
Layer 2 IPS
Existing IDS systems record network traffic, analyse packets and detect threats and attacks by recognising patterns in the data. As a rule, only the TCP/IP data stream is analysed.
The process itself is nevertheless rather elaborate, since detection must be carried out separately for each network segment. At high data volumes, such as in Gigabit networks, packets may have to be discarded for performance reasons, which undermines any reliable security evaluation.
By monitoring the network, macmon prevents unauthorised devices from transmitting Ethernet data packets (Layer 2). macmon does not require sensors or traffic analysers for its operation. By monitoring ARP caches, attacks based on address manipulation can be intercepted.
Implementing and operating macmon requires little effort, even in high-performance networks, since no sensor technology is employed.
macmon's AIR (Active Incident Response)
IDS systems that are not deployed inline will detect attacks from a specific network address, but can only warn, not intercept. As a rule, security systems detect attacks in terms of IP addresses. Since macmon knows the location of every device in the network, it is able to determine the switch port to which an unauthorised or non-compliant device is connected, and can initiate a further rule-based response. Thus, macmon turns a passive IDS into an active Intrusion Prevention System (IPS).
macmon, the "Incident Response System", offers interfaces to existing security solutions such as Computer Associates' Security Command Center, or to solutions from Sourcefire and SNORT.
The macmon "Active Incident Response Option" allows threatening devices detected by an Intrusion Detection System (IDS) or a security management system to be automatically detached from the network or moved to a quarantine network.
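The two mechanisms described above (ARP-cache monitoring for address manipulation, and mapping an offending MAC to its switch port for a rule-based response) as an added illustration in Python; this is example code written for this page, not macmon's own implementation. The ARP snapshots, device inventory, forwarding table and action names are constructed, hypothetical values, and a MAC-table lookup only tells you where a MAC was last seen, so the port location should be confirmed before any automated action is taken.

```python
"""Layer-2 incident detection from ARP-cache and switch MAC-table snapshots."""

# Constructed sample data (hypothetical addresses, not from any real network).
KNOWN_DEVICES = {"00:11:22:33:44:01", "00:11:22:33:44:20", "00:11:22:33:44:21"}
ARP_T0 = {"10.0.0.1": "00:11:22:33:44:01", "10.0.0.20": "00:11:22:33:44:20",
          "10.0.0.21": "00:11:22:33:44:21"}
ARP_T1 = {"10.0.0.1": "00:11:22:33:44:21",   # gateway IP now bound to .21's MAC
          "10.0.0.20": "00:11:22:33:44:20", "10.0.0.21": "00:11:22:33:44:21",
          "10.0.0.99": "de:ad:be:ef:00:99"}  # MAC that is not in the inventory
MAC_TABLE = {"00:11:22:33:44:01": ("sw-core-1", "Gi1/0/1"),      # mac -> (switch, port)
             "00:11:22:33:44:20": ("sw-access-3", "Gi1/0/12"),
             "00:11:22:33:44:21": ("sw-access-3", "Gi1/0/13"),
             "de:ad:be:ef:00:99": ("sw-access-3", "Gi1/0/24")}


def detect_incidents(arp_before, arp_after, known_macs):
    """Compare two ARP-cache snapshots and return a list of incident dicts.

    - "binding_change": an IP's MAC changed between snapshots (possible ARP spoofing)
    - "unknown_device": a MAC that is not in the device inventory
    - "duplicate_mac": one MAC answers for several IPs in the new snapshot
    """
    known = {m.lower() for m in known_macs}
    incidents = []
    for ip, mac in arp_after.items():
        old = arp_before.get(ip)
        if old and old.lower() != mac.lower():
            incidents.append({"type": "binding_change", "ip": ip, "mac": mac, "old_mac": old})
        if mac.lower() not in known:
            incidents.append({"type": "unknown_device", "ip": ip, "mac": mac})
    by_mac = {}
    for ip, mac in arp_after.items():
        by_mac.setdefault(mac.lower(), []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            incidents.append({"type": "duplicate_mac", "mac": mac, "ips": sorted(ips)})
    return incidents


def locate(mac, mac_table):
    """Map a MAC to (switch, port) via the forwarding table, or None if never seen."""
    return mac_table.get(mac.lower())


def plan_response(incidents, mac_table):
    """Attach the switch port to each incident and pick a rule-based action (hypothetical names)."""
    actions = {"binding_change": "shutdown_port", "duplicate_mac": "shutdown_port",
               "unknown_device": "move_to_quarantine_vlan"}
    return [{**inc, "location": locate(inc["mac"], mac_table), "action": actions[inc["type"]]}
            for inc in incidents]
```

In a real deployment the snapshots would be read from routers and switches (for example via SNMP) on a polling interval, and the planned action would be passed to the switch management interface rather than executed from this script.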
Further information available under download center