
Overview of Automated Quarantine Engine (AQE)


Presentation Transcript


  1. Overview of Automated Quarantine Engine (AQE): Automation of isolation of misbehaving network devices

  2. Agenda
  • What it does
  • Network Components
  • Hardware Components
  • Configuration
  • How it works
  • Screen views
  • Logging
  • Competition
  • Performance and Limitations
  • How to sell

  3. What it does
  • The AQE is designed to quarantine computer devices on the network that an IDS has detected violating certain policies. These policies can be any one or a combination of the following:
    • Virus-related signatures (traffic patterns)
    • Blocked web sites
    • Hacker attempts (traffic indicating an attempt to launch an attack)
    • Violation of any policies that have been set up in the IDS

  4. Network Components (diagram; labelled elements: Network Users, Layer 2 Switches, Layer 3 Switches, IDS System (Pre-Existing), AQE Server)

  5. Hardware Components
  • Hardware requirements – server capable of running:
    • OS (Linux Red Hat 9 tested)
    • Perl (version included in Red Hat 9 tested)
    • Web server (Apache/PHP 4.3 included in Red Hat 9 tested)
    • snmpwalk (Net-SNMP included in Red Hat 9 tested)
  • Layer 3 switch – AOS supported. Must expose the MIB-2 ipNetToMediaTable (ARP table); theoretically possible to support others
  • Layer 2 switch – AOS supported

  6. How it works
  • IDS (or other system) identifies a misbehaving device and sends the offender's IP address to the AQE server
  • The AQE server then:
    • Searches the L3 routers for the IP address (returns the MAC address)
    • Tells all switches to create a MAC Address VLAN rule that moves the offending MAC address into the Quarantine VLAN
  • Options
    • Automatic – MAC is moved without intervention
    • Make Candidate – MAC is put on the Candidate list (requires user intervention to move it into the Quarantine VLAN – useful for an IDS with a lot of false positives)
    • Never banish – MAC is never banished
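The decision flow on this slide, as an added Python model that is not the product's own Perl code: it parses constructed Net-SNMP output of the MIB-2 ipNetToMediaTable (the L3 ARP lookup) to map the offender IP to a MAC, then applies the Automatic, Make Candidate and Never banish options, and refuses to push a rule once the 1024-rule AOS cap from the Performance and Limitations slide is reached. The addresses, mode names and action strings are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `snmpwalk -v2c -c public <L3 switch> ipNetToMediaPhysAddress`
# output (hypothetical addresses); the real AQE walks this table on each L3 switch.
SAMPLE_ARP_WALK = """\
IP-MIB::ipNetToMediaPhysAddress.3.10.1.5.20 = STRING: 0:c:29:3a:1b:7c
IP-MIB::ipNetToMediaPhysAddress.3.10.1.5.21 = STRING: 0:50:56:aa:bb:cc
IP-MIB::ipNetToMediaPhysAddress.5.10.1.7.9 = STRING: 0:e0:b1:12:34:56
"""
MAX_VLAN_RULES = 1024  # AOS limit on MAC-address VLAN rules per switch (slide 11)
ARP_LINE = re.compile(
    r"ipNetToMediaPhysAddress\.\d+\.(\d+(?:\.\d+){3}) = STRING: ([0-9a-fA-F:]+)")

def parse_arp_walk(text):
    """Return {ip: mac}; MACs normalised to zero-padded lower-case octets."""
    table = {}
    for ip, raw in ARP_LINE.findall(text):
        table[ip] = ":".join(f"{int(o, 16):02x}" for o in raw.split(":"))
    return table

@dataclass
class AQE:
    arp: dict                          # IP -> MAC, built from the L3 switch walks
    mode: str = "automatic"            # "automatic" or "candidate" (assumed names)
    never_banish: set = field(default_factory=set)
    quarantined: set = field(default_factory=set)   # one MAC VLAN rule per entry
    candidates: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def handle_offender(self, ip):
        """Process one IDS alert; returns (action, mac) and appends a log line."""
        mac = self.arp.get(ip)
        if mac is None:
            action = "no_arp_entry"        # L3 lookup failed: nothing to quarantine
        elif mac in self.never_banish:
            action = "never_banish"
        elif mac in self.quarantined:
            action = "already_quarantined"
        elif self.mode == "candidate":
            self.candidates.add(mac)       # operator must confirm (false-positive-prone IDS)
            action = "candidate"
        elif len(self.quarantined) >= MAX_VLAN_RULES:
            action = "rule_limit_reached"  # no room for another rule; must be alerted on
        else:
            self.quarantined.add(mac)      # push MAC VLAN rule -> Quarantine VLAN to all switches
            action = "quarantined"
        self.log.append(f"{ip} {mac or '-'} {action}")
        return action, mac
```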

  7. Candidate Screen

  8. Banned Screen

  9. Software Elements (Deliverables)
  • Zip file containing:
    • Perl scripts
    • Web pages
    • Configuration files
  • Comes attached to a Professional Services Engineer ONLY.
  • Server with Apache, Linux 9.X or above
  • SNMP software
  • Perl

  10. Logging
  • ASCII log file, rolled over each day
  • Possible to send email upon automated action
  • Possible to write a syslog event
  • Possible to generate a trap to send to OmniVista for the Notification Service

  11. Performance and Limitations
  • Scalability
    • Each MAC address moved into the quarantine VLAN requires one MAC Address VLAN Rule
    • In AOS, there is a maximum of 1024 rules per switch
  • Performance
    • Estimated 30 to 120 seconds from the time the IDS generates the command to the time the device is moved into the quarantine VLAN
    • High variance expected due to server capabilities, network load, IDS load, etc.
    • Performance expected to decrease as monitored network size increases.

  12. What it does not do
  • AQE requires an external IDS system:
    • Security policies defined and in place
    • IDS configured and functioning
    • Snort functioning today; others should be possible
  • AQE is a cop, not a lawyer or judge:
    • Security policies are not checked
    • Enforcement only
  • OmniVista has no interface to, control of, or awareness of AQE
  • AQE can be triggered by systems other than an IDS. All that is needed is an IP address to start the process.

  13. So how do I sell it?
  • Part Number is 801915-00
  • Price is on the WW Price List
  • Not to be sold without the Professional Services AQE Service
  • Customer support is the same engagement as a new installation. It has a 90-day warranty.
  • Marketing slicks
  • What about positioning ideas, vertical positioning…
  • Can be sold through BP

  14. Contacts
  • Ask John Matthews
  • EMAI: Roger Fonseca, +33-15-566-3980
  • APAC: Wyn Thomas, +86-138-1786-5705
  • NA: Joseph Muhitch, +412-243-6291
  • E-Mail requests:
    • end-service-sales-na@ind.alcatel.com (North America & APAC)
    • end-service-sales-emai@ind.alcatel.com (EMAI)
