Foundry - Lancope Security Alliance: The Security Benefits of sFlow Integration


Post on 17-Aug-2020



AGENDA

Foundry Networks & Lancope Partnership Overview (15mins)

Gary Hemminger, Director Product Marketing, Foundry Networks

StealthWatch Xe for sFlow Overview (30mins)

Jason Anderson, Vice President Engineering, Lancope

Questions & Answers (15mins)

Foundry Networks & Lancope Security Alliance Overview

Gary Hemminger, Director, Product Marketing

Foundry Networks

FOUNDRY - LANCOPE SECURITY ALLIANCE

Gather sFlow from Foundry network devices

Baseline network and profile hosts for normal behavior (includes over 100 host and network characteristics).

Apply over 70 flow analysis algorithms to the flows and baseline characteristics

Provide complete enterprise visibility and threat protection at a lower cost

Adaptive mitigation at the closest network device


FOUNDRY SFLOW ARCHITECTURE & LANCOPE ZERO-DAY SOLUTION

Integrated Switch Security Features

• Wire-speed ACLs
• MAC Port Security
• TCP SYN and Smurf Attack Protection
• Hardware VLAN Flooding
• Control Plane Security
• Unicast Reverse Path Forwarding
• Private VLANs
• Integrated sFlow Monitoring

Foundry Stackable & Chassis Secure Switches

Foundry Integrated Switch Security Benefits:
• Ensures malicious or accidental L2/L3 attacks are thwarted before infecting the network
• Provides security with no loss of data performance or voice quality
• Prevents industry’s widest range of DoS attacks
• Fully integrated with Lancope StealthWatch Xe anomaly detection solution

sFlow Security Policy

StealthWatch Xe

FOUNDRY EMBEDDED SFLOW & LANCOPE INTERFACE

ASIC-based sFlow (RFC 3176) support for fast, low-overhead monitoring

Reduces cost and complexity of provisioning probes throughout the switched network

Eliminates the need for SPAN and mirror ports

Protocol independent (IPv4, IPv6, MPLS, IPX, AppleTalk) to ensure all traffic is seen

Integrated with Lancope StealthWatch Xe anomaly detection system for highly-scalable Zero-Day solution

StealthWatch Xe for sFlow Overview

Jason Anderson, Vice President, Engineering

Lancope, Inc.

SFLOW FOR “MOUNTAINTOP” OBSERVATION


SFLOW STEALTHWATCH INTEGRATION

Almost all Foundry products support sFlow

sFlow includes packet payload (allows for such things as fragmentation analysis and OS fingerprinting)

Duplicate sFlow records are removed

FLOW-BASED ANOMALY DETECTION

• Number of concurrent flows
• Packets per sec
• Bits per second
• New flows created
• Number of SYNs sent
• Time of day
• Number of SYNs received
• Rate of connection resets
• Duration of the flow
• Many others…

1. Collect and Analyze Flows
2. Establish Baseline of Behaviors
3. Alarm on Anomaly Behaviors


INFRASTRUCTURE IPS: HOW IT WORKS

[Diagram labels: Sales, Servers, Marketing, Remote Sites, Remote Users, Extranet, StealthWatch Xe Flow Collector; alert "!" with action "disable port"]

STEALTHWATCH IPS: AUTHORIZE MODE


STEALTHWATCH IPS: AUTOMATIC MODE

ENTERPRISE STEALTHWATCH DEPLOYMENT

StealthWatch allows for distributed deployment using Ethernet taps, mirror ports, or sFlow collection


STEALTHWATCH XE FOR SFLOW SIZING

Model      Number of Sources                    Data rates
Xe-2000    50,000 ports across 1000 devices     55,000 sps
Xe-1000    25,000 ports across 500 devices      25,000 sps
Xe-500     10,000 ports across 200 devices      10,000 sps

Note: “sps” is samples per second. Given a sampling rate of 1 in 128 packets, the Xe-2000 is capable of a scaled packet rate of 7,040,000 pps. At an average packet size of 400 bytes, a single Xe-2000 can process network traffic at speeds of over 22.5 Gigabits per second!

STEALTHWATCH BENEFITS

FLOW ANALYSIS

• Traffic Accounting
• Policy Enforcement
• Logging and Analysis
• Prioritization
• Threat Detection

Detect zero-day attacks, worms, viruses and other malware.

Discover unauthorized applications and prevent network misuse by internal users.

Investigate and diagnose internal security events.

Focus on the events that matter most.

Monitor network performance and usage.


NETWORK TRAFFIC ANALYSIS AND VISUALIZATION

Flow Records

Visualization

Traffic Analysis

(StealthWatch Rack Mountable 1U Appliance)

SUMMARY

Complete enterprise visibility through cost effective flow processing

Detects threats and attacks without the need for signature updates

Provides extensive forensics and audit reporting

StealthWatch leverages existing Foundry equipment to mitigate and quarantine attacks

Questions & Answers

Gary Hemminger, Director, Product Marketing

Foundry [email protected]

Jason Anderson, Vice President, Engineering

Lancope, [email protected]