Sep 28 2015
Security

Product Review: FireEye NX-1400 1U

The threat prevention appliance stops attackers in their tracks.
by

David Strom is the author of two books on computer networking, along with thousands of articles on various IT topics. Follow him on Twitter: @dstrom

As cybercriminals exploit infected web pages to launch targeted attacks on state networks, security appliances are essential to thwarting them. The FireEye Network Threat Prevention NX-1400 1U appliance can protect up to 100 users from a variety of zero-day malware and multiprotocol attacks.

Products that employ signature-based scanners such as traditional anti-virus tools and less capable network-based intrusion prevention systems aren’t any match for these kinds of blended attacks. The latest exploits automatically look for weaknesses in endpoints (such an outdated version of Adobe Flash or an antiquated browser) and deposit malware.

The NX-1400 complements other security tools because it focuses on stopping the most advanced and pernicious malware from permeating the network.

How the NX-1400 Catches Exploit Attempts

When the NX detects an exploit, it examines network activities such as downloaded files or connections to the malware’s command-and-control servers or DNS queries. The FireEye appliance alerts security managers to potential threats as they’re happening in near real time. Managers can set the product to automatically block attacks or operate in a pass-through mode.

The NX performed as expected, showing the path that pieces of deliberately introduced, flash-based infections took through our network of test Windows 7 machines. These infections were typical of similar attacks that would take just a few minutes to execute, yet the security appliance detected and neutralized them and showed us how the infections would have worked if they hadn’t been stopped.

Like other security vendors, FireEye has its crowdsourced Dynamic Threat Intelligence subscription service. Millions of network sensors based all over the world are constantly reporting current malware tactics and threat activities, and this information is incorporated into the analysis used by the NX products. A subscription offers hourly updates, and for an additional fee, you can also receive information about threat actor profiles and why someone might target your organization.

FireEye offers a variety of NX models, and the NX-1400 is the second smallest in this line. Organizations that have a larger number of users or a lot more network throughput should consider a device with greater capacity.

Specifications

Ports: 2Gbps network monitoring
Storage: