Now shipping in version 4.0, SingleKey™ IA Firewall is a multi-protocol application firewall that is plugged into a data center switch port to form a scalable and highly manageable Secure Network Fabric.
Information Assurance seeks to provide security, integrity and availability for critical enterprise applications, through the deployment of operational controls such as Layer 7 firewalls. Next-generation firewalls, which have generated much marketing fanfare recently, typically provide application-detection and intrusion-detection functions rather than IA.
A properly implemented IA capability resides in the network infrastructure rather than at servers or endpoints. It protects applications and data through behavioral base-lining and proactive controls that can be highly granular and application-specific. IA automates responses to application vulnerabilities as they become apparent, and to “zero-day” and other threats that are identified through threat intelligence.
In addition to being the industry’s most advanced Information Assurance and Application Protection Firewall, SingleKey™, comes with proprietary authorization and entitlement features. It integrates directly with enterprise event-management, logging, reporting and analytics systems, threat-intelligence systems, enterprise identity management, and SSO. SingleKey™ Policy Language (SPL), the most powerful policy-specification language in the industry, defines connection and data constraints for all major application and database protocols (including NoSQL, Cassandra, and Hadoop) used in enterprises, as well as a large and growing variety of protocols used in industrial automation and control. When operating as an inline firewall, SingleKey™ can provide mandatory (blocking) or advisory (non-blocking) enforcement of SPL rules, as well as alerting, logging and reporting. The enforcement mode is highly flexible and can be set on a per-rule and per-flow basis. When operating out-of-band, SingleKey™ provides advisory enforcement, alerting, logging and reporting.
With years of development and production experience, SingleKey™ supports a range of critical enterprise applications, including databases, email systems, identity and entitlement management, Financial Information eXchange (FIX) communications, instant messaging, and collaboration. SingleKey™ has unique features that make it the best platform for protection against internal as well as external threats.
Like other products, SingleKey™ directly remediates a large class of network-level errors, threats and vulnerabilities. Unlike other products, however, SingleKey™ also includes an Adaptive Heuristics capability; an intuitive learning tool that enables SingleKey™ to automatically tune its internal rules to match the characteristics of the application being protected, down to a very fine level of granularity. And these heuristics can be fine-tuned by system administrators.
Bayshore Networks Information Assurance Firewall vs. other enterprise firewalls:
| Bayshore Networks IA Firewall |
Stateful Inspection Firewall | Web App Firewall | Next-gen Firewall |
|---|---|---|---|
| Multi-protocol App Protection | Allow/Deny Based on Ports | Http only App Protection | The “New” UTM (FW+IPS+ App Control) |
| Stop targeted attacks: Insider, APT, Sovereign States, SCADA | Simple Network Locks | Compliance / PCI | Manage and Secure Web 2.0 traffic |
| Full Stream Layer 7 Analysis | Layer 3 | Layer 7 on Http Only | Layer 4 Application Prioritization |
| Protect critical authorized apps | Limited App Protection | Protect http apps | Detect/Block Unauthorized apps |
| Deployed in the infrastructure | Mostly Edge | Edge / DMZ | Mostly Edge |
Bayshore’s approach to mitigating Advanced Persistent Threats (APT) and insider attacks.
APT remediation through endpoint-cleanup is the approach favored by most of the relatively few organizations that are seriously addressing the problem. This is primarily because it’s simple and straightforward. Periodic sweeps of the endpoints in an internal network seek to identify computers in which critical system files have been modified or rogue processes are running. These hosts are then taken offline and either rebuilt or replaced.
While straightforward, this approach is fundamentally reactive. It relies on static analysis (which doesn’t succeed in detecting all attacks), and operates out of band. It would be ideal to combine endpoint analysis with a real-time proactive approach that can detect APT behavior in real time, and selectively report, obfuscate, or even block the behavior.
At Bayshore Networks, we have developed exactly this model of APT response. Our approach depends on continuous, in-line analysis of traffic on all network links which access critical servers and information resources. The approach is equally suitable for enterprise networks and for industrial control systems.
In order to reliably detect APT behavior as it happens, it’s necessary to analyze network traffic at the stream level. APT attacks with privilege escalation operate through application accesses that, to network monitors, appear to be fully normal in terms of 1) network source addresses; 2) protocol syntax-correctness; and 3) authentication/authorization.
This means that existing network monitors and firewall products are unable to detect and characterize APT.
The Bayshore Networks approach combines three essential features to solve this problem:
- •Pervasive network presence. Also dubbed “secure network fabric,” this requires that a protocol-inspection capability be present on all links in a complex application structure, including the links to secondary application tiers. Existing firewall approaches typically are restricted to Internet or WAN-facing links, in essence isolating servers from users, but not servers from other servers.
- •Deep protocol analysis. This requires Layer 7 analysis of protocol streams, not just packets. The stream inspectors must be able to isolate all elements of a data protocol, especially those containing data inputs from clients. So-called deep-packet inspection does nothing to address this requirement.
- •Heuristic base-lining. The application inspection system must construct a rich and multi-dimensional baseline of the behavioral patterns of each application, and store the baseline in a database that can be continuously expanded. The database is then used to detect anomalous behavior in real time. The detected anomalies are often indicative of APT attacks in progress. The predictive power of the heuristic baseline is dependent on the granularity and dimensionality of the data collection, a requirement that must be balanced against the impact on application performance.
See Bayshore White Paper on “Advanced Persistent Threat: From Detection to Remediation”
View our white paper »
Bayshore Networks
Follow @Bayshorenet
EMail Us
Connect with Bayshore