The Importance of State

Ixia recently added passive SSL decryption to the ATI Processor (ATIP). ATIP is an optional module in several of our Net Tool Optimizer (NTO) packet brokers that delivers application-level insight into your network with details such as application ID, user location, and handset and browser type. ATIP gives you this information via an intuitive real-time dashboard, filtered application forwarding, and rich NetFlow/IPFIX.

Adding SSL decryption to ATIP was a logical enhancement, given the increasing use of SSL for both enterprise applications and malware transfer – both things that you need to see in order to monitor and understand what’s going on. For security, especially, it made a lot of sense for us to decrypt traffic so that a security tool can focus on what it does best (such as malware detection).

When we were starting our work on this feature, we looked around at existing solutions in the market to understand how we could deliver something better. After working with both customers and our security partners, we realized we could offer added value by making our decrypted output easier to use.

Many of our security partners can either deploy their systems inline (traffic must pass through the security device, which can selectively drop packets) or out-of-band (the security device monitors a copy of the traffic and sends alerts on suspicious traffic). Their flexible ability to deploy in either topology means they’re built to handle fully stateful TCP connections, with full TCP handshake, sequence numbers, and checksums. In fact, many will flag an error if they see something that looks wrong. It turns out that many passive SSL solutions out there produce output that isn’t fully stateful and can flag errors or require disabling of certain checks.

What exactly does this mean? Well, a secure web connection starts with a 3-way TCP handshake (see this Wikipedia article for more details), typically on port 443, and both sides choose a random starting sequence (SEQ) number. This is followed by an additional TLS handshake that kicks off encryption for the application, exchanging encryption parameters. After the encryption is nailed up, the actual application starts and the client and server exchange application data.

When decrypting and forwarding the connection, some of the information from the original encrypted connection either doesn’t make sense or must be modified. Some information, of course, must be retained. For example, if the security device is expecting a full TCP connection, then it expects a full TCP handshake at the beginning of the connection – otherwise packets are just appearing out of nowhere, which is typically seen as a bad thing by security devices.

Next, in the original encrypted connection, there’s a TLS handshake that won’t make any sense at all if you’re reading a cleartext connection (note that ATIP does forward metadata about the original encryption, such as key length and cipher, in its NetFlow/IPFIX reporting). So when you forward the cleartext stream, the TLS handshake should be omitted. However, if you simply drop the TLS handshake packets from the stream, then the SEQ numbers (which keep count of transmitted packets from each side) must be adjusted to compensate for their omission. And every TCP packet includes a checksum that must also be recalculated around the new decrypted packet contents.

If you open up the decrypted output from ATIP, you can see all of this adjustment has taken place. Here’s a PCAP of an encrypted Netflix connection that has been decrypted by ATIP:

The Importance of State

You’ll see there are no out-of-sequence packets, and no indication of any dropped packets (from the TLS handshake) or invalid checksums. Also note that even though the encrypted connection was on port 443, this flow analysis shows a connection on port 80. Why? Because many analysis tools will expect encrypted traffic on port 443 and cleartext traffic on port 80. To make interoperability with these tools easier, ATIP lets you remap the cleartext output to the port of your choice (and a different output port for every encrypted input port). You might also note that Wireshark shows SEQ=0. That’s not the actual sequence number; Wireshark just displays a 0 for the first packet of any connection so you can use the displayed SEQ number to count packets.

The following ladder diagram might also help to make this clear:

The Importance of State

To make Ixia’s SSL decryption even more useful, we’ve also added a few other new features. In the 1.2.1 release, we added support for Diffie Helman keys (previously, we only supported RSA keys), as well as Elliptic Curve ciphers. We’ve also added reporting of key encryption metadata in our NetFlow/IPFIX reporting:

The Importance of State

As you can see, we’ve been busy working on our SSL solution, making sure we make it as useful, fast, and easy-to-use as possible. And there’s more great stuff on the way. So if you want to see new features, or want more information about our current products or features, just let us know and we’ll get on it.

More Information

ATI Processor Web Portal

Wikipedia Article: Transmission Control Protocol (TCP)

Wikipedia Article: Transport Layer Security (TLS)

Thanks to Ixia for the article.

