Many critical performance differentiators of NitroSecurity's Active Intrusion Prevention Systems (IPS) are attributable to the high-speed aggregation and correlation engine used within each NitroSecurity IPS, Management Console, and Enterprise Security System (ESS). The performance contribution of the security aggregation and correlation engine can be either direct or indirect, depending on the IPS function being considered. A direct contribution means that the capabilities supplied by the security aggregation and correlation engine provide a key, direct benefit to performance. An indirect performance benefit means that the security aggregation and correlation engine does not directly support the function but supports peripheral areas, which in turn improves overall performance.
The development of the security aggregation and correlation engine began in 1983 at the US Government Department of Energy's Idaho National Engineering Laboratory. In the government arena, the aggregation and correlation engine was known as Sage/AdaSAGE; it was in development for 275 staff years and for over 16 years in the national laboratory. Sage/AdaSAGE has received over $30M to support development costs, has earned numerous awards, and enjoys acceptance by the Departments of Defense and Energy, where it has been included in thousands of systems. Commercialized through NitroSecurity in 1999, it underwent further major enhancements by the original developers covering 10 more staff years. NitroSecurity was awarded a patent for the aggregation and correlation engine's unique indexing methods in 2002.
NitroSecurity's Active IPS are network bridges implemented on an Intel Linux platform, using in-line Snort as a signature detection engine, iptables as a firewall, and the world's fastest and highest performing security aggregation and correlation engine for data management and real-time analysis functions. The purpose of the NitroSecurity Active IPS is to detect and prevent intrusion attempts, block unwanted traffic, and act as a source of network information. Embedding the NitroSecurity security aggregation and correlation engine into the IPS turns the device into an intelligent security information appliance rather than just a network protection and data collection device. The security aggregation and correlation engine can execute as an "in-memory" database at speeds of 100 to 1,000 times that of any competitive product, significantly increasing security management performance. Its speed of insertion and ability to return real-time statistics/queries up to 1,000 times faster than even enterprise systems contributes directly to anomaly detection and alert packet storage, and indirectly to the ability of the signature detection and firewall engines to perform. No other IPS on the market embeds a security aggregation and correlation engine on the device.
The NitroSecurity Active Intrusion Prevention System uses the open source product, inline Snort, as a signature detection engine. The NitroSecurity team has improved the Snort engine itself to perform signature detection that functions more rapidly than the original code.
The aggregation and correlation engine is used to store alerts generated by the Snort engine in a compressed form, as well as to store packets of interest. Compression will normally reduce the number of alerts by hundreds or thousands of times, with some alerts being compressed at a ratio of 1 to 500,000.
Products without a real-time aggregation and correlation engine are forced to store all alerts in an uncompressed manner, which rapidly uses up disk storage on the device and clogs the communication line as the alert information is transmitted from devices to the analysis console for analysis and reporting.
Anomaly detection is either non-existent or still in its infancy in many intrusion prevention devices. IPS companies are now beginning to emphasize this area as intrusion prevention technology matures. The NitroSecurity Active IPS uses information stored in the aggregation and correlation engine to provide various anomaly detection features. Only the NitroSecurity aggregation and correlation engine can store and retrieve information at the rates needed for enterprise scale intrusion prevention.
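As an added illustration (not NitroSecurity's code; the page gives no implementation details of its engine), the following Python sketches the two ideas described above: aggregating identical alerts into a single row carrying a count and first/last-seen timestamps, which is where the alert-count reduction comes from, and then using the stored per-window counts for rate-based anomaly detection rather than re-reading raw alerts. The alert record fields, the (sid, src, dst, dport) aggregation key, the 60-second window and the z-score threshold are assumptions chosen for the example, and the alert data is constructed.

```python
"""Alert aggregation and rate-based anomaly detection over Snort-style alerts.

Added example, not NitroSecurity code. The record layout, the aggregation
key (sid, src, dst, dport), the window size and the z-score threshold are
assumptions made for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Tuple


@dataclass
class Alert:
    ts: int        # epoch seconds of the alert
    sid: int       # Snort signature id that fired
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination port


@dataclass
class AggRow:
    count: int       # how many raw alerts collapsed into this row
    first_seen: int  # earliest timestamp in the row
    last_seen: int   # latest timestamp in the row


AggKey = Tuple[int, str, str, int]


def aggregate(alerts: Iterable[Alert]) -> Dict[AggKey, AggRow]:
    """Collapse alerts sharing (sid, src, dst, dport) into one counted row."""
    rows: Dict[AggKey, AggRow] = {}
    for a in alerts:
        key = (a.sid, a.src, a.dst, a.dport)
        row = rows.get(key)
        if row is None:
            rows[key] = AggRow(1, a.ts, a.ts)
        else:
            row.count += 1
            row.first_seen = min(row.first_seen, a.ts)
            row.last_seen = max(row.last_seen, a.ts)
    return rows


def compression_ratio(raw_count: int, rows: Dict[AggKey, AggRow]) -> float:
    """Raw alerts per stored row; 0.0 when nothing was stored."""
    return raw_count / len(rows) if rows else 0.0


def per_window_counts(alerts: Iterable[Alert], window: int = 60) -> List[int]:
    """Alert volume per fixed time window, with empty windows filled as 0."""
    buckets: Dict[int, int] = defaultdict(int)
    for a in alerts:
        buckets[a.ts // window] += 1
    if not buckets:
        return []
    lo, hi = min(buckets), max(buckets)
    return [buckets.get(b, 0) for b in range(lo, hi + 1)]


def anomalous_windows(counts: List[int], baseline_windows: int, z: float = 3.0) -> List[int]:
    """Indices of windows whose volume exceeds the baseline mean by more than z sigmas.

    The baseline is the first `baseline_windows` entries. Sigma is floored at 1.0
    so a perfectly flat baseline does not turn every tiny change into an alarm.
    """
    base = counts[:baseline_windows]
    mu, sigma = mean(base), pstdev(base)
    floor = max(sigma, 1.0)
    return [i for i, c in enumerate(counts)
            if i >= baseline_windows and (c - mu) / floor > z]


def sample_alerts() -> List[Alert]:
    """Constructed data: 10 quiet minutes (two alerts each) then a 5000-alert burst."""
    t0 = 1_700_000_040  # minute-aligned so each burst offset stays in one window
    alerts: List[Alert] = []
    for m in range(10):
        alerts.append(Alert(t0 + 60 * m + 5, 1000001, "198.51.100.7", "192.0.2.10", 80))
        alerts.append(Alert(t0 + 60 * m + 30, 1000002, "203.0.113.4", "192.0.2.25", 443))
    for i in range(5000):
        alerts.append(Alert(t0 + 600 + (i % 60), 1000001, "198.51.100.7", "192.0.2.10", 80))
    return alerts


if __name__ == "__main__":
    alerts = sample_alerts()
    rows = aggregate(alerts)
    print(f"{len(alerts)} raw alerts -> {len(rows)} rows "
          f"(ratio {compression_ratio(len(alerts), rows):.0f}:1)")
    counts = per_window_counts(alerts)
    print("per-minute counts:", counts)
    print("anomalous minutes:", anomalous_windows(counts, baseline_windows=10))
```

The aggregated rows are what would be shipped to a console: 5,020 raw alerts become two rows, and the anomaly check runs over eleven integers instead of five thousand records, which is the point of doing the aggregation on the sensor itself.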
Other techniques are being used that take much longer to develop, incur costly maintenance, and are not as flexible or universal. Some companies attempt to overcome this shortcoming by positioning anomaly detection analysis on their central management console. The time lag to respond using this technique is obvious. The advantage of NitroSecurity's security aggregation and correlation engine will be further highlighted as NitroSecurity moves into the future with additional anomaly detection/reaction methods and features such as connection tracking, which provides the ability to track information on every packet that traverses the network.