Startup FireEye is introducing a network access control appliance that monitors network traffic to discover and block malicious traffic aimed at Windows 2000 and Windows XP desktops.
Called FireEye 4200, the device works in two phases: first it identifies traffic that diverges from normal in some way, then it runs that traffic through virtual machines on the appliance to see whether it is actually an exploit. Confirming on the virtual machines that the traffic is malicious, rather than merely anomalous, prevents false positives, says company founder, President and CEO Ashar Aziz.
If the traffic is confirmed as an exploit, the device can be configured to perform one of three defensive options. It can reassign the offending machine to a quarantine VLAN, cut off all of its network access by disabling the switch port it is attached to, or create virtual access control lists for the port that block the traffic identified as malicious while allowing all other traffic from the machine generating it.
It takes somewhere between seconds and tens of seconds from the time malicious traffic is picked up to the time the appliance acts to isolate it. FireEye 4200 machines are attached to switch SPAN (port-mirroring) ports or test access ports (TAPs), so they are not in line with traffic and do not introduce delay as they look for harmful packet flows.
While the time it takes to discover an exploit gives the exploit time to unfold on the production network, it still discovers malicious behavior in time to curb an attack, says Fred Archibald, network manager for the Electrical Engineering and Computer Science Department at the University of California at Berkeley. The department has beta tested the device and is installing it to protect its wireless network. "It's going to limit how much damage [an attack] can do," he says. "It's a concern, but we feel it will give us at least an additional measure of protection."
He says he was testing InfoExpress CyberGatekeeper gear that checks computers for compliance with security policies based on a scan of the device performed by a software agent. He says members of the department opposed the agents because they had too many rights on the host machine. They were concerned that if the agent were compromised, it could be used to steal proprietary data.
Archibald also says endpoint checking doesn't necessarily mean a device is not a threat. Zero-day attacks and delays in updating signature libraries can leave devices open to infection. "Signature-based security was a little bit daunting for keeping it up to date," he says.
FireEye also competes against ConSentry and Nevis, whose devices scan network traffic from switch monitoring ports and shut down badly behaving machines, says Scott Crawford, an analyst with Enterprise Management Associates. He says the virtual machine component of FireEye is unique as far as he knows.
FireEye 4200 communicates with switches via SNMP, XML over HTTP, and, for Cisco switches, via the command-line interface. It can also employ custom scripts to talk to switches if the other methods don't work, the company says.
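As an added example (not FireEye's code), the following Python helper turns the three responses described earlier into the switch commands an appliance would push over the Cisco command-line path just mentioned. The interface name, the quarantine VLAN number, the offending host and the access-list naming scheme are assumptions made for this example; the syntax is standard Cisco IOS, and the third option is rendered as a per-port IOS access list that drops only the confirmed flow and lets the host's other traffic through. A rollback helper is included because any automated response needs a way back once the host has been cleaned.

```python
from dataclasses import dataclass

# Constructed for this illustration: the interface name, VLAN number, host
# address and ACL naming are assumptions, not FireEye's configuration.
QUARANTINE_VLAN = 999


@dataclass(frozen=True)
class Offender:
    ip: str           # host that generated the confirmed-malicious traffic
    switch_port: str  # switch interface it is attached to
    proto: str        # "tcp" or "udp"
    dst_port: int     # destination port of the malicious flow


def acl_name(o: Offender) -> str:
    return f"FE-BLOCK-{o.ip.replace('.', '-')}-{o.proto.upper()}-{o.dst_port}"


def response_commands(action: str, o: Offender) -> list[str]:
    """IOS commands to apply one of the three responses."""
    if action == "quarantine":
        body = [f"interface {o.switch_port}", f" switchport access vlan {QUARANTINE_VLAN}"]
    elif action == "shutdown":
        body = [f"interface {o.switch_port}", " shutdown"]
    elif action == "acl":
        # Deny only the offending flow, then permit everything else from the
        # host. Order matters: IOS ACLs are first-match, so the deny comes first.
        name = acl_name(o)
        body = [
            f"ip access-list extended {name}",
            f" deny {o.proto} host {o.ip} any eq {o.dst_port}",
            " permit ip any any",
            f"interface {o.switch_port}",
            f" ip access-group {name} in",
        ]
    else:
        raise ValueError(f"unknown action {action!r}")
    return ["configure terminal", *body, "end"]


def rollback_commands(action: str, o: Offender, original_vlan: int) -> list[str]:
    """Commands that undo the response once the host has been cleaned."""
    if action == "quarantine":
        body = [f"interface {o.switch_port}", f" switchport access vlan {original_vlan}"]
    elif action == "shutdown":
        body = [f"interface {o.switch_port}", " no shutdown"]
    elif action == "acl":
        name = acl_name(o)
        body = [
            f"interface {o.switch_port}",
            f" no ip access-group {name} in",
            f"no ip access-list extended {name}",
        ]
    else:
        raise ValueError(f"unknown action {action!r}")
    return ["configure terminal", *body, "end"]


def demo() -> dict[str, list[str]]:
    """Render all three responses for one constructed offender."""
    o = Offender(ip="10.0.0.7", switch_port="GigabitEthernet1/0/7", proto="tcp", dst_port=445)
    return {a: response_commands(a, o) for a in ("quarantine", "shutdown", "acl")}


if __name__ == "__main__":
    for action, cmds in demo().items():
        print(f"# {action}")
        print("\n".join(cmds))
```

The quarantine and shutdown options are one interface command each; the ACL option is the only one that preserves the host's legitimate traffic, at the cost of a per-flow object that has to be named, tracked and removed again.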
While the virtual machines currently check only for exploits against Windows 2000 and XP desktops, the company says it may add server-class versions later. The more pressing need is to protect LANs from infected machines, particularly laptops that come and go from networks, the company says.
The device does not authenticate machines or users, nor does it scan them for whether they have an acceptable security posture. But it can work in conjunction with other NAC schemes that authenticate and perform endpoint checks.
Setting up an appliance entails assigning it an IP address, attaching it to a switch (the appliance has six 10/100/1000 copper Ethernet ports) and configuring which of the responses the customer wants the machine to take once it finds malicious traffic.
According to Aziz, the device is tuned to a low threshold for what it considers anomalous traffic, and everything that crosses it is run through the virtual machines. This sensitivity is designed so the appliance doesn't miss subtle or slow-developing attacks, he says. Once an exploit is discovered, its pattern is stored as a signature and checked against future traffic, so that a recurrence of the same exploit is caught faster on subsequent attempts.
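As an added illustration of the two-stage design described above (not FireEye's code: the toy target service, the baseline sizes, the per-port z-score test and the sample flows are all constructed for this example), the following Python sketch runs each flow through a cheap anomaly filter with a deliberately low threshold, sends only anomalous flows to an expensive behavioural check standing in for the virtual machine, and caches the hash of anything confirmed malicious so a repeat is blocked without a second detonation. The point it makes is the one Aziz makes: anomalous is not the same as malicious, and only the second stage decides.

```python
import hashlib
from dataclasses import dataclass
from statistics import mean, pstdev

# Everything below is constructed for this illustration: the Flow record, the
# toy target, the baseline sizes and the sample flows are assumptions, not
# anything taken from the FireEye appliance.


@dataclass(frozen=True)
class Flow:
    src: str
    dst_port: int
    payload: bytes


BUF_SIZE = 64  # the toy target's fixed receive buffer, in bytes


def toy_target_crashes(payload: bytes) -> bool:
    """Stand-in for detonating the flow in a virtual machine.

    The toy service reads a one-byte declared length, then copies that many
    bytes into a 64-byte buffer. A payload that declares more than the buffer
    holds and actually delivers that much data overruns it and "crashes" the
    target. That behavioural result, not a pattern match, is the verdict.
    """
    if not payload:
        return False
    declared, data = payload[0], payload[1:]
    return declared > BUF_SIZE and len(data) >= declared


class TwoStageDetector:
    def __init__(self, baseline, z_threshold=1.0, detonate=toy_target_crashes):
        # baseline: {dst_port: [payload sizes]} learned from normal traffic
        self.baseline = {
            port: (mean(sizes), pstdev(sizes) or 1.0) for port, sizes in baseline.items()
        }
        self.z_threshold = z_threshold  # kept low on purpose: miss nothing subtle
        self.detonate = detonate
        self.signatures = set()  # hashes of payloads confirmed malicious
        self.sandbox_runs = 0    # how often the expensive stage was needed

    def is_anomalous(self, flow: Flow) -> bool:
        """Stage 1: cheap statistical check. Unknown ports count as anomalous."""
        if flow.dst_port not in self.baseline:
            return True
        mu, sigma = self.baseline[flow.dst_port]
        return abs(len(flow.payload) - mu) / sigma > self.z_threshold

    def inspect(self, flow: Flow) -> str:
        sig = hashlib.sha256(flow.payload).hexdigest()
        if sig in self.signatures:
            return "malicious-cached"    # recurrence: no second detonation needed
        if not self.is_anomalous(flow):
            return "benign"              # normal traffic never reaches the sandbox
        self.sandbox_runs += 1
        if self.detonate(flow.payload):  # Stage 2: confirm behaviourally
            self.signatures.add(sig)
            return "malicious"
        return "benign-anomalous"        # odd but harmless: the false positive avoided


def run_demo():
    """Constructed sample traffic to port 8080 of the toy service."""
    det = TwoStageDetector(baseline={8080: [40, 42, 41, 43, 39]})
    flows = [
        Flow("10.0.0.5", 8080, bytes([40]) + b"A" * 40),       # ordinary request
        Flow("10.0.0.6", 8080, bytes([60]) + b"B" * 60),       # unusually large, but fits the buffer
        Flow("10.0.0.7", 8080, bytes([200]) + b"\x90" * 200),  # overruns the 64-byte buffer
        Flow("10.0.0.7", 8080, bytes([200]) + b"\x90" * 200),  # the same exploit again
    ]
    verdicts = [det.inspect(f) for f in flows]
    return verdicts, det.sandbox_runs


if __name__ == "__main__":
    print(run_demo())
```

Of the four constructed flows, two are anomalous by size but only one crashes the target, so the large benign transfer is cleared rather than blocked, and the repeated exploit is stopped from the signature cache without a second trip through the sandbox.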
FireEye 4200 is available now and costs US$30,000.