Ixia Exposes Hidden Threats in Encrypted Mission-Critical Enterprise Applications

Delivers industry’s first visibility solution that includes stateful SSL decryption to improve application performance and security forensics

Ixia (Nasdaq: XXIA), a leading provider of application performance and security resilience solutions, announced it has extended its Application and Threat Intelligence (ATI) Processor™ to include stateful, bi-directional SSL decryption capability for application monitoring and security analytics tools. Stateful SSL decryption provides complete session information to better understand the transaction as opposed to stateless decryption that only provides the data packets. As the sole visibility company providing stateful SSL decryption for these tools, Ixia’s Visibility Architecture™ solution is more critical than ever for enterprise organizations looking to improve their application performance and security forensics.

“Together, FireEye and Ixia offer a powerful solution that provides stateful SSL inspection capabilities to help protect and secure our customer’s networks,” said Ed Barry, Vice President of Cyber Security Coalition for FireEye.

As malware and other indicators of compromise are increasingly hidden by SSL, decryption of SSL traffic for monitoring and security purposes is now more important for enterprises. According to Gartner research, for most organizations, SSL traffic is already a significant portion of all outbound Web traffic and is increasing. It represents on average 15 percent to 25 percent of total Web traffic, with strong variations based on the vertical market.1 Additionally, compliance regulations such as the PCI-DSS and HIPAA increasingly require businesses to encrypt all sensitive data in transit. Finally, business applications like Microsoft Exchange, and Dropbox run over SSL, making application monitoring and security analytics much more difficult for IT organizations.

Enabling visibility without borders – a view into SSL

In June, Ixia enabled seamless visibility across physical, virtual and hybrid cloud data centers. Ixia’s suite of virtual visibility products allows insight into east-west traffic running across the modern data center. The newest update, which includes stateful SSL decryption, extends security teams’ ability to look into encrypted applications revealing anomalies and intrusions.

Visibility for better performance – improve what you can measure

While it may enhance security of transferred data, encryption also limits network teams’ ability to inspect, tune and optimize the performance of applications. Ixia eliminates this blind spot by providing enterprises with full visibility into mission critical applications.

The ATI Processor works with Ixia’s Net Tool Optimizer® (NTO™) solution and brings a new level of intelligence to network packet brokers. It is supported by the Ixia Application & Threat Intelligence research team, which provides fast and accurate updates to application and threat signatures and application identification code. Additionally, the new capabilities will be available to all customers with an ATI Processor and an active subscription.

To learn more about Ixia’s latest innovations read:

ATI processor

Encryption – The Next Big Security Threat

Thanks to Ixia for the article.

CVE-2015-5119 and the Value of Security Research and Ethical Disclosure

The Hacking Team’s Adobe Flash zero day exploit CVE-2015-5119, as well as other exploits, were recently disclosed.

Hacking Team sells various exploit and surveillance software to government and law enforcement agencies around the world. In order to keep their exploits working as long as possible, Hacking Team does not disclose their exploits. As such, the vulnerabilities remain open until they are discovered by some other researcher or hacker and disclosed.

This particular exploit is a fairly standard, easily weaponizable use-after-free—a type of exploit which accesses a pointer that points to already free and likely changed memory, allowing for the diversion of program flow, and potentially the execution of arbitrary code. At the time of this writing, the weaponized exploits are known to be public.

What makes this particular set of exploits interesting is less how they work and what they are capable of (not that the damage they are able to do should be downplayed: CVE-2015-5119 is capable of gaining administrative shell on the target machine), but rather the nature of their disclosure.

This highlights the importance of both security research and ethical disclosure. In a typical ethical disclosure, the researcher contacts the developer of the vulnerable product, discloses the vulnerability, and may even work with the developer to fix it. Once the product is fixed and the patch enters distribution, the details may be disclosed publically, which can be useful learning tools for other researchers and developers, as well as for signature development and other security monitoring processes. Ethical disclosure serves to make products and security devices better.

Likewise, security research itself is important. Without security research, ethical disclosure isn’t an option. While there is no guarantee that the researchers will find the exact vulnerabilities held secret by the likes of Hacking Team, the probability goes up as the number and quality of researches increases. Various incentives exist, from credit given by the companies and on vulnerability databases, to bug bounties, some of which are quite substantial (for instance, Facebook has awarded bounties as high as $33,500 at the time of this writing).

