ThreatARMOR Reduces Your Network’s Attack Surface

ThreatARMOR Reduces Your Network’s Attack Surface

2014 saw the creation of more than 317 million new pieces of malware. That means an average of nearly one million new threats were released each day.

Here at Ixia we’ve been collecting and organizing threat intelligence data for years to help test the industry’s top network security products. Our Application and Threat Intelligence (ATI) research center maintains one of the most comprehensive lists of malware, botnets, and network incursions for exactly this purpose. We’ve had many requests to leverage that data in support of enterprise security, and this week you are seeing the first product that uses ATI to boost the performance of existing security systems. Ixia’s ThreatARMOR continuously taps into the ATI research center’s list of bad IP sources around the world and blocks them.

Ixia’s ThreatARMOR represents another innovation and an extension for the company’s Visibility Architecture, reducing the ever-increasing size of their global network attack surface.

A network attack surface is the sum of every access avenue an individual can use to gain access to an enterprise network. The expanding enterprise security perimeter must address new classes of attack, advancing breeds of hackers, and an evolving regulatory landscape.

“What’s killing security is not technology, it’s operations,” stated Jon Oltsik, ESG senior principal analyst and the founder of the firm’s cybersecurity service. “Companies are looking for ways to reduce their overall operations requirements and need easy to use, high performance solutions, like ThreatARMOR, to help them do that.”

Spending on IT security is poised to grow tenfold in ten years. Enterprise security tools inspect all traffic, including traffic that shouldn’t be on the network in the first place: traffic from known malicious IPs, hijacked IPs, and unassigned or unused IP space/addresses. These devices, while needed, create a more work than a security team could possible handle. False security attack positives consume an inordinate amount of time and resources: enterprises spend approximately 21,000 hours per year on average dealing with false positive cyber security alerts per a Ponemon Institute report published January 2015. You need to reduce the attack surface in order to only focus on the traffic that needs to be inspected.

“ThreatARMOR delivers a new level of visibility and security by blocking unwanted traffic before many of these unnecessary security events are ever generated. And its protection is always up to date thanks to our Application and Threat Intelligence (ATI) program.” said Dennis Cox, Chief Product Officer at Ixia.

“The ATI program develops the threat intelligence for ThreatARMOR and a detailed ‘Rap Sheet’ that provides proof of malicious activity for all blocked IP addresses, supported with on-screen evidence of the activity such as malware distribution or phishing, including date of the most recent confirmation and screen shots.”

ThreatARMOR: your new front line of defense!

Additional Resources:


Thanks to Ixia for the article.

The Importance of State

Ixia recently added passive SSL decryption to the ATI Processor (ATIP). ATIP is an optional module in several of our Net Tool Optimizer (NTO) packet brokers that delivers application-level insight into your network with details such as application ID, user location, and handset and browser type. ATIP gives you this information via an intuitive real-time dashboard, filtered application forwarding, and rich NetFlow/IPFIX.

Adding SSL decryption to ATIP was a logical enhancement, given the increasing use of SSL for both enterprise applications and malware transfer – both things that you need to see in order to monitor and understand what’s going on. For security, especially, it made a lot of sense for us to decrypt traffic so that a security tool can focus on what it does best (such as malware detection).

When we were starting our work on this feature, we looked around at existing solutions in the market to understand how we could deliver something better. After working with both customers and our security partners, we realized we could offer added value by making our decrypted output easier to use.

Many of our security partners can either deploy their systems inline (traffic must pass through the security device, which can selectively drop packets) or out-of-band (the security device monitors a copy of the traffic and sends alerts on suspicious traffic). Their flexible ability to deploy in either topology means they’re built to handle fully stateful TCP connections, with full TCP handshake, sequence numbers, and checksums. In fact, many will flag an error if they see something that looks wrong. It turns out that many passive SSL solutions out there produce output that isn’t fully stateful and can flag errors or require disabling of certain checks.

