Arxceo Ally ip100

Intrusion-prevention devices, unlike intrusion- detection systems, don't just report an intrusion attempt - they react to it as well. These devices are normally found at the enterprise end of the market, but the Arxceo Ally ip100 provides intrusion-prevention services for the SMB at a fraction of the price.

Initial impressions are deceptive. This bright orange device is tiny, but sports two 100Mb/sec Ethernet ports and 64MB of SDRAM under the control of an Intel XScale PXA255 32-bit RISC processor. With an external power supply and no fans or hard disks, it's totally silent.

Arxceo describe the Ally as an anti-reconnaissance device, using anomaly-based intrusion detection. In practice, this means its TAG-UR-IT software detects the precursors of an intrusion attempt, including port scanning, DNS cache poisoning, DNS tunnelling, attempts to reach non-existent addresses and address spoofing. It then rejects the traffic. IP addresses associated with suspect traffic are automatically placed on one of three temporary blacklists, depending on the cause of the blacklisting. They remain there for a user-specified length of time. Persistent nuisances can be placed on permanent blacklists.

Installation was simple. The only documentation provided is a quick-start sheet with installation options, but it doesn't need much more. There are detailed explanations built into the browser-based management interface and further information is available on Arxceo's website. We installed it between our internet connection and our firewall so that it could intercept traffic before it reached our LAN. We left our own Snort IDS running to see if anything got through. Apart from configuring the administrator account, SNMP and syslog messaging options, we used the system defaults throughout. We then ran several internet-based security scans to see what would happen, and left the device in place for several days before comparing our previous firewall logs and IDS reports against those obtained with the device in place.

The device reported the internet-based security scans as port scans and blacklisted them. Most of the internet-based systems gave us a clean bill of health, with no response to any of their probes. One site reported open ports and wasn't blacklisted by the device. Further examination showed that the site had been fooled by the Ally's address authentication algorithm, which was deliberately sending back misleading information. When we compared our firewall logs, we saw a reduction in the number of intrusion-detection entries, and the usual suspects were conspicuously absent. The syslog showed that they'd been detected and blocked by the device and never reached the firewall.

Security can be compromised from the LAN as well as the internet, so port scan detection can be enabled on the LAN side as well. Another security leak can be caused when data in Ethernet packets doesn't fill the minimum 64-byte packet size. The slack bytes at the end may contain useful information to a hacker. The Ally ip100 clears this data before it leaves the network.

There's an issue in that the device represents a single point of failure. It fails closed and the internet connection is lost. There are no fail-over or standby options, so you'll need a spare on the shelf. The Ally isn't a total solution, as it won't detect an SQL injection exploit, for example. But it does deal with common pests with the minimum of fuss.

Author: Ian Parsons