion detection system on its network, the IDS Balancer can help it make the best possible use of the product.

"Rather than having to buy multiple systems and locate them on each network segment that they want to be able to monitor, they can just buy a single system and then use the IDS Balancer to extend the reach of that system out to more of their network," he said. "And that's true of any size ISP, large or small."

— End