What exactly does this mean? Well, a secure web connection starts with a 3-way TCP handshake (see this Wikipedia article for more details), typically on port 443, and both sides choose a random starting sequence (SEQ) number. This is followed by an additional TLS handshake that kicks off encryption for the application, exchanging encryption parameters. After the encryption is nailed up, the actual application starts and the client and server exchange application data.

When decrypting and forwarding the connection, some of the information from the original encrypted connection either doesn’t make sense or must be modified. Some information, of course, must be retained. For example, if the security device is expecting a full TCP connection, then it expects a full TCP handshake at the beginning of the connection – otherwise packets are just appearing out of nowhere, which is typically seen as a bad thing by security devices.

Next, in the original encrypted connection, there’s a TLS handshake that won’t make any sense at all if you’re reading a cleartext connection (note that ATIP does forward metadata about the original encryption, such as key length and cipher, in its NetFlow/IPFIX reporting). So when you forward the cleartext stream, the TLS handshake should be omitted. However, if you simply drop the TLS handshake packets from the stream, then the SEQ numbers (which keep count of transmitted packets from each side) must be adjusted to compensate for their omission. And every TCP packet includes a checksum that must also be recalculated around the new decrypted packet contents.

If you open up the decrypted output from ATIP, you can see all of this adjustment has taken place. Here’s a PCAP of an encrypted Netflix connection that has been decrypted by ATIP:

The Importance of State

You’ll see there are no out-of-sequence packets, and no indication of any dropped packets (from the TLS handshake) or invalid checksums. Also note that even though the encrypted connection was on port 443, this flow analysis shows a connection on port 80. Why? Because many analysis tools will expect encrypted traffic on port 443 and cleartext traffic on port 80. To make interoperability with these tools easier, ATIP lets you remap the cleartext output to the port of your choice (and a different output port for every encrypted input port). You might also note that Wireshark shows SEQ=0. That’s not the actual sequence number; Wireshark just displays a 0 for the first packet of any connection so you can use the displayed SEQ number to count packets.

The following ladder diagram might also help to make this clear:

The Importance of State

To make Ixia’s SSL decryption even more useful, we’ve also added a few other new features. In the 1.2.1 release, we added support for Diffie Helman keys (previously, we only supported RSA keys), as well as Elliptic Curve ciphers. We’ve also added reporting of key encryption metadata in our NetFlow/IPFIX reporting:

The Importance of State

As you can see, we’ve been busy working on our SSL solution, making sure we make it as useful, fast, and easy-to-use as possible. And there’s more great stuff on the way. So if you want to see new features, or want more information about our current products or features, just let us know and we’ll get on it.

More Information

ATI Processor Web Portal

Wikipedia Article: Transmission Control Protocol (TCP)

Wikipedia Article: Transport Layer Security (TLS)

Thanks to Ixia for the article.

Taking a Quantum Leap in Network Visibility

In our area of technology, we often think of our products in terms of how they compare to the rest of the products in the same market segment. Maybe we can highlight one facet of a unique feature and point out how nobody else offers it – or at least not in that way. It is tempting to compare features line-by-line when you have competitors who offer products that are generally similar. But now I have the opportunity to talk about a market where nobody else has gone. Ixia can show something that is truly game-changing for our customers.

Application intelligence (the ability to monitor packets based on application type and usage) is now available to provide the application and user insight that is desperately required. This technology is the next evolution in network visibility.

Application intelligence can be used to dynamically identify all applications running on a network. Distinct signatures for known and unknown applications can be identified and captured to give network managers a complete view of their network. In addition, well designed visibility solutions will generate additional (contextual) information such as geolocation of application usage, network user types, operating systems and browser types that are in use on the network.

So let’s just get this out of the way. Nobody else has anything like Ixia’s Application and Threat Intelligence (ATI) Processor. I can’t talk about how others stack up, because they just don’t have anything like this at all.

