Sentriant® NG300 - Extreme Networks

Extreme Networks Data Sheet

Sentriant® NG300

Sentriant NG300 is a security appliance that complements existing perimeter and endpoint security solutions in securing the network interior against rapidly propagating threats, including Day-Zero attacks. Sentriant NG300 is designed to provide:

• Continuous monitoring of all endpoints as threat sources launching internal attacks
• Deep analysis of suspicious traffic without impacting the operation of live networks
• Rapid enforcement of mitigation actions against threat sources across the Enterprise

Sentriant NG300 protects your network from rapidly propagating Day-Zero threats.

Detect and Deceive Threats Early
• Create a network of virtual decoys in the unused IP address space as an early warning system that alerts you when a virtual decoy is contacted
• Mimic basic responses to TCP, UDP, and ICMP requests, and make it difficult for a hacker to determine which devices are real and which are not, allowing valid machines to hide among virtual decoys

Mitigate and Slow Down Threats Precisely
• Isolate the source of attacks and prevent them from communicating with the remainder of the network
• Actively engage an attacker during the network reconnaissance that generally precedes a threat and dramatically slow down the attack

High Availability Multi-Gigabit Coverage
• CLEAR-Flow® technology in ExtremeXOS switches detects and mirrors just the threatening traffic to Sentriant NG300, allowing higher line rates of inspection and mitigation
• Detect and actively defend against threats without interfering with network traffic; Sentriant NG300 is not an inline device, therefore it cannot be a bandwidth bottleneck or point of failure

Sentriant NG300 uses behavior-based threat detection methods (no signatures, no traffic sampling as in sFlow®) to detect threats, including new threats for which no signatures exist at the time of attack. It also includes a sophisticated early warning system that employs unused IP space to identify threats. Sentriant NG300 incorporates an aggressive, protocol-independent, automated threat termination technology. This technology does not use software desktop agents, TCP resets, or switch-dependent VLAN shunting to isolate an infected endpoint. Sentriant NG300 is a powerful threat detection and mitigation solution on its own, and when it is used with the CLEAR-Flow Security Rules Engine available in ExtremeXOS switches, a single Sentriant NG300 can protect multi-gigabit networks.

Sentriant NG300 is not an inline device, creates no performance impact on networks, and cannot jeopardize network availability, even while the network is under attack.

Protect your network from:
• Viruses/Worms: Zotob, Sasser, Welchia, SQL Slammer, Blaster, MyDoom and others
• Denial of Service (DoS): IP spoofing, MAC spoofing, smurf, ping of death, ping sweep, ping flood, port sweep, SYN Flood, TCP Xmas, Syn/Fin, Null, All Flags
• Day-Zero, Multi-Vector, blended attacks, polymorphic viruses
• Targeted attacks on IP Telephony devices

© 2008 Extreme Networks, Inc. All rights reserved. Sentriant NG300—Page 1


Extreme Networks Data Sheet

Detect and Deceive Threats Early
Delivers fast detection with a network of virtual decoys creating an early warning system that fires an alert when a virtual target is contacted.

Detect Threats Early
On a typical network that uses private IP address space, as much as 80% of the IP address space is unassigned. Sentriant NG300 uses this asset to identify threats, as shown in Figure 1. Since most worms must conduct reconnaissance to spread, there is a high probability that worm activity will hit the virtual decoys in the unused IP address space. Therefore, administrators have a much better chance of being alerted to malicious activity quickly, giving them more time to respond.

Sentriant NG300 listens to packet activity within a broadcast domain and uses its real-time map to verify that packets are only sent between known, real hosts. Reconnaissance packets sent by an attacker always "miss" some real host IP addresses. The packets sent to unused IP addresses generate ARP requests by the host or gateway. If ARP requests are detected but ARP replies are not, this indicates reconnaissance. Sentriant NG300 tracks requests to unused IP addresses and assesses their source for threat potential.

Active Deception
Active Deception is a unique technology that Sentriant NG300 employs with the unused IP address space. Sentriant NG300 pre-populates the network with "virtual decoys" that occupy the unused IP address space. Using these virtual decoys, Sentriant NG300 responds to attack traffic sent to a virtual decoy with legitimate responses. Threats waste valuable time trying to infect computers that are not really there. Meanwhile, Sentriant NG300 gathers valuable information about the nature of the attack, the ports and protocols it uses, the type of service it is trying to exploit, and the source of the attack packets, and reports this information in the Sentriant Console Manager.

Sentriant NG300 also provides false data about the network topology in order to deceive fingerprinting malware designed to provide precise data about operating systems and application versions present on a network. This deception makes it difficult for the malware to attack the network effectively.

Behavior Based Threat Detection
Sentriant NG300 uses behavior-based threat detection methods (no signatures, no traffic sampling as in sFlow) to detect threats, including new threats for which no signatures exist at the time of attack. Sentriant NG300 ships with a set of behavioral rules that are used to detect reconnaissance, bad packets, Denial of Service (DoS) attacks, targeted attacks against IP Telephony devices and protocol violations. Administrators can create additional custom rules in their environment if required. The combination of virtual decoys, active deception and continuous traffic monitoring against the behavioral rules results in very fast detection of threats in the network.

Figure 1: Unused IP Space Becomes an Early Warning System to Identify Threats (diagram: used IP space carrying a valid connection; unused IP space populated with virtual decoys; reconnaissance traffic hitting the decoys)

© 2008 Extreme Networks, Inc. All rights reserved. Sentriant NG300—Page 2
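The ARP heuristic described under "Detect Threats Early", as an added example that is not Extreme Networks code: requests for addresses that never produce an ARP reply are attributed to the requester, and a requester that racks up several such misses is reported as a reconnaissance source. The event list, the threshold and the host map are constructed assumptions, not the appliance's own format or rules.

```python
"""Added example (not Extreme Networks code): flag ARP reconnaissance.
Requests for addresses that never answer with an ARP reply point at a
host probing unused IP space.  Events below are constructed, not captured."""
from collections import defaultdict

# Constructed ARP events: (operation, sender_ip, target_ip).  For a reply,
# sender is the host that answered and target is the host that asked.
SAMPLE_EVENTS = [
    ("request", "10.0.0.5", "10.0.0.1"), ("reply", "10.0.0.1", "10.0.0.5"),
    ("request", "10.0.0.5", "10.0.0.2"), ("reply", "10.0.0.2", "10.0.0.5"),
    ("request", "10.0.0.9", "10.0.0.1"), ("reply", "10.0.0.1", "10.0.0.9"),
    ("request", "10.0.0.9", "10.0.0.40"),   # unused addresses: no reply ever comes
    ("request", "10.0.0.9", "10.0.0.41"),
    ("request", "10.0.0.9", "10.0.0.42"),
    ("request", "10.0.0.9", "10.0.0.43"),
]


def live_hosts(events):
    """Real-time map of hosts that have actually answered an ARP request."""
    return {sender for op, sender, _target in events if op == "reply"}


def unanswered_arp(events):
    """Map each requester to the set of targets that never replied."""
    pending = defaultdict(set)
    for op, sender, target in events:
        if op == "request":
            pending[sender].add(target)
        elif op == "reply":
            pending[target].discard(sender)   # a reply closes the matching request
    return {src: dsts for src, dsts in pending.items() if dsts}


def reconnaissance_sources(events, threshold=3):
    """Requesters whose unanswered targets reach `threshold` (assumed value).

    Caveat: when a gateway performs the ARP on an attacker's behalf, the
    gateway is the requester seen here; the data sheet's real-time host map
    is what attributes the miss back to the Layer 3 source."""
    return {src: sorted(dsts)
            for src, dsts in unanswered_arp(events).items()
            if len(dsts) >= threshold}
```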


Extreme Networks Data Sheet

Mitigate and Slow Down Threats Precisely
Isolate the source of attacks and prevent them from communicating with the remainder of the network.

Cloaking
Sentriant NG300 can logically insert itself between one or more attackers and one or more target devices by redirecting communication streams from the attackers to itself. Sentriant NG300 can then selectively pass or silently drop packets based on their threat potential, thereby isolating infected computers while permitting all other communication to flow normally on a network. This process, called Cloaking, occurs at both Layer 2 and Layer 3 of the Open Systems Interconnection (OSI) reference model. What makes Cloaking unique among all other threat prevention technologies in the security networking marketplace is that it is fundamentally a Layer 2 detection and mitigation technology.

Cloaking works by using the ARP protocol to force attacking computers to redirect attack packets to Sentriant NG300 and away from their intended targets. Cloaking is transparent to the network because it works with any type of Ethernet-connected device. Cloaking is client-less because it requires no endpoint software to operate.

All Sentriant NG300 rules define a response action of either Track or Cloak. Track allows manual cloaking through the Sentriant Console Manager, and Cloak performs automatic cloaking when the rule triggers.

Snaring/Slow Scan
Sentriant NG300 can also actively engage an attacker during the network reconnaissance that generally precedes a threat, dramatically slowing the scanning process as shown in Figure 2. This gives administrators enough time to understand and thwart the attack. Snaring/Slow Scan is one of the unique technologies that Sentriant NG300 uses to stop rapidly propagating threats. Once detected, Sentriant NG300 "snares" the threat by engaging it in a legitimate protocol exchange.

Snaring operates by engaging in the TCP 3-way handshake during a connection attempt of an attacking thread. Sentriant NG300 sends responses from virtual decoys that set the TCP window size to zero, forcing attackers to send only one packet at a time, thus stopping the attacker from bursting attack packets onto the wire. Sentriant NG300 also limits the packet size by setting a small Maximum Segment Size (MSS) of 10. This keeps the amount of bandwidth used down to a minimum.

Slow Scan then puts the attacking thread on hold for the maximum time allowed by the TCP protocol, four minutes. When the attacking thread sends a "Window Probe", the target (a virtual decoy in this case) responds and re-engages the Snaring/Slow Scan handshake. Snaring/Slow Scan has the net effect of "holding" an attacker's attack threads, preventing each thread from being reused by the OS. Since computers have a finite number of attack threads, Snaring/Slow Scan will eventually consume all of them, stopping the attack dead in its tracks.

Figure 2: Slowing Down a Threat Using Snaring and Slow Scan (sequence: SYN; SYN/ACK (Window = 0, MSS = 10); ACK (Attack Packet); ~4 minutes; Window Probe; ACK (Window = 0, MSS = 10); ACK (Attack Packet); ~4 minutes)

© 2008 Extreme Networks, Inc. All rights reserved. Sentriant NG300—Page 3
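The Snaring/Slow Scan exchange from Figure 2, as an added model that is not Extreme Networks code: a decoy completes the handshake but advertises a zero window and MSS 10, answers only the attacker's window probes, and so holds every engaged thread while the scanner's finite pool drains. The ~4-minute probe interval, the payload size, the thread count and the `Decoy`, `attack_thread` and `sweep` names are constructed assumptions for this model.

```python
"""Added example (not Extreme Networks code): a model of Snaring/Slow Scan.
The decoy completes the TCP handshake but advertises window 0 and MSS 10,
so each attack thread moves at most 10 bytes per ~4-minute persist cycle
and stays pinned.  Timings, payload and thread count are assumptions."""

MSS = 10                 # Maximum Segment Size advertised by the decoy (Figure 2)
PROBE_INTERVAL_S = 240   # ~4 minutes between window probes (Figure 2)


class Decoy:
    """Virtual decoy: snares the connection, then keeps the window closed."""

    def __init__(self):
        self.held = {}   # attacking (ip, port) -> seconds the thread has been pinned

    def respond(self, src, flags):
        """Reply to one attacker segment; None means the decoy stays silent."""
        if flags == "SYN":                  # snare: accept the connection attempt
            self.held[src] = 0
            return {"flags": "SYN/ACK", "window": 0, "mss": MSS}
        if src not in self.held:
            return None                     # not an engaged thread
        if flags == "WINDOW_PROBE":         # the attacker's persist timer fired
            self.held[src] += PROBE_INTERVAL_S
            return {"flags": "ACK", "window": 0, "mss": MSS}
        return None                         # data ACKs are absorbed; window stays 0


def attack_thread(decoy, src, payload, probes):
    """Play one attack thread through `probes` probe cycles.
    Returns (bytes the attacker managed to send, seconds it was pinned)."""
    sent = 0
    reply = decoy.respond(src, "SYN")
    sent += min(len(payload) - sent, reply["mss"])   # ACK carries <= MSS bytes
    decoy.respond(src, "ACK")
    for _ in range(probes):
        reply = decoy.respond(src, "WINDOW_PROBE")
        sent += min(len(payload) - sent, reply["mss"])
        decoy.respond(src, "ACK")
    return sent, decoy.held[src]


def sweep(decoy, threads, decoy_ips, attacker="10.0.0.9"):
    """A scanner with `threads` connection threads sweeps the decoy addresses.
    Every engaged thread is held, so the sweep stalls after `threads` hosts.
    Returns (threads pinned, decoy addresses the scanner never reached)."""
    pinned = 0
    for port, _ip in enumerate(decoy_ips, start=40000):
        if pinned == threads:
            break
        decoy.respond((attacker, port), "SYN")
        pinned += 1
    return pinned, len(decoy_ips) - pinned
```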


Extreme Networks Data Sheet

High Availability Multi-Gigabit Coverage
Sentriant NG300 can be integrated with the CLEAR-Flow Security Rules Engine available in ExtremeXOS® switches to allow multi-gigabit rates of inspection and mitigation. Sentriant NG300 is not an inline device, therefore it cannot be a bandwidth bottleneck or point of failure.

Protecting More of Your Network
Sentriant NG300 can be connected to any vendor's switches via mirror or span ports in its standalone deployment mode. In this mode, Sentriant NG300 can monitor up to 1 gigabit per second of broadcast traffic across up to 64 VLANs. Sentriant NG300 is designed to operate seamlessly with perimeter and endpoint security products in the standalone deployment mode.

Sentriant NG300 can be deployed in a second mode, called the integrated mode, when it is deployed with ExtremeXOS switches from Extreme Networks that support the CLEAR-Flow Security Rules Engine. In this mode a single Sentriant NG300 can protect multi-gigabit networks.

Sentriant NG300 provides a unique and differentiated set of features in both standalone and integrated deployment modes. The major difference is the amount of traffic that it can monitor for threats.

CLEAR-Flow Integration
When integrated with ExtremeXOS switches that support the CLEAR-Flow Security Rules Engine, as shown in Figure 3, Sentriant NG300 offers the following benefits:
• Greater performance: Since CLEAR-Flow detects and filters out DoS attacks, Sentriant NG300 can focus its resources on suspicious traffic alone and cover more of the network than in standalone mode
• Broader range: Sentriant NG300 can analyze mirrored traffic. Access to mirrored traffic from all the threat sources enables a quicker response time to potential attacks, as opposed to the narrower range of traffic presented via span ports
• Dynamic Mitigation Control: Sentriant NG300 can add/modify CLEAR-Flow rules and ACLs to inspect additional traffic or change inspection thresholds, thereby allowing an automated system to fine-grain inspection rules in real time

No Impact on Network Availability
Sentriant NG300 is commonly deployed on a mirror port on a switch, much like a network sniffer. However, unlike sniffers, Sentriant NG300 can actively engage, deter and terminate malicious behavior using Snaring/Slow Scan and Cloaking technologies. This deployment model gives systems administrators strong security control over the internal network without the latency or single-point-of-failure risks associated with inline devices.

Snaring/Slow Scan and Cloaking represent a departure from previous network security systems by combining the best characteristics of an inline protection system with the performance and reliability benefits of a passive device.

Automated Attack Mitigation in Integrated Deployment Mode
1. An infected source enters the network.
2. ExtremeXOS static ACLs and CLEAR-Flow rules filter out DoS attacks and determine the traffic class as 'suspicious'.
3. Suspicious traffic is selectively port-mirrored to Sentriant NG300 for further analysis.
4. Sentriant NG300 continues to watch suspicious traffic and uses its internal rules to escalate the traffic class from suspicious to high-level alert.
5. Sentriant NG300 initiates a dynamic ACL on the ExtremeXOS switch*. The switch applies the dynamic ACL in real time and continues to port-mirror suspicious traffic.

* Summit X450a series, BlackDiamond® 8800c series, BlackDiamond 10808, and BlackDiamond 12800 series switches.

Figure 1: Example of Profiles Using Wireless Mobility Access Domains. (diagram: BlackDiamond 8800c switch and Sentriant appliance, with the five steps above numbered)

© 2008 Extreme Networks, Inc. All rights reserved. Sentriant NG300—Page 4


Extreme Networks Data Sheet

Technical Specifications

Performance
Traffic Level (Inspection, Mitigation): 1 gigabit/sec aggregate traffic
Protected Endpoints: 1000 end-points protected (Typical)
Protected IP Space: 16K of used and unused IP addresses (Typical)
Number of VLANs: Up to 64 VLANs

Appliance Internals
Processor: Two Intel® Xeon Processors (2.8 GHz each)
Memory: 2GB of ECC DRAM
Hard Drive: 80GB
Network Interfaces: Four 10/100/1000BASE-T Ports; One 10/100BASE-T Management Port
Power Supply: Single 400W Power Supply
Power Connection: 120V/50/60Hz, U.S. Connectivity (U.S. cable only)
Startup Access: Serial RJ-45 Access

Chassis
Height: 2RU (3.5 inches)
Depth: 20.5 inches
Width: 17.0 inches
Mounting: Bracket-based front mount
Certifications: UL 6950-1 / IEC 6950 (U.S./Canada/Europe); FCC Part 15 / ICES-003 Class A Emissions (U.S./Canada); CE (European Union); VCCI Class 1 ITE (Japan)

Sentriant NG300 Operations Console (SOC)
Platform Requirements:
Operating System: Windows XP/2000/Server 2003
Processor: Intel Pentium 4 (or equivalent)
Memory: 512 MB
Hard Drive Space: 1 GB (minimum)

Sentriant NG300 Warranty
Hardware: Limited 1-year

© 2008 Extreme Networks, Inc. All rights reserved. Sentriant NG300—Page 5
