The FireEye difference
Virtualization is FireEye's key differentiator. Its appliances run multiple versions of Windows OSs, browsers, and plug-ins, each in its own virtual machine. Only when malware actually compromises a target (virtual) machine does the FireEye software record a successful attack. Network managers can configure the FireEye appliance to block such attacks, preventing their spread into the enterprise.
We tested the NX 10000 appliance, FireEye's highest-speed device with two 10G Ethernet interfaces. It focuses specifically on Web-based attacks. The company has other product lines for email, mobile, and forensic analysis, but we did not test those.
The NX 10000 operates in tap or inline mode, with the latter optionally able to block attacks. Its content library is updated daily to include new exploits, something we verified in testing with recent zero-day vulnerabilities.
FireEye's technology complements rather than replaces an intrusion detection system (IDS). Unlike an IDS or IPS, it doesn't have a library of thousands of attack signatures. Instead, it looks for actual compromises on its virtual machines. The company says an IDS module is in beta testing, and is slated for general release by the end of the second quarter.
Once the appliance identifies multi-stage malware, it triggers an alert. With a conventional IDS/IPS, a malware alert might say something like "file trojan.exe was detected." In contrast, an NX 10000 alert shows each component of the malware, including callback URLs used to contact command-and-control networks, as seen below.
The appliance's virtual machines represent various service pack levels of Windows 7 and Windows XP, along with many combinations of browser and Adobe Flash and Microsoft Silverlight versions. FireEye wrote its own hypervisor that makes virtual machines appear to run on bare metal. That's useful to thwart exploit kits that skip execution on machines if they detect VMware hypervisors.
The version we tested doesn't yet support Mac OS X virtual machines, though FireEye says Mac support will be available in the third quarter.
Like all security devices, the NX 10000 only detects attacks it can see, and that has network design implications. Placing the appliance at the network perimeter makes sense. So does a hub-and-spoke design that aggregates Internet traffic from branch offices and telecommuters. Enterprises with more decentralized designs might instead consider smaller appliances for each site.
One drawback to having a large appliance at a central site: The NX 10000 lacks built-in high-availability support, instead relying on external systems such as load balancers to avoid a single point of failure.
We tested the NX 10000 in terms of multi-stage malware coverage and performance. We ran coverage and performance tests in both tap and inline modes, and conducted performance tests both with and without attack traffic present.