So rather than do a typical competitive analysis line-by-line, I am going to walk through the solution high points that raised eyebrows and engaged customers at the recent Cisco Live and Black Hat tradeshows.

What Is It?

Ixia’s ATI Processor is best described like this:

  • It’s a fully-featured 48x10G NTO blade that populates the 7300 chassis. It enables all standard visibility features that are so popular on the NTO: best-in-class GUI with drag-and-drop configuration, advanced filter compiler, 48x10G/1RU port density, all the stuff we already know and love. It is not some strange new thing you don’t understand and don’t know how to put into your network. It’s at the core a completely functional blade for the 7300. Think of it like 3/4 of a 5288 on a blade.
  • Did I mention, this is a normal NTO blade? Yes, you are going to use this in your visibility network you are already deploying. And of course it will talk to all the other ports and resources in the 7300 chassis.
  • It has, hidden inside, a whole different kind of product. This is the ATI Processor Resource. The ATI Processor Resource dramatically extends what can be done to monitor the network traffic that is already being passed through the blade.
    • Using the technology we learned from our BreakingPoint acquisition, the ATI Processor can recognize applications based on signatures, which involve much more than just domain names, or TCP port numbers, or the other things we have traditionally used to have to use to try and classify application traffic. The system comes pre-loaded with hundreds of signatures for known applications; and it can learn new ones on the fly as traffic happens in real time.
    • All kinds of details about these applications are revealed in the ATI Processor Dashboard, which runs in a browser window (not in the NTO Java-GUI).
      • IP addresses (source/destination)
      • Geography (city, country, latitude and longitude, both source and destination)
      • Application Identifier
      • You can create filters to watch these things
      • Orthogonal views are available; “why is someone in <insert country where we don’t have an office> accessing our SVN repository? WHO is it?”
      • Many other things. All the stuff you can’t do with ordinary network statistics, we can do with ATI Processor.
    • NetFlow can be generated based on all of these new data detected by the ATI Processor. Not just any NetFlow, but also IxFlow, which extends NetFlow with dozens of new fields including all of the interesting stuff like geography and application ID.
    • This IxFlow is integrated into more and more of the NetFlow tools you are already using, like Splunk and Plixer.
    • Multiple NetFlow exporters are supported
    • NetFlow can be assigned to any 1 port on the ATI Processor card
    • All ports on the card share this ATI Processor resource. Traffic sent to the ATI Processor resource goes through a dynamic filter that is attached to the ATI Processor and configured in the NTO GUI. You can filter what traffic you want to be analyzed in this filter. Traffic goes into this filter and the output is preset to go to the ATI Processor. The ATI Processor is, therefore, sort of “out of band” to the flow of traffic from network to tool ports in the NTO. You just attach the port you want to monitor to the ATI Processor filter, and voila, it gets the ATI Processor treatment. It doesn’t affect the other uses of that port for traditional visibility.


“Hey, I thought you said nobody else has this AT ALL. Lots of products do NetFlow!”

OK, good point. But they don’t have IxFlow, which is where all the cool stuff is. And they don’t have our dashboard. AND they don’t do this in the context of the visibility network you have already deployed. They certainly don’t do this in the class-leading visibility tool such as the NTO.

“Yeah, well half the switch vendors and IDS and firewalls also do NetFlow, and I already have those things in my network . . .”

Remember, I said not to get hung up on NetFlow. We are talking about IxFlow! And switches and firewalls don’t:

  • Perform the kind of filtering we do, especially hitless with our killer GUI and all the other reasons you can’t use a switch in place of an NTO
  • Handle the rate of traffic flow the ATI Processor can handle and generate IxFlow
  • Integrate with your existing visibility architecture
  • Have access to traffic at all the points where you currently have Taps
  • Integrate traffic flows with other advanced features… like do NetFlow plus deduplication plus 1µs accurate timestamping plus load balancing...
  • Seriously, are you going to put a switch inline with every NTO port just to get it to generate NetFlow on the traffic you are monitoring? That doesn’t make much sense. It’s simpler, less expensive, and much more effective to just deploy the ATI Processor.