However some researchers, especially independent researchers, may be somewhat hesitant to disclose vulnerabilities, as there have been past cases where rather than being encouraged for their efforts, they instead faced legal repercussions. This unfortunately discourages security research, allowing for malicious use of exploits to go unchecked in these areas.

Even in events such as the sudden disclosure of Hacking Team’s exploits, security research was again essential. Almost immediately, the vendors affected began patching their software, and various security researchers developed penetration test tools, IDS signatures, and various other pieces of security related software as a response to the newly disclosed vulnerabilities.

Security research and ethical disclosure practices are tremendously beneficial for a more secure Internet. Continued use and encouragement of the practice can help keep our networks safe. Ixia’s ATI subscription program, which is releasing updates that mitigate the damage the Hacking Team’s now-public exploits can do, helps keep network security resilience at its highest level.

Additional Resources:

ATI subscription

Malwarebytes UnPacked: Hacking Team Leak Exposes New Flash Player Zero Day

Thanks to Ixia for the article.

Application Intelligence For Your Monitoring Tools

Ixia Application Threat IntelligenceApplication intelligence (the ability to monitor packets based on application type and usage) is the next evolution in network visibility. It can be used to dynamically identify all applications running on a network. Distinct signatures for known and unknown applications can be identified, captured, and passed on to specialized monitoring tools in order to provide network managers a complete view of their network.

In addition, well-designed visibility solutions will gather additional (contextual) information on applications and users. Examples of this contextual information include: geo-location of application usage, network user types, operating systems, and browser types that are in use on the network.

With the number of applications used over service provider and enterprise networks rapidly increasing, application intelligence provides unprecedented visibility that enables IT organizations to identify unknown network applications. This level of insight helps mitigate network security threats from suspicious applications and locations. It also allows IT engineers to spot trends in application usage which can be used to predict, and then prevent, congestion.

The Application Intelligence portion of a network packet broker (NPB) is used in conjunction with other components (as part of a visibility architecture) to achieve this heightened level of visibility. For instance, a typical visibility solution has network access points (typically taps), the NPB that providing layer 2 through 4 filtering (in addition to the application filtering information), and dedicated purpose-built monitoring tools (like IPS, IDS, SIEMs, network analyzers, etc.). So, the application intelligence portion doesn’t function as an island but rather an integrated component of the overall visibility solution.

Ixia’s new Application and Threat Intelligence (ATI) Processor, built for the recently announced NTO 7300, brings intelligent functionality to the network packet broker landscape with its patent-pending technology that dynamically identifies all applications running on a network. This product gives IT organizations the insights needed to ensure the network works – every time and everywhere. This is the first visibility product of its kind that extends past layer 4 to layer 7, and provides rich data regarding the behavior and locations of users and applications in the network.

As new network security threats emerge, the ATI Processor helps IT improve their overall security with better intelligence for their existing security tools. The ATI Processor correlates applications with geography and can identify compromised devices and malicious activities such as Command and Control (CNC) communications from malicious botnet activities. IT organizations can now dynamically identify unknown applications, identify security threats from suspicious applications and locations, and even audit for security policy infractions – including the use of prohibited applications on the network or devices.

To learn more, please visit the ATI Processor product page, see our press release, or contact us to see a demo!

Additional Resources:

ATI Processor product page

Ixia NTO 7300

Ixia Visibility solutions

Press release

Thanks to Ixia for the article.

Application Intelligence: THE Driving Force In Network Visibility

Ixia's Application Intelligence Network VisibilityBusiness networks continue to respond to user and business demands, such as, access to more data, bring your own device (BYOD), virtualisation and the continued growth of the Internet of Things.

Historically much of the traffic that runs through these networks has been known to network administrators but access to application and user data remains lacking.

Application intelligence – the ability to monitor application flows based on application type – provides the insight that is desperately required to get more visibility into what is happening on networks.

Application intelligence can dynamically identify all applications running on a network. In addition, well-designed application intelligence solutions generate a wealth of information, such as geo-location data, network user types, device types, operating systems and browser types.

The key to success is integrating application intelligence in to enterprises purpose-built monitoring tools without overwhelming existing processes. Offloading the packet processing required to generate this application intelligence to dedicated hardware visibility solutions enables the monitoring tools to work better, and deliver better insight into network anomalies, problems and concerns.

