Security reaches TippingPoint at firm

When Cannex Financial Exchanges Ltd.’s firewall came under attack during the virus flood of 2003, the firm knew it was time for a change. The Nachi worm, one of many that hit the Internet last summer, took its toll on Cannex’s Checkpoint firewall, causing the device to almost max-out.

The event caused a domino effect at this Toronto-based financial services firm. Its tech staff had to make sure nothing was getting by the firewall, research solutions and begin patching servers. Cannex also faced a big Web bill.

“Our Internet bandwidth was way out there,” said Steven Waters, the company’s vice-president of systems. “We pay on a burstable band-rate. We were going up into the next tier.…We had to control it at our end.”

Cannex got lucky in one respect: its service provider Q9 Networks Inc. waived the extra charge of the Nachi-borne bandwidth. But Waters wasn’t willing to rely on luck to save his business from future attacks. He figures he had two options: he could beef up the firewall to handle greater bandwidth. But that would be a temporary solution at best. A quick-moving virus would slow even the fattest firewall.

Or Waters could implement a sort of intrusion prevention device – something to guard the firewall and drop incoming packet streams that appear to be malicious. Enter TippingPoint Technologies Inc. and its UnityOne Intrusion Prevention Appliance, which does just that. Waters had the box installed in front of the firewall to seek out malicious data streams.

According to TippingPoint, the UnityOne uses an Agere Systems Inc. network processor and custom-built chips to filter out unwanted data. This hardware-based solution, dubbed the Threat Suppression Engine (TSE), means the UnityOne makes quick work of assessing and handling incoming streams.

TippingPoint updates the TSE’s filters as the company comes across new threats. The vendor calls this the Digital Vaccine service. “It’s analogous to what you get in the antivirus world today,” said Marc Willebeek-LeMair, CTO of TippingPoint in Austin, Tex. The UnityOne recognizes more than 800 kinds of Internet threats, including the Nachi worm, trojan horses and denial-of-service set-ups. It can handle bandwidth ranging from 200Mbps to 2Gbps. UnityOne is meant to complement a firewall. It doesn’t provide the network addressing and VPN termination functionality that a firewall provides, although that could change.

TippingPoint might build an all-in-one, firewall-intrusion prevention product. But “right now most of our customers are looking for best of breed products in each category,” Willebeek-LeMair said. “They’ve got a firewall; they’re happy with it.”

That’s the case at Cannex. Waters said the company would consider a combined firewall-intrusion prevention device, but not necessarily one built by TippingPoint. “If Checkpoint was to put something like this (UnityOne) in their own product, we would probably look at that more seriously than if TippingPoint was to try to take on the firewall business….TippingPoint is still a new company. Checkpoint is an established company, a larger company. For them to bring on new technologies, I’d feel a lot more comfortable with that.”

Waters said he’s impressed by the UnityOne. At Cannex, it’s set up to monitor not only data coming into the company, but also data that’s trying to get out. “If somebody brought in on their laptop a worm and they’re trying to go out through our firewall, TippingPoint would pick that up.”

As well, the UnityOne is designed to act like a passive switch should something go wrong with the filters, so it doesn’t interfere with network performance. Waters said the UnityOne cost more than $50,000 after taxes and the implementation fee, but he also said it’s worth the price.

“It wasn’t necessarily the cheapest solution…but when these types of things happen, money almost is no issue.”