Got IPv6?

IPv6 support

???????????????????Many organizations are transitioning to IPv6 because it allows the address space to be managed more easily. One thing is for sure, hackers are on top of it; they are already serving Malware from IPv6-capable servers! It is therefore imperative that all the security software be IPv6 capable in order to avoid glaring security holes.

When it comes to IPv6 most people put the blinders on. Most security policies really just ignore it because it is not main-stream. But you can be sure that whatever is being ignored can be used against you. Ipv6 tunnels are proliferating and usually not monitored at all. They can easily be used to have a data exfiltration super-highway out your network.

The MetaFlows Security System can now work on both IPv4 and IPv6, without gaps in your security.

A Very Expensive Lesson in Malware Protection

The attack on credit card numbers through Target has made many realize that network security, malware, and password protection needs to be taken more seriously. According to the article below, the two major factors in this data breach were 1. undetected malware that was able to scan credit card numbers in the real time, and 2. simple/default passwords that were never updated (especially not in accordance with PCI regulations). Both of these issues have seemingly easy fixes: For the Malware, get something that uses not just signature but behavioral detection and gives analysts real-time analysis (oh hey, what do you know, the MetaFlows Security System does all that, and more!). For the passwords it is a bit trickier. This requires staff training and individual memories the size of elephants in order to remember the hundreds of passwords we use nowadays. But with some staff education on the importance of keeping passwords up to code, and perhaps some mnemonic tricks, the world can be a safer place.

IT Weaknesses Paved the Way for Target Hackers

The Next Layer of Defense is Here!

The researchers from the article below “…expect their findings to be beneficial to enterprises and other organizations in developing the next layer of defense.”

The next layer of defense is already here. The MetaFlows Security System uses behavioral analysis (along with the traditional signature detection) in order to catch even the stealthiest of Malware. It can even catch things that were in the network before it was deployed!
Read the TechNewsWorld article below to find out more about why, regardless of company size, having the most intelligent network protection is key. Then go to www.metaflows.com to find out how to get the most intelligent network protection.

The Never Ending Cycle of Prey and Predator: The Malware War!

Malware is not new and yet ever-evolving. Companies need to strengthen security practices and tools in order to stay ahead, or at the least, stay in the game! With attacks and costs sharing an rising trajectory, information security should be the top of every IT director’s list. Read about it from the perspective of a CSO:

Malware: War without End

Find out how the MetaFlows Security System is keeping steady in the war against Malware and defeating enemies with innovative and cost efficient technology!

WakingShark II: Stress Testing the City of London

The City of London underwent a massive cyber attack- on purpose! In a great feat of preemptive security hundreds of people, from hackers to holy grail financial institutions, participated in a collaborative attack to test various organizations and government institutions’ preparedness. More cities and organizations should be testing their mettle in such a way.

Waking Shark II – Stress Testing the City of London

 

 

See how the MetaFlows Security System can put your network to the test. Find out what you are not seeing in our Free 14 Day Trial.

Security and The Internet of Things

In a world where, increasingly, EVERYTHING is linked together by internet, bluetooth, and technology at large, security is at its utmost importance. However- and who is to say whether we choose ignorance as bliss or just are too trusting- many do not even realize how much of their private lives are basically on a buffet table at a party hosted by Internet.

An interesting look at the expansion and effects of “The Internet of Things.”

Insecurity and the Internet of Things Part 1: Data, Data Everywhere

Feature Spotlight: Global Enterprise Solution

Global Enterprise Solution

The MSS Global Enterprise (MSS GE) is a complete turn-key security system intended for large Enterprise or Government networks, and includes advanced Malware/Botnet detection, Intrusion Prevention, Log Management/SIEM, and integrated vulnerability assessment. The MSS GE controller can be deployed either as a high performance Appliance (starting at 1200 Events/Second) or as an Amazon EC2 instance (AMI). The MSS GE sensors can be easily provisioned on off-the-shelf hardware (up to 10 Gbps per sensor) running Linux CentOS/RedHat, high-performance Appliances, VMware or on Amazon EC2.

ges image

Web Security Console

  • Real Time SIEM, Flow & Log management
  • Multi-user Online Collaboration
  • One-click Remediation
  • Highly Customizable
MSS GE Controller

  • Deploy as an Appliance or as an Amazon EC2 Instance
  • Predictive Event Correlation quickly finds Malware
  • Centralized Sensor Provisioning
Daily Intelligence Feeds

  • Behavioral Malware Detection
  • Zero-day/APT Intelligence
  • Vulnerability Scanning
  • Geo-location Intelligence

 

False Positives: A Contradiction Most Annoying

False Positives are the thorn in the backside of every IT security professional. The following article does a good job of breaking them down and explaining some of their greater risks.