Network visibility: the paradigm shift

The ubiquitousness of mobile computing in everyday life now means that the use of networks, network access and applications over networks has exponentially risen. The huge challenge facing network managers and operators is how to effectively monitor the performance, incidents and problems that come with an increase in applications and services traveling across networks.

In addition, today’s network security threats are big business – motivated by financial gain and much more sophisticated, prevalent and insidious than in the past. There are now whole communities dedicated to the sole purpose of cracking network security, many of which have gained international notoriety.

IT security professionals are struggling to keep up with the ever-escalating war between those trying to break in, and those trying to keep them out. As a result, organisations need to increase the effectiveness of network monitoring and network security by using the following application intelligence controls.

Profile the network

A network profile is an inventory of all the assets and services using the network. As the profile changes over time, network operators and defenders can monitor for emerging concerns. Most modern data-centre applications require great communication performance.

However, often these applications experience low throughput and high delay between the data centre, users and back-end servers that perform other operations. Application intelligence can help to profile a network by identifying all applications, performance issues across the network and how application traffic affects overall network performance.

Ixia's Application Intelligence Network VisibilityNetwork spikes

One of the most common things that can kill network performance is a huge spike in traffic that overwhelms resources. These types of events can slow down or even disable an otherwise functioning network.

With application intelligence, monitoring tools can observe sudden spikes in a specific type of application traffic – and then take action to either mitigate the effect or alert the proper people that can address the issue. With this knowledge, monitoring systems and IT, enterprises can prevent localised or global outages, especially in mobile service provider environments.

Ixia's Application Intelligence Network VisibilityBYOD effects and issues

One of the biggest issues facing network operators in the age of mobile devices is the BYOD phenomenon. Unregulated devices suddenly linked to your network and using it in ways that are unauthorised, or just unexpected, can wreak havoc on network performance.

Application intelligence allows you to use operating system information troubleshoot and predict BYOD effects. By collecting user information about the browser types used for each application, business can understand the impact of devices and trends in user behaviour. Organisations can capture rich user and behavioural data about the applications that are running, and determine how, when, and where users are employing them.

Capacity planning

Planning for your network capacity can be the difference between a smoothly functioning network and a disastrous mess of a network. Application intelligence can solve this problem by providing the exact data you need – who is using the network, what applications are being run, and from what location they are being accessed.

Good application intelligence also provides geo-location of application traffic to see application bandwidth and data distribution across the network. With the right tool, geo-location information allows identification beyond country, county and town, right down to neighborhood locations.

Ixia's Application Intelligence Network VisibilityFilter for specific information

The biggest variable in a network are the users employing it. They are the ones that create the demand for resources, the traffic flows and the security threats that plague network operators on a daily basis.

Application intelligence allows network operators to audit for security policy infractions and verify network user activity in following set policies. Application intelligence also allows for protection against known bad websites.

Avoid the application tsunami

Getting an accurate picture of what is happening in the network in real-time, and understanding exactly what is causing it, allows a network operator to turn a potential network disaster into a mere nuisance.

Application intelligence allows a savvy network operator to prepare for network “tsunamis” from specific applications or events – setting up alerts or actions ahead of time.

The real role of application intelligence

More and more people are using networks for more and more functions – networking is a deeply interwoven part of our everyday life. However, with this use, comes increased demands and needs. Application intelligence helps you always get the right alert at the right time, with no alert storms that leave you guessing about the real problem.

Today, network operators must monitor all aspects of their networks to maintain functionality. That includes monitoring applications along with the critical parts of application delivery, for example, servers and services that are used across the network.

Recognising and reacting to easily identifiable, trouble-making applications can mean the difference between functioning and failing. Operators must proactively head off application issues with careful capacity planning.

Roark Pollock is vice president of visibility solutions at Ixia

Thanks to ITProPortal for the article.

Application Visibility—Going Beyond Network Visibility

Managing networks is no longer about bits, bytes, and packets, but about application behavior and user experience. Managing applications and user experience drives the need for deeper visibility into your network, which comes from making higher-value data available to your network monitoring tools.

Most network packet brokers offer functions that include granular filtering, load balancing, and deduplication, and some even have a packet capture/decode function. But Ixia’s solution goes beyond these data visibility functions to also offer advanced application intelligence.

