Mirage protects the LAN

Mirage Networks is wheeling out an appliance designed to halt quick-spreading, LAN-based worms and viruses by neutralizing individual infected machines rather than cordoning off entire parts of affected networks.

Mirage Networks is wheeling out an appliance designed to halt quick-spreading, LAN-based worms and viruses by neutralizing individual infected machines rather than cordoning off entire parts of affected networks.

Called the Mi40 Inverted Firewall, the device intercepts attacks by responding as if it is the targeted host so further attempts never reach the targeted machines. This cuts off the attack without disrupting network access for other devices.

While competitor Silicon Defense performs similar functions, Mirage says its Inverted Firewall can block attacks host-by-host without shutting down access to entire subnets. The Mi40 can intercept traffic from the specific IP ports generating the suspect traffic, making it possible to block the attack but still use the infected machine safely. “They can still do other work on that machine, but it denies the worm the ability to do its damage,” says Michael Disabato, an analyst with Burton Group.

Inverted Firewall connects to mirroring ports on up to four LAN switches at a time, monitoring all their traffic for signs of possible intrusions. These include attempts to reach unassigned IP addresses (something worms do to scan for vulnerable machines), improperly configured packet headers and sudden spikes in the number of IP addresses with which a host tries to talk.

If it suspects an attack against an active IP address, it redirects the attack to itself and drops the traffic. If the suspicious behavior stops and a preset time interval elapses, Inverted Firewall stops intercepting traffic from the suspect machine. The Inverted Firewall also responds to attempts to reach unassigned IP addresses, tying up all the attack threads from the infected host.

Answering messages sent to unassigned IP addresses also can work as an early warning system, says Mark Wilkinson, Mirage CTO and a co-founder of the 2-year-old start-up. Unassigned addresses have a better chance of being hit first or early in an attack that is probing random IP addresses. That is because 80% or more of private IP addresses are unassigned in most corporate networks, he says.

Competing security vendors include NetScreen Technologies and IntruVert Networks, but they are focused more on stopping incursions entering from the WAN.

Inverted Firewall differs from some other intrusion-protection and -detection devices in that it does not sit in-line with traffic, meaning that it does not slow traffic as it works, nor does it block traffic if it crashes.

It also differs in that it bases detection solely on rules about the behavior of network devices, not packet-level signatures. The Mi40 learns patterns of normal network traffic over time, helping it decide what is suspect traffic.

Mi40 Inverted Firewall is expected to be available in the middle of this month and costs $12,000.