The Impact of False Positives

 

False Positives are all but eliminated by the MetaFlows Security System. A fact that seems to good to be true, but is made totally possible by innovative technology!

Old Dog, New Tricks: Reengineering Human Behavior Can Foil Phishing

No, UPS does not have a package waiting for you and that prince in Nairobi does not really want to give you $50,000, no matter how well thought out his plan is.

The article below details how, with just a bit of training, even your typical end-user can become more savvy and avoid those pesky phishing emails, thus saving your network from nonsense.

Reengineering Human Behavior Can Foil Phishing

Find out how the MetaFlows Security System, by utilizing Network Level AntiVirus and an Internal File Carver, can notify on and prevent pesky phishing scams.

And Now For Something Completely Technical: PF Ring 10 Gbps Snort IDS

You can always visit the MetaFlows Website for more information.

PF_RING based 10 Gbps Snort multiprocessing

Tested on CentOS 6 64bit using our custom PF_RING source

PF_RING load balances network traffic originating from an Ethernet interface by hashing the IP headers into N buckets. This allows it to spawn N instances of Snort, each processing a single bucket and achieve higher throughput through multiprocessing. In order to take full advantage of this, you need a multicore processor (like an I7 with 8 processing threads) or a dual or quad processor board that increases parallelism even further across multiple chips.

In a related article we measured the performance of PF_RING with Snort inline at 1 Gbps on an I7 950. The results were impressive.

The big deal is that now you can build low-cost IDPS systems using standard off-the-shelf hardware.

You can purchase our purpose-built Hardware with MetaFlows PF_RING pre-installed, giving you a low cost high performance platform to run your custom PF_RING applications on. If you are interested in learning more, please contact us.

In this article we report on our experiment running Snort on a dual processor board with a total of 24 hyperthreads (using the Intel X5670). Besides measuring Snort processing throughput varying the number of rules, we also (1) changed the compiler used to compile Snort (GCC vs. ICC) and (2) compared PF_RING in NAPI mode (running 24 Snort processes in parallel) and PF_RING Direct NIC Access technology (DNA) (running 16 Snort processes in parallel).

PF_RING NAPI performs the hashing of the packets in software and has a traditional architecture where the packets are copied to user space by the driver. Snort is parallelized using 24 processes that are allowed to float on the 24 hardware threads while the interrupts are parallelized on 16 of the 24 hardware threads.

PF_RING DNA performs the hashing of the packets in hardware (using the Intel 52599 RSS functionality) and relies on 16 hardware queues. The DNA driver allows 16 instances of Snort to read packets directly from the hardware queues therefore virtually eliminating system-level processing overhead. The limitation of DNA is that (1) supports a maximum of 16x parallelism per 10G interface, (2) it only allows 1 process to attach to each hardware queue and (3) it costs a bit of money or requires Silicom cards(well worth it). (2) is significant because it does not allow multiple processes to receive the same data. So, for example if you run “tcpdump -i dna0″, you could not also run “snort -i dna0 -c config.snort -A console” at the same time. The second invocation would return an error.

GCC is the standard open source compiler that comes with CentOS 6 and virtually all other Unix systems. It is the foundation of open source and without it we would still be in the stone age (computationally).

ICC is an Intel proprietary compiler that goes much further in extracting instruction- and data-level parallelism of modern multicore processors such as the i7 and Xeons.

All results are excellent and show that you can build a 5-7 Gbps IDS using standard off-the-shelf machines and PF_RING. The system we used to perform these experiments is below:

The graph above shows the sustained Snort performance of 4 different configurations using a varying number of Emerging Threats Pro rules. As expected, the number of rules has a dramatic effect on performance for all configurations (the more rules, the lower the performance). In all cases, memory access contention is likely to be the main limiting factor.

Given our experience, we think that our setup is fairly representative of an academic institution we have to admit that measuring Snort performance in the absolute is hard. No two networks are the same and rule configurations vary even more widely, nevertheless, the relative performance variations are important and of general interest. You can draw your own conclusions from the above graph; however here are some interesting observations:

  • At the high end (6900 rules) ICC makes a big difference by increasing the throughput by ~1 Gbps (25%)
  • GCC is just as good at maintaining throughput around 5 Gbps
  • PF_RING DNA is always better than PF_RING NAPI.

We describe below how to reproduce these numbers on Linux CentOS 6. If you do not want to go through these steps, we also provide this functionality through our security system (MSS) pre-packaged and ready to go. It would help us if you tried it and let us know what you think.