Startup touts the Terminator of security appliances

MARS stands for Mitigation and Response System. If the product works as Blask describes, it could use a name that more accurately communicates its function--real-time threat detection and quarantining.
Written by David Berlind

Here's something you don't see too often. A product--in fact, an entire company--launching two months ahead of schedule. Although it was originally scheduled to emerge from the startup shadows on November 15, Milpitas, CA-based Protego Networks will officially open its doors earlier than planned after a bit of word-of-mouth advertising sparked some unexpected demand for its MARS line of security appliances.

"Without naming names, we have several government organizations telling us that they need the product now," Chris Blask, Protego's business development vice president, told me. "So we moved the company launch and the FCS (first customer ship) date up to September 15."

The tool appears to be the sort of "Terminator" that network managers were looking for as they wrangled with MSBlaster and Sobig.F during the last few weeks.

Like other security information management (SIM) offerings from companies such as NetForensics and Network Intelligence, MARS understands both proprietary and open management protocols and can aggregate data from a multitude of network sources, including routers, switches, bridges, intrusion detection systems (IDS), and firewalls, and assimilate that information into a snapshot of the havoc that an intrusion is wreaking. "This sort of functionality, where a system says 'your network was torn to pieces and I can tell you why' is rather commonplace these days," says Blask. "Anybody can do that, so we had to go beyond diagnosis, with something that takes action."

Enter the "R" for "response" in MARS. Through a browser-based console (IE 6 and above is required), MARS, as Blask describes it, offers network managers a visual, real-time view of network activity. The view uses changing colors to animate the effects of an attack-in-progress, much the same way the television commercial for Gatorade shows how a few gulps of the sports drink can reinvigorate the translucent likeness of a nutrient-starved human.

Hot zones, which are more like infestation areas where attacks have firmly manifested themselves, show up in red. As routers, switches, firewalls, and other information sources report in with various bits and pieces of network performance information, MARS correlates the data into a visualization of the attack, identifies where action can be taken to cut the attack off before it spreads, and, via protocols like SNMP and Telnet, will even issue the necessary management or reconfiguration commands to automate those actions. According to Blask, some customers like this sort of transparent automation, while others prefer human intervention to approve an action.

As it turns out, MSBlaster is a poster-child for showcasing MARS's talents. Configuring MARS happens in one of two ways. MARS can be programmed by a network manager to put specific devices and agents (such as Cisco's Okena technology) under its surveillance, or it can be set to auto-discover everything on the network that's capable of reporting diagnostic information. In the latter case, the network manager must enter the network's boundaries to keep MARS from trying to discover devices on the Internet.

Once either of these two steps is completed, MARS draws a visual map of the network that shows all of the data collection points. In the case of MSBlaster, the worm propagated itself via port 135. According to Blask, if a MARS system had been keeping its eye on a network that was victimized by MSBlaster, the unusual amount of port 135 traffic across a variety of afflicted observation points would have bubbled up in the MARS console as a potential attack underway. "At that point, if action should be taken, the console operator can be given specific instructions and exact configuration information to disallow port 135 traffic to spread from the source of the attack, or MARS can intervene with an automated response. The attack hits a road block and is subsequently quarantined," Blask said.
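As an added example (not code from Protego or from this article), here is the correlation step Blask describes in miniature: flow records from several observation points are folded together per source host, a source whose port 135 fan-out is seen by more than one reporting device is flagged, and a containment rule is drafted for an operator to approve. The observation-point names, addresses, thresholds and the ACL-style rule text are all assumptions.

```python
from collections import defaultdict

# Constructed sample flow records: (observation_point, src_ip, dst_ip, dst_port).
# One host sweeps port 135 across subnets and is seen by three devices; the
# others are ordinary web traffic or a single RPC call.
SAMPLE_FLOWS = [
    ("core-router",   "10.0.1.50", "10.0.2.1",   135),
    ("core-router",   "10.0.1.50", "10.0.2.2",   135),
    ("edge-firewall", "10.0.1.50", "10.0.3.7",   135),
    ("edge-firewall", "10.0.1.50", "10.0.3.8",   135),
    ("ids-sensor",    "10.0.1.50", "10.0.4.9",   135),
    ("core-router",   "10.0.1.50", "10.0.2.3",   135),
    ("core-router",   "10.0.1.77", "10.0.5.10",  80),
    ("edge-firewall", "10.0.1.77", "10.0.5.11",  443),
    ("core-router",   "10.0.1.88", "10.0.2.20",  135),  # one legitimate RPC call
]


def correlate(flows, port=135, min_targets=5, min_points=2):
    """Map src -> (distinct targets, distinct observation points) for sources
    whose fan-out on `port` reaches min_targets hosts AND is corroborated by at
    least min_points independent reporting devices. Requiring corroboration
    across devices is what keeps a single noisy sensor from raising an alert."""
    targets = defaultdict(set)   # src -> set of destination hosts on `port`
    points = defaultdict(set)    # src -> set of devices that saw that traffic
    for point, src, dst, dport in flows:
        if dport == port:
            targets[src].add(dst)
            points[src].add(point)
    return {
        src: (len(targets[src]), len(points[src]))
        for src in targets
        if len(targets[src]) >= min_targets and len(points[src]) >= min_points
    }


def proposed_response(src, port=135):
    """Draft containment step for the console operator (illustrative ACL-style
    text, not any vendor's exact syntax): block the offending source from
    reaching `port` anywhere else, leaving the rest of its traffic alone."""
    return f"deny tcp host {src} any eq {port}"


def response_plan(flows, port=135):
    """Full detect-then-respond pass: list of (src, evidence, proposed rule)."""
    hits = correlate(flows, port=port)
    return [(src, hits[src], proposed_response(src, port)) for src in sorted(hits)]


if __name__ == "__main__":
    for src, (n_targets, n_points), rule in response_plan(SAMPLE_FLOWS):
        print(f"{src}: {n_targets} targets on 135 seen by {n_points} devices -> {rule}")
```

Raising min_points to 1 would flag the single RPC caller as well once it crossed the target threshold; the two thresholds together are the difference between "unusual traffic" and "attack underway" in the sense the article uses.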