IXIA ThreatArmor: how does it work

This is not an advertisement (unfortunately, the vendor doesn't pay me for it :) ), just a technology review: one more IXIA solution analysis.


This is a device intended for deployment in enterprise networks. Its topological position may be either on the external side of the network, between the corporate network and the Internet, or on the internal side, behind the enterprise information security infrastructure. ThreatArmor protection is based on IP-address filtering of traffic: by source address for traffic coming from the Internet, and by destination address for traffic originating from internal hosts.

Here is a picture of a ThreatArmor-protected corporate network architecture.



The enterprise is on the left side and the Internet is on the right.


Let's not guess which elements may be included in the "Existing Security Infrastructure" box. It may be a firewall only, or it may also include other components such as IDS/IPS, SIEM, anti-DDoS etc.
Deployed in-line, ThreatArmor blocks malicious traffic directed from harmful IP addresses to the enterprise (Internet attacks, outside the firewall) or from the corporate network to harmful IP addresses (botnet C&C, connections to phishing pages etc., inside the security infrastructure).

There are only two IP-address categorizations in it:
  • Geographical, used for country blacklisting;
  • Malicious activity.

The IP-address base is categorized by country and by participation in malicious activity, and is curated by the IXIA Application and Threat Intelligence (ATI) team. The base is updated every 5 minutes. According to the vendor, ThreatArmor sends nothing to the cloud; it only receives. Unlike other information security solutions it requires minimal tuning: block or not, and selection of the blocked categories. All other decisions are made by ATI and the customer has to rely on them.
So, the device is designed for the enterprise and is positioned as:
  • An additional information security "noise suppressor";
  • An optimizer of information security time and infrastructure resources;
  • "Set and forget".
As my colleague Sergey Blinov noted, a service provider network may find ThreatArmor's value not in the device but in the subscription. It must meet requirements such as:
  • Timely updates;
  • Ability to aggregate into ACLs and BGP flowspec announcements for the entire provider network border;
  • Incremental updates without ACL recompilation;
  • ACL aggregation where possible.
The last factor may become a blocker for the operator because of limits on the number of ACL entries and on aggregation ability in individual cases.
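To make the two mechanisms discussed above concrete (direction-dependent IP filtering against selected categories, and the provider-side concern of collapsing a feed into as few ACL entries as possible and patching it incrementally), here is a small Python model. It is an added example, not ThreatArmor or ATI code; the feed entries, the category names, the internal range 10.0.0.0/8 and the function names are all constructed assumptions for illustration.

```python
"""Model of reputation-based IP filtering and ACL aggregation (added example)."""
import ipaddress
from typing import Iterable, List, Set, Tuple

# Constructed sample feed: (prefix, category). Stand-in for the vendor's
# categorised IP base; all addresses are documentation ranges, not real indicators.
FEED_V1: List[Tuple[str, str]] = [
    ("203.0.113.0/24", "malicious"),
    ("198.51.100.6/32", "malicious"),
    ("198.51.100.7/32", "malicious"),   # adjacent to .6 -> aggregatable to a /31
    ("192.0.2.0/25", "geo:ZZ"),
    ("192.0.2.128/25", "geo:ZZ"),       # other half of the /24 -> aggregatable
]
# Constructed "next 5-minute update": one entry dropped, one added.
FEED_V2: List[Tuple[str, str]] = [
    ("203.0.113.0/24", "malicious"),
    ("198.51.100.7/32", "malicious"),
    ("198.51.100.200/32", "malicious"),
    ("192.0.2.0/25", "geo:ZZ"),
    ("192.0.2.128/25", "geo:ZZ"),
]

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed enterprise range


def _selected(feed: Iterable[Tuple[str, str]], categories: Set[str]):
    """Keep only prefixes whose category the operator chose to block."""
    return [ipaddress.ip_network(p) for p, cat in feed if cat in categories]


class IPBlocklist:
    """Blocks on source for Internet->enterprise flows, on destination for enterprise->Internet."""

    def __init__(self, feed: Iterable[Tuple[str, str]], blocked_categories: Set[str]) -> None:
        self.entries = _selected(feed, blocked_categories)

    def listed(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.entries)

    def verdict(self, src: str, dst: str) -> str:
        """Return 'block' or 'allow' for one flow, depending on its direction."""
        inbound = ipaddress.ip_address(dst) in INTERNAL_NET
        checked = src if inbound else dst   # inbound: check source; outbound: destination
        return "block" if self.listed(checked) else "allow"


def aggregate_acl(feed: Iterable[Tuple[str, str]], blocked_categories: Set[str]) -> List[str]:
    """Collapse adjacent and overlapping prefixes to minimise the ACL entry count."""
    return [str(n) for n in ipaddress.collapse_addresses(_selected(feed, blocked_categories))]


def incremental_update(old_feed, new_feed, blocked_categories: Set[str]) -> Tuple[List[str], List[str]]:
    """Return (added, removed) prefixes so the ACL can be patched instead of recompiled."""
    old = {p for p, c in old_feed if c in blocked_categories}
    new = {p for p, c in new_feed if c in blocked_categories}
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    bl = IPBlocklist(FEED_V1, {"malicious"})
    print(bl.verdict("203.0.113.5", "10.0.0.10"))    # listed source, inbound -> block
    print(bl.verdict("10.0.0.10", "198.51.100.7"))   # listed destination, outbound -> block
    print(bl.verdict("10.0.0.10", "192.0.2.5"))      # geo category not selected -> allow
    print(aggregate_acl(FEED_V1, {"malicious", "geo:ZZ"}))
    print(incremental_update(FEED_V1, FEED_V2, {"malicious"}))
```

The last two calls show the provider-side trade-off from the list above: five feed entries collapse to three ACL entries, and the next update becomes one add and one remove rather than a full rebuild. Enabling the geo category turns 192.0.2.5 from allowed into blocked, which is the false-positive risk of depending entirely on someone else's categorisation.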

So, we know the pluses, but it is impossible to ignore some minuses.
Some possible risks of using the ThreatArmor solution in an enterprise network:
  • An additional point of failure. Despite the bypass capability, this risk is present.
  • Absolute dependence on the ATI IP-address base. Some percentage of legitimate traffic may be blocked.
  • Of course, several undocumented features may be included in it, as in any solution.
Now you have some information for analysis, but the "to be or not to be" decision on using the solution in your enterprise network must be your own.


Andrey Dugin

Practical Information Security and Data Protection | Information Security and Cyber Defense in Deed