“Speaking of the dashboard, doesn’t this make us a competitor with tools like Splunk and Plixer?”

No. While the ATI Processor dashboard is very useful for configuration and some general debugging and visibility, it is not a dedicated and refined reporting tool on the level of our tool partners like Splunk and Plixer. However, our IxFlow greatly enhances what you can get out of a tool like Splunk or Plixer. I like to think of it like this: the ATI Processor supercharges your NetFlow reporting tools that you already have!

OK, You Have My Attention. How Do I Know it Will Work For Me?

The biggest challenge I have experienced regarding the ATI Processor is not in the value it brings or the utility of the solution. Mostly it’s just that customers are not used to looking for something like this from Ixia. Here’s what I learned from customers at Black Hat and Cisco Live.

  1. If you are thinking of Ixia’s NTO products, you are already interested in network visibility. You care about monitoring the traffic on your network. You understand the value of keeping an eye on what your users are doing, being able to debug issues on the fly, and you have invested in tools and resources to make this work. The ATI Processor blade in a 7300 is a natural part of this visibility plan.
  2. In the classic sense, the NTO has always monitored network traffic in terms of bytes and addresses and VLANs and that kind of thing. But when a user on your network has an outage, they experience it in terms of the application. You don’t get a call into the help desk saying, “all VLAN 19 traffic with destination is being dropped at my desk”. You get a call saying, “I can’t complete a VOIP call” or “why can’t I connect to our SVN server”. Users see the network in terms of applications and you should have a way of monitoring it in those same terms. The ATI Processor delivers just that.
  3. There are some ways where visibility of application-based traffic indicators such as those shown on the ATI Processor can be critical to your business. For example, let’s say you have an internal network with data on it that is shared across many geographies, but is important to be kept secure. That data may be summarized as an application, like, Perforce or Exchange. You probably would like to know it when someone from a geography where you don’t have an office is accessing those applications on your intranet, right? Or what if you see a discovered dynamic app called “” show up on your network. That’s spoofing! You didn’t even know to look for it, which is why spoofing works for the bad guys. Wouldn’t you like to be able to rapidly see who all of the users are on the network who have used this application so you can notify them of the breach?
  4. Also, maybe there is application traffic behaviors that indicate changes in your customers’ patterns that you would like to know. For example, if you are a cable provider who also offers internet service, you would probably like to track the trend of the use of your own VoD service vs. competitors like Vudu and NetFlix, right? You’d like to know when a new competitor pops up, right? This gives you visibility not only into packets and network behaviors, but also into the potential future of your business.
  5. Remember, the ATI Processor dynamically learns about new applications when they come up on your network. Nothing is going to catch you off guard.

Now, the key to all of this is, you are already deploying a visibility network. That’s the key. Don’t think about the ATI Processor as a whole new thing you have to deploy which also happens, by the way, to have 48 ports of NTO on it. Think of it as a 48-port NTO blade that does everything you need for traditional visibility, plus a ton of other things you really want but didn’t even know we offered.

In hundreds of conversations with Ixia visibility customers and those interested in our visibility products, not once has anyone told me they were not interested in what the ATI Processor does. On the contrary, most of you are already thinking about this problem and may even be actively working on solving it, but you just didn’t know to ask our sales team about it, because maybe you think you are stuck going to other sources for this kind of thing. Now you know that Ixia offers a tool that does this, especially as an accessory to their class-leading NTO. This is game-changing!

Not Just For NTO Users

The reality is that IxFlow supercharges what you can do with a tool like Plixer or Splunk. You may very well already be a user of a NetFlow analysis tool, but you might not yet be an Ixia NTO user. You have bought and invested in the kind of thing the ATI Processor does best, but you are not using it to its full potential. The ATI Processor is essential to get all of the value from your existing NetFlow tool. We are not competing with these NetFlow analysis tools, we are enhancing those tools while also offering superior visibility.

