A new version of Mazu Networks Inc.'s Profiler network traffic analysis product, released on Monday, can spot unauthorized network activity and track applications that use so-called "ephemeral ports," which pose a security risk to companies, the network security company said.
The new features in Mazu Profiler Version 3 come as vendors battle for dominance in a small but growing market for network profiling tools and broaden the appeal of their products to address more than just security concerns, according to industry experts.
The release is the latest edition of the Profiler product, which collects information from a distributed network of passive monitoring devices and uses statistical analysis and heuristics to profile network connections, Mazu said. The end result is a detailed picture of network behavior that allows administrators to spot unusual activity without relying on intrusion detection signatures or antivirus definitions, Mazu said.
That kind of picture is increasingly important given the proliferation of interdependencies between applications, which have grown with the Internet, according to Chris Mac-Stoker, a principal consultant at ThruPoint Inc. in New York, which provides services to financial and pharmaceutical firms.
"Large financial services companies can't tell you what (their applications) do," he said. "You have a database server talking to a Web front end server and a back-end mainframe server. Before you know it, you have seven applications linked using custom software and middleware."
The new version of Profiler improves features for creating use and access policies for the network. For example, administrators can create rules that will generate warnings if traffic is occurring between two network segments that aren't supposed to be communicating, the company said. Profiler Version 3 also comes with improved reporting capabilities for forensic analysis of compromised networks, the company said.
Profiler 3 also contains features that enable administrators to track FTP (File Transfer Protocol) servers that do not rely on a predefined communications port. These "ephemeral" ports can make FTP applications difficult to track and monitor.
While that feature is nice, Mazu customers might be more excited if Profiler 3 could also spot other applications that use the same ephemeral port scheme, such as peer-to-peer (p-to-p) file sharing applications, said Dan Keldsen, senior analyst and director of Information Systems at Delphi Group.
Profiler and similar technology from Arbor Networks Inc. are attractive to financial services and media companies, which lose money when trading systems or online services are slowed, according to Eric Ogren, a senior analyst at Yankee Group.
Many of ThruPoint Inc.'s customers, mostly large financial services companies, are evaluating the new profiling technology from Mazu, Arbor and others. However, none of them are using the products in production, Mac-Stoker said.
A feature "shake out" between leading vendors such as Mazu and Arbor and indecision about IT staffing within the companies are largely to blame, he said.
ThruPoint's customers are waiting to see which network profiling product develops the best features for automatically identifying and visualizing network traffic -- a sore point for financial services companies, which often have thousands of hard-to-identify custom applications running on their network, Mac-Stoker said.
Organizations are also holding off on purchases while they weigh whether to outsource key network functions such as server management and network IDS. With fewer IT staff and more outsourced network applications, companies might be more inclined to invest in profiling technology like Mazu's, Mac-Stoker said.
"After...outsourcing, IT staff will want to focus on the stuff they own, which is their network traffic," he said.