Scott Register, Ixia Sr. Director, Product Management presented Ixia’s newest product offering that represents a fundamental shift in network packet broker functionality. Ixia’s new Application and Threat Intelligence Processor (ATIP) works with the company’s Net Tool Optimizer (NTO) to provide the real-time application traffic and metadata that is vital to garnering a complete picture of your network via external monitoring tools.

Users can see real-time application-level traffic and metadata through a web API, NetFlow/IxFlow, or an internal dashboard. Adding valuable application information to super-charge your monitoring tools, the ATIP delivers information such as: where users are located, what apps they are using, what handset they are using, and who is having an application failure–even for custom apps.

With the ATIP, your monitoring tools will have access to not just packets, but actionable application insight.

Check out Scott’s show-floor interview.

Application Visibility—Going Beyond Network Visibility


Thanks to Ixia for the article.

Ixia Advances Network Visibility with Real-Time Network and Application Intelligence

New Application and Threat Intelligence Processor delivers smart contextual metadata to monitoring tools enabling customers to make better decisions


Ixia introduced its Application and Threat Intelligence (ATI) Processor, which enhances the network, application and security insights IT organizations get from their existing monitoring tools.

This is the first product of its kind and provides Ixia’s Visibility Architecture with the ability to provide real-time information about users and applications in any format needed – raw packets, filtered packets or metadata. With the number of valid and malicious applications rapidly increasing, this unprecedented visibility intelligence helps IT organizations within large enterprises and service providers to identify, locate and track network applications – including proprietary, mobile and malicious traffic.

News highlights

Ixia’s new ATI Processor for the NTO 7300 brings a new level of intelligence to the network packet broker. Distinct Application Fingerprints and a patent pending dynamic identification capability for unknown applications give network managers a complete view of their networks, including application success and failure tracking. By combining rich contextual information such as geo-location of application usage, handset or device type, operating system and browser type, the ATI Processor helps to identify suspicious activity such as unauthorized BYOD usage or business connections from untrusted locations.

Ixia customers can now leverage their monitoring tools in conjunction with the enhanced information provided by the ATI Processor to spot trends in application usage, user behavior and quality of service with more speed and accuracy. This unique insight can also resolve security concerns such as rapidly spotting Command and Control (CnC) traffic from infected systems and policy infractions from BYOD usage. Previously, IT administrators would have to piece together many independent streams of information in a tedious and error-prone process.

The ATI Processor is backed by the same industry-leading ATI program that fuels Ixia’s test equipment, which includes more than 245 applications and 35,000 malicious attacks and combines frequent Application Fingerprint updates with support of user-defined applications. The specialized hardware employed in the ATI Processor optimizes visibility performance by offloading DPI and metadata extraction, improving tool performance and delivering richer insight into network usage, problems and trends. This functionality delivers greater overall value to our customers.

ATI Processor features include:

  • Dynamic application intelligence capabilities to identify known, proprietary, and even unknown network applications.
  • Enhanced insight including geo-location, handset type, operating system, browser and other key user data.
  • Empirical data generation to identify bandwidth usage, trends and growth needs delivered via API or Ixia’s IxFlow extensions to NetFlow.

For more information watch the video describing the new ATI Processor.

Industry commentary

“The importance of understanding application performance, service quality and security integrity from the network perspective has been steadily rising in both enterprise and service provider settings,” said Jim Frey, EMA’s Vice President of Research, Network Management. “Such visibility is essential for timely assurance and protection of complex applications despite growing traffic volumes and increasing diversity in how end users and subscribers access applications and services. Options for DPI processing and identification at the packet access layer, such as Ixia’s new ATI Processor offering, means valuable flexibility for establishing and sustaining effective visibility.”

“Ixia’s ATI Processor takes the functionality and benefits of a network packet broker to a new level by providing WildPacket’s Network Analysis and Recorder appliances with not just packets, but rich data on applications, geography and users.” said Tim McCreery, president of WildPackets. “By offloading these vital CPU intensive tasks, WildPackets can provide even more real-time visibility into the entire network while recording high-speed traffic for advanced forensics. The joint solution allows customers faster troubleshooting, reduced time to resolution, and shorter network downtime.”

Thanks to Ixia for the article.