As you consider the need for both traditional network visibility offered by NPBs as well as NetFlow analysis, truly the best way to accomplish this is with an integrated solution that delivers superior network visibility as well as superior NetFlow capability. The ATI Processor is not only an upgrade over other NPBs on the market, but it is also an upgrade to your NetFlow tools.

The ATI Processor is a game-changing quantum leap in the network visibility space, and really allows the NTO to go where no other packet broker has gone before.

Additional Resources:

NTO Application and Threat Intelligence Processor

Ixia NTO solutions

Ixia Network Visibility Architecture

Thanks to Ixia for the article. 

Application Intelligence For Your Monitoring Tools

Ixia Application Threat IntelligenceApplication intelligence (the ability to monitor packets based on application type and usage) is the next evolution in network visibility. It can be used to dynamically identify all applications running on a network. Distinct signatures for known and unknown applications can be identified, captured, and passed on to specialized monitoring tools in order to provide network managers a complete view of their network.

In addition, well-designed visibility solutions will gather additional (contextual) information on applications and users. Examples of this contextual information include: geo-location of application usage, network user types, operating systems, and browser types that are in use on the network.

With the number of applications used over service provider and enterprise networks rapidly increasing, application intelligence provides unprecedented visibility that enables IT organizations to identify unknown network applications. This level of insight helps mitigate network security threats from suspicious applications and locations. It also allows IT engineers to spot trends in application usage which can be used to predict, and then prevent, congestion.

The Application Intelligence portion of a network packet broker (NPB) is used in conjunction with other components (as part of a visibility architecture) to achieve this heightened level of visibility. For instance, a typical visibility solution has network access points (typically taps), the NPB that providing layer 2 through 4 filtering (in addition to the application filtering information), and dedicated purpose-built monitoring tools (like IPS, IDS, SIEMs, network analyzers, etc.). So, the application intelligence portion doesn’t function as an island but rather an integrated component of the overall visibility solution.

Ixia’s new Application and Threat Intelligence (ATI) Processor, built for the recently announced NTO 7300, brings intelligent functionality to the network packet broker landscape with its patent-pending technology that dynamically identifies all applications running on a network. This product gives IT organizations the insights needed to ensure the network works – every time and everywhere. This is the first visibility product of its kind that extends past layer 4 to layer 7, and provides rich data regarding the behavior and locations of users and applications in the network.

As new network security threats emerge, the ATI Processor helps IT improve their overall security with better intelligence for their existing security tools. The ATI Processor correlates applications with geography and can identify compromised devices and malicious activities such as Command and Control (CNC) communications from malicious botnet activities. IT organizations can now dynamically identify unknown applications, identify security threats from suspicious applications and locations, and even audit for security policy infractions – including the use of prohibited applications on the network or devices.

To learn more, please visit the ATI Processor product page, see our press release, or contact us to see a demo!

Additional Resources:

ATI Processor product page

Ixia NTO 7300

Ixia Visibility solutions

Press release

Thanks to Ixia for the article.

Application Visibility—Going Beyond Network Visibility

Managing networks is no longer about bits, bytes, and packets, but about application behavior and user experience. Managing applications and user experience drives the need for deeper visibility into your network, which comes from making higher-value data available to your network monitoring tools.

Most network packet brokers offer functions that include granular filtering, load balancing, and deduplication, and some even have a packet capture/decode function. But Ixia’s solution goes beyond these data visibility functions to also offer advanced application intelligence.

Scott Register, Ixia Sr. Director, Product Management presented Ixia’s newest product offering that represents a fundamental shift in network packet broker functionality. Ixia’s new Application and Threat Intelligence Processor (ATIP) works with the company’s Net Tool Optimizer (NTO) to provide the real-time application traffic and metadata that is vital to garnering a complete picture of your network via external monitoring tools.

Users can see real-time application-level traffic and metadata through a web API, NetFlow/IxFlow, or an internal dashboard. Adding valuable application information to super-charge your monitoring tools, the ATIP delivers information such as: where users are located, what apps they are using, what handset they are using, and who is having an application failure–even for custom apps.

With the ATIP, your monitoring tools will have access to not just packets, but actionable application insight.

Check out Scott’s show-floor interview.

Application Visibility—Going Beyond Network Visibility


Thanks to Ixia for the article.

Ixia Advances Network Visibility with Real-Time Network and Application Intelligence

New Application and Threat Intelligence Processor delivers smart contextual metadata to monitoring tools enabling customers to make better decisions


Ixia introduced its Application and Threat Intelligence (ATI) Processor, which enhances the network, application and security insights IT organizations get from their existing monitoring tools.

This is the first product of its kind and provides Ixia’s Visibility Architecture with the ability to provide real-time information about users and applications in any format needed – raw packets, filtered packets or metadata. With the number of valid and malicious applications rapidly increasing, this unprecedented visibility intelligence helps IT organizations within large enterprises and service providers to identify, locate and track network applications – including proprietary, mobile and malicious traffic.

News highlights

Ixia’s new ATI Processor for the NTO 7300 brings a new level of intelligence to the network packet broker. Distinct Application Fingerprints and a patent pending dynamic identification capability for unknown applications give network managers a complete view of their networks, including application success and failure tracking. By combining rich contextual information such as geo-location of application usage, handset or device type, operating system and browser type, the ATI Processor helps to identify suspicious activity such as unauthorized BYOD usage or business connections from untrusted locations.

Ixia customers can now leverage their monitoring tools in conjunction with the enhanced information provided by the ATI Processor to spot trends in application usage, user behavior and quality of service with more speed and accuracy. This unique insight can also resolve security concerns such as rapidly spotting Command and Control (CnC) traffic from infected systems and policy infractions from BYOD usage. Previously, IT administrators would have to piece together many independent streams of information in a tedious and error-prone process.

The ATI Processor is backed by the same industry-leading ATI program that fuels Ixia’s test equipment, which includes more than 245 applications and 35,000 malicious attacks and combines frequent Application Fingerprint updates with support of user-defined applications. The specialized hardware employed in the ATI Processor optimizes visibility performance by offloading DPI and metadata extraction, improving tool performance and delivering richer insight into network usage, problems and trends. This functionality delivers greater overall value to our customers.

ATI Processor features include:

  • Dynamic application intelligence capabilities to identify known, proprietary, and even unknown network applications.
  • Enhanced insight including geo-location, handset type, operating system, browser and other key user data.
  • Empirical data generation to identify bandwidth usage, trends and growth needs delivered via API or Ixia’s IxFlow extensions to NetFlow.

For more information watch the video describing the new ATI Processor.

Industry commentary

“The importance of understanding application performance, service quality and security integrity from the network perspective has been steadily rising in both enterprise and service provider settings,” said Jim Frey, EMA’s Vice President of Research, Network Management. “Such visibility is essential for timely assurance and protection of complex applications despite growing traffic volumes and increasing diversity in how end users and subscribers access applications and services. Options for DPI processing and identification at the packet access layer, such as Ixia’s new ATI Processor offering, means valuable flexibility for establishing and sustaining effective visibility.”

“Ixia’s ATI Processor takes the functionality and benefits of a network packet broker to a new level by providing WildPacket’s Network Analysis and Recorder appliances with not just packets, but rich data on applications, geography and users.” said Tim McCreery, president of WildPackets. “By offloading these vital CPU intensive tasks, WildPackets can provide even more real-time visibility into the entire network while recording high-speed traffic for advanced forensics. The joint solution allows customers faster troubleshooting, reduced time to resolution, and shorter network downtime.”

Thanks to Ixia for the article.