It looks more like an orange paper stapler made of plastic than a fully-featured intrusion prevention device, but we didn’t let that put us off giving Arxceo’s Ally ip 100 the benefit of the doubt. Do complex security devices necessarily have to come in sinister enclosures with blazing lights and multiple interfaces?
Physically, technology doesn’t get much simpler than the Ally, which has only three places into which anything can be plugged: one 10/100 Ethernet port for the LAN, another 10/100 for the WAN, and a tiny 4 volt power port. It has a few status lights, though they are almost too small to see from any distance.
Once you’ve waited for the unit to boot its internal web server – several minutes in all – configuration can be pondered. To make it invisible to potential attackers, the Ally has no IP or hardware MAC address, and as it sits inline as a packet bridge it requires no client re-configuration.
Based on an embedded Linux kernel, around a small pot of memory and an Intel microprocessor, the principle of the Ally is to monitor for a range of security threats without the need for signature-based discovery.
Welcome to the world of behaviour-based detection, a sometimes controversial but always intriguing way of looking at security. Do you stop attacks you already know of using a profile from which to identify and stop them? Or do you block the types of things an attack does, and hope that the generic approach works?
The latter is well established in higher-end products, and is only now coming to mainstream systems such as the Ally. The Ally’s full defence specification overlaps with that of conventional IPS systems, and includes:
- Anti-IP address spoofing protection
- Stops DDoS and DoS attacks, including bounce scanning (see below)
- Anti-DNS manipulation, including cache poisoning and tunnelling
All very interesting, but one of the more intriguing features buried within this is what the maker describes as “anti-reconnaissance countermeasures”. This lets the admin configure the Ally to reply with false responses to, say, ping requests, the simplest means by which hackers find out what resources are on a particular network. Basically, this sends back unreliable information to a potential attacker, leading to confusion.
Systems attempting port, DNS or non-existent destination scanning of any kinds are automatically blacklisted and blocked.
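The signatureless approach to scanners described above can be sketched as per-source behaviour counting over a sliding window: no payload signatures, just how many distinct ports or non-existent destinations one source touches before it is blacklisted and its traffic dropped. This is an added illustration, not Arxceo’s code; the flow-record format, the thresholds and window, and all addresses are assumptions constructed for the example.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # sliding window per source (assumed)
PORT_THRESHOLD = 8    # distinct ports on one host before blacklisting (assumed)
DARK_THRESHOLD = 5    # distinct non-existent destinations before blacklisting
LIVE_HOSTS = {"192.0.2.10", "192.0.2.20"}   # hosts behind the bridge (constructed)

class ScanDetector:
    """Signatureless scan detection: count behaviour per source, not payloads."""

    def __init__(self):
        self.events = defaultdict(deque)   # src -> (ts, dst, dport) in window
        self.blacklist = {}                # src -> reason it was blocked

    def observe(self, ts, src, dst, dport):
        """Feed one connection attempt; return the blacklist reason, if any."""
        if src in self.blacklist:
            return self.blacklist[src]
        q = self.events[src]
        q.append((ts, dst, dport))
        while q and ts - q[0][0] > WINDOW_SECONDS:   # expire old attempts
            q.popleft()
        ports_per_host, dark_hosts = defaultdict(set), set()
        for _, d, p in q:
            ports_per_host[d].add(p)
            if d not in LIVE_HOSTS:
                dark_hosts.add(d)
        for host, ports in ports_per_host.items():
            if len(ports) >= PORT_THRESHOLD:
                self.blacklist[src] = f"port scan of {host}"
                return self.blacklist[src]
        if len(dark_hosts) >= DARK_THRESHOLD:
            self.blacklist[src] = "sweep of non-existent destinations"
            return self.blacklist[src]
        return None

    def forward(self, src):
        return src not in self.blacklist   # bridge decision: drop if blacklisted


def run_sample():
    """Constructed traffic: a normal client, a port scanner and a sweeper."""
    det = ScanDetector()
    for i in range(5):                       # normal client, two ports only
        det.observe(i, "198.51.100.5", "192.0.2.10", (80, 443)[i % 2])
    for i, port in enumerate(range(20, 30)): # ten ports on one host in 2 s
        det.observe(100 + i * 0.2, "203.0.113.7", "192.0.2.10", port)
    for i in range(6):                       # six addresses that do not exist
        det.observe(200 + i, "203.0.113.9", f"192.0.2.{100 + i}", 445)
    return det
```

A scanner that spreads its probes wider than the window is not caught by this rule, which is the usual trade-off between window length and false positives in behaviour-based detection.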
The unit logs all events locally, or they can be sent, SNMP fashion, to a remote management information base (MIB). It would have been nice to have had a way of generating an alert email to a remote address, because this would suit the SME type of network the Ally is likely to be used on.
The Ally’s considerable abilities belie its humble looks, and this will probably be its biggest problem when it comes to sales. If you can overcome this first impression, there’s a lot to like about it. There are some who will see most of what the Ally does as something that should come with their firewall, but that misses the point. The Ally’s job is to look at network traffic for anomalies, not to worry about what it is protecting. Moreover, it does this without complex configuration or management – it works out of the box – or the need to develop policies.
It is a case of switch on and more or less forget.
The Ally ip 100 is distributed in the UK by Lindy Electronics.
Can your firewall and software clients do most of what this device does? Probably not all of it. The Ally is an oddity, out on its own. Having said that, protecting yourself from things like DDoS attacks is something that is turning up in firewalls, so buying into its promises is something that needs careful assessment.