Top Layer AppSwitch: Intrusion Detection in Depth

Gary C. Kessler
May 2001


An edited version of this paper with the title "IDS-in-Depth" originally appeared in the August 2001 issue of Information Security Magazine (www.infosecuritymag.com). Copyright © 2001. All rights reserved.


Remember those commercials from the company that tells you it doesn't make "things," it makes "things" better? That is what I am reminded of when I think of the AppSwitch hardware from Top Layer (http://www.toplayer.com). The AppSwitch isn't the intrusion detection system (IDS) that I would buy to protect my network (even if Information Security Magazine paid me really well!); it's the IDS that I might buy to protect the IDSes protecting my data center.


FIGURE: The placement of the AppSwitch in the network to protect both Internet and intranet.

Top Layer, founded in 1997, started by building a hardware device for application traffic management. To do this well, they needed to be able to look inside the application layer data to make decisions with respect to quality of service and traffic management. These same capabilities have been brought to the security marketplace with their flagship product, AppSwitch/AppSafe 3500 (AS 3500). The AS 3500 is a hardware device that performs four primary functions:

- flow mirroring, distributing copies of traffic to downstream IDSes;
- attack mitigation, including DoS and DDoS protection;
- firewall load balancing; and
- SecureWatch data collection for intrusion analysis and attack forensics.

Let's start with flow mirroring. The AS 3500 doesn't do traditional signature- or anomaly-based intrusion detection; instead it does some initial attack detection and filtering, and distributes protocol traffic to other "traditional" IDSes that might be better suited to particular tasks. The AS 3500 flow mirroring capability is built specifically for performance, availability, and scalability. With 10/100 and Gigabit Ethernet interfaces, its primary role is to capture all traffic for near-real-time analysis. Most IDSes are passive devices that drop packets when the load exceeds what they can process; the AS 3500 was built for speed and can handle up to 1.5 million packets/second. It ensures that packets don't get dropped by capturing flows of traffic and distributing a copy to a downstream IDS.

The AS 3500's concept of a flow is similar to that of IP version 6 (although there is no relationship to IPv6 that I know of). A flow is a particular conversation between two IP hosts. Thus, if a single host on the Internet is connected to both your Web server and your FTP server at the same time, that would be seen as two different flows. This is significant because you might want to use a specialized IDS to protect your Web server farm and another specialized IDS to protect your FTP server farm.

Attack mitigation is another feature of the AppSwitch. As the picture shows, the AppSwitch is intended to sit between the Internet and the firewall to protect the network. First, the AS 3500 has a standard set of attack filters to detect and block attacks such as Smurf, Land, and FTP bounce attacks. Second, it has a set of connection-based, stateful filters to detect and block such attacks as SYN floods, as well as to block unsolicited inbound ICMP Echo Responses, a common way in which many DDoS agents and daemons communicate.
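To make the two kinds of filter concrete, here is an added example (not Top Layer code, and not a description of how the AS 3500 is implemented) of the checks a device in this position would apply. The stateless filters look at a single packet: a Land packet has identical source and destination address and port; a Smurf amplifier is an ICMP Echo Request addressed to the directed broadcast address of a protected network; an FTP bounce is a PORT command naming an address other than the client's own. The stateful filter keeps a table of outbound Echo Requests and blocks any inbound Echo Reply that does not answer one. The `Packet` structure, the protected network list and the sample packets are constructed for the example; real ICMP matching would also compare identifier and sequence fields.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal packet view (constructed for this example)."""
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None  # 8 = Echo Request, 0 = Echo Reply
    inbound: bool = True             # True when arriving from the Internet side
    payload: str = ""                # first bytes of application data, as text


def is_land(pkt: Packet) -> bool:
    """Land: TCP packet whose source and destination address/port pairs are identical."""
    return pkt.proto == "tcp" and pkt.src == pkt.dst and pkt.sport == pkt.dport


def is_smurf(pkt: Packet, protected_nets: List[str]) -> bool:
    """Smurf: ICMP Echo Request sent to the directed broadcast address of a protected network."""
    if pkt.proto != "icmp" or pkt.icmp_type != 8:
        return False
    dst = ipaddress.ip_address(pkt.dst)
    return any(dst == ipaddress.ip_network(n).broadcast_address for n in protected_nets)


def is_ftp_bounce(pkt: Packet) -> bool:
    """FTP bounce: a PORT command (to port 21) whose address differs from the client's own."""
    if pkt.proto != "tcp" or pkt.dport != 21:
        return False
    if not pkt.payload.upper().startswith("PORT "):
        return False
    fields = pkt.payload[5:].strip().split(",")
    if len(fields) != 6:
        return False                       # malformed command; leave it to the FTP server
    return ".".join(fields[:4]) != pkt.src


class EchoStateFilter:
    """Stateful filter: an inbound Echo Reply is allowed only if it answers an outbound
    Echo Request seen earlier. Anything else is an unsolicited reply and is blocked."""

    def __init__(self) -> None:
        self.pending: Set[Tuple[str, str]] = set()   # (internal host, external host)

    def should_block(self, pkt: Packet) -> bool:
        if pkt.proto != "icmp":
            return False
        if not pkt.inbound and pkt.icmp_type == 8:
            self.pending.add((pkt.src, pkt.dst))      # remember our own request
            return False
        if pkt.inbound and pkt.icmp_type == 0:
            key = (pkt.dst, pkt.src)
            if key in self.pending:
                self.pending.discard(key)             # matched: one reply per request
                return False
            return True                               # unsolicited reply: block
        return False


def run_sample() -> dict:
    """Apply the filters to constructed sample packets and return the verdicts."""
    land = Packet("192.0.2.10", "192.0.2.10", "tcp", 80, 80)
    smurf = Packet("203.0.113.5", "192.0.2.255", "icmp", icmp_type=8)
    bounce = Packet("203.0.113.5", "192.0.2.21", "tcp", 40000, 21,
                    payload="PORT 192,0,2,30,0,80")
    legit_port = Packet("203.0.113.5", "192.0.2.21", "tcp", 40000, 21,
                        payload="PORT 203,0,113,5,4,1")
    echo = EchoStateFilter()
    our_request = Packet("192.0.2.10", "203.0.113.5", "icmp", icmp_type=8, inbound=False)
    their_reply = Packet("203.0.113.5", "192.0.2.10", "icmp", icmp_type=0, inbound=True)
    stray_reply = Packet("198.51.100.9", "192.0.2.10", "icmp", icmp_type=0, inbound=True)
    return {
        "land": is_land(land),
        "smurf": is_smurf(smurf, ["192.0.2.0/24"]),
        "bounce": is_ftp_bounce(bounce),
        "legit_port": is_ftp_bounce(legit_port),
        "request_blocked": echo.should_block(our_request),
        "reply_blocked": echo.should_block(their_reply),
        "stray_blocked": echo.should_block(stray_reply),
    }


if __name__ == "__main__":
    for name, verdict in run_sample().items():
        print(f"{name}: {verdict}")
```

The Smurf check uses the protected network list rather than a global "ends in .255" rule, because only a broadcast into a network you are responsible for can turn your hosts into amplifiers.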

The AS 3500 provides DoS attack mitigation by assessing the threat level based upon the number of incomplete TCP connections. As long as the number is nominal, the AS 3500 assumes that all is well. If the number reaches a "suspicious" level, the AS 3500 can dynamically act as a proxy for the intended destination, prepared to "take a bullet for the server." If a "critical" level is surpassed, the 3500 can block all incoming packets from a particular IP address. To mitigate DDoS attacks, similar protection is provided if there are too many connections to a particular IP address.
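The escalating nominal/suspicious/critical policy is easy to model. The following is an added example, not Top Layer's code, of a half-open connection monitor that tracks incomplete TCP handshakes per destination and per source and returns the action to take for each new SYN: forward it while the count is nominal, proxy the handshake on behalf of the server once the destination's count reaches the suspicious level, and block once the critical level is surpassed. The thresholds, the decision to block the SYN's source at critical, and the per-source rule that blocks a single address flooding on its own are all assumptions made for the example; the event sequences are constructed.

```python
from collections import Counter, defaultdict
from typing import Dict, Set, Tuple

NOMINAL, SUSPICIOUS, CRITICAL = "nominal", "suspicious", "critical"
FlowId = Tuple[str, int, str, int]   # (src, sport, dst, dport)


class SynFloodMonitor:
    """Tracks half-open TCP connections and escalates the response.

    Thresholds (assumed values for the example):
      suspicious_per_dst - half-open connections to one server before proxying
      critical_per_dst   - half-open connections to one server before blocking
      critical_per_src   - half-open connections from one client before that
                           client is blocked outright (single-source DoS)
    """

    def __init__(self, suspicious_per_dst: int = 10, critical_per_dst: int = 20,
                 critical_per_src: int = 5) -> None:
        self.suspicious_per_dst = suspicious_per_dst
        self.critical_per_dst = critical_per_dst
        self.critical_per_src = critical_per_src
        self.half_open: Set[FlowId] = set()
        self.per_dst: Dict[str, int] = defaultdict(int)
        self.per_src: Dict[str, int] = defaultdict(int)
        self.blocked: Set[str] = set()

    def threat_level(self, dst: str) -> str:
        """Threat level for one destination, from its count of incomplete handshakes."""
        n = self.per_dst[dst]
        if n >= self.critical_per_dst:
            return CRITICAL
        if n >= self.suspicious_per_dst:
            return SUSPICIOUS
        return NOMINAL

    def on_syn(self, src: str, sport: int, dst: str, dport: int) -> str:
        """Process an inbound SYN; return 'forward', 'proxy' or 'block'."""
        if src in self.blocked:
            return "block"
        fid = (src, sport, dst, dport)
        if fid not in self.half_open:            # a retransmitted SYN is not a new connection
            self.half_open.add(fid)
            self.per_dst[dst] += 1
            self.per_src[src] += 1
        if self.per_src[src] > self.critical_per_src:
            self.blocked.add(src)                # one address alone exceeded the critical level
            return "block"
        level = self.threat_level(dst)
        if level == CRITICAL:
            self.blocked.add(src)                # server under critical load: shut this source out
            return "block"
        if level == SUSPICIOUS:
            return "proxy"                       # complete the handshake on the server's behalf
        return "forward"

    def on_handshake_complete(self, src: str, sport: int, dst: str, dport: int) -> None:
        """Final ACK seen (or proxy handed the connection over): no longer half-open."""
        fid = (src, sport, dst, dport)
        if fid in self.half_open:
            self.half_open.remove(fid)
            self.per_dst[dst] -= 1
            self.per_src[src] -= 1


def simulate_single_source(n: int = 7) -> Counter:
    """Constructed scenario: one client opens n connections and never completes any."""
    mon = SynFloodMonitor()
    actions = [mon.on_syn("198.51.100.7", 1000 + i, "192.0.2.10", 80) for i in range(n)]
    return Counter(actions)


def simulate_distributed(n: int = 25) -> Counter:
    """Constructed scenario: n distinct clients each leave one handshake incomplete."""
    mon = SynFloodMonitor()
    actions = [mon.on_syn(f"203.0.113.{i}", 40000, "192.0.2.10", 80) for i in range(1, n + 1)]
    return Counter(actions)


if __name__ == "__main__":
    print("single source:", dict(simulate_single_source()))
    print("distributed:  ", dict(simulate_distributed()))
```

A production implementation would also age out half-open entries on a timer, since an attacker's SYNs never complete and would otherwise pin the counters at their peak forever.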

The AppSwitch also provides a firewall load balancing capability whereby the 3500 can direct traffic to more than one firewall. A single firewall can become a network access bottleneck as interface speeds get faster, traffic load increases, and/or the firewall rule set grows. Multiple firewalls can alleviate this problem, but they can miss certain attacks since a single firewall might not be able to see the complete traffic picture. The 3500 helps balance the load by distributing traffic to multiple firewalls on a per-flow basis, so that each firewall sees every packet of the conversations it is examining.
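Both the flow mirroring described earlier (Web flows to one specialized IDS, FTP flows to another) and the firewall load balancing here rest on the same primitive: a flow identifier that is the same for both directions of a conversation. The following added example (not Top Layer's code) builds that identifier from the protocol and the two address/port endpoints, pins each new flow to one firewall by hashing the identifier, and mirrors flows to a sensor chosen by the service they target. The device names, the "lower port is the server side" heuristic and the sample packets are assumptions made for the example.

```python
import hashlib
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]
FlowKey = Tuple[str, Endpoint, Endpoint]


def flow_key(proto: str, src: str, sport: int, dst: str, dport: int) -> FlowKey:
    """Direction-independent flow identifier.

    Sorting the two endpoints means the client's request and the server's
    reply (same addresses and ports, swapped) produce an identical key, so a
    stateful device receiving the flow sees both halves of the conversation."""
    a, b = (src, sport), (dst, dport)
    if a > b:
        a, b = b, a
    return (proto, a, b)


def server_port(key: FlowKey) -> int:
    """Heuristic (assumption): the endpoint with the lower port number is the server."""
    return min(key[1][1], key[2][1])


class FlowDistributor:
    """Spreads flows across a pool of firewalls while keeping each flow whole.

    A new flow is assigned by hashing its key onto the pool; the result is then
    pinned in a flow table so every later packet, in either direction, goes to
    the same firewall."""

    def __init__(self, devices: List[str]) -> None:
        if not devices:
            raise ValueError("need at least one device")
        self.devices = list(devices)
        self.table: Dict[FlowKey, str] = {}

    def choose(self, proto: str, src: str, sport: int, dst: str, dport: int) -> str:
        key = flow_key(proto, src, sport, dst, dport)
        device = self.table.get(key)
        if device is None:
            digest = hashlib.sha256(repr(key).encode()).digest()
            device = self.devices[int.from_bytes(digest[:8], "big") % len(self.devices)]
            self.table[key] = device
        return device


class ServiceMirror:
    """Copies each flow to the IDS specialised for the service it targets
    (e.g. a Web-farm sensor for port 80, an FTP-farm sensor for port 21)."""

    def __init__(self, sensor_by_port: Dict[int, str], default_sensor: str) -> None:
        self.sensor_by_port = dict(sensor_by_port)
        self.default_sensor = default_sensor

    def target(self, proto: str, src: str, sport: int, dst: str, dport: int) -> str:
        key = flow_key(proto, src, sport, dst, dport)
        return self.sensor_by_port.get(server_port(key), self.default_sensor)


if __name__ == "__main__":
    # Constructed traffic: one Internet host talking to the Web server and the FTP server.
    fw = FlowDistributor(["fw-a", "fw-b", "fw-c"])
    ids = ServiceMirror({80: "web-ids", 21: "ftp-ids"}, "default-ids")
    packets = [
        ("tcp", "203.0.113.5", 40000, "192.0.2.10", 80),   # request to Web server
        ("tcp", "192.0.2.10", 80, "203.0.113.5", 40000),   # Web server's reply
        ("tcp", "203.0.113.5", 40001, "192.0.2.21", 21),   # request to FTP server
    ]
    for pkt in packets:
        print(pkt, "->", fw.choose(*pkt), "/", ids.target(*pkt))
```

Because the assignment is pinned per flow rather than per packet, a firewall never has to judge a reply without having seen the request that provoked it, which is exactly the blind spot the paragraph above warns about.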

Finally, the AppSwitch includes SecureWatch data collection for intrusion analysis and attack forensics. The SecureWatch software collects sufficient information about all of the traffic through the AppSwitch that detailed records of all connections can be subsequently reconstructed. The TopFlow protocol is used between the AppSwitch and a SecureWatch agent to create a database from which a complete history can be replayed, allowing an analyst to later correlate the traffic with a particular security event or obtain a log for forensics purposes. This capability provides another important tool for the IDS community trying to reproduce large-scale incidents to learn about new attacks. SecureWatch agents are available for SQL Server (running on Windows 2000 Advanced Server), syslog, Check Point ELA, Cisco NetFlow, and WebTrends log file formats; Oracle support is expected in the fall, 2001.

One of the mantras of computer/network security today is "defense in depth." The Top Layer AppSwitch represents IDS in depth. Their target market is the Internet data center, either a large server farm host or a large enterprise server network. The intent is that the AppSwitch provides overall protection for the network and that individual components within the network then provide their optimal level of service. Priced in the $14,000-30,000 range, the AppSwitch can still provide a cost-effective solution; in a Web host colocation environment, for example, you might need one traditional IDS per customer, whereas the AppSwitch may allow the host to use a single 3500 and just a few traditional IDSes. The AppSwitch 3500 is compatible with ISS RealSecure, Check Point Firewall-1, Network Flight Recorder, Cisco NetRanger, and Symantec NetProwler.



ABOUT THE AUTHOR: Gary C. Kessler is an Assistant Professor and program coordinator of the Computer Networking major at Champlain College in Burlington, Vermont, and an independent consultant and writer. His e-mail address is kumquat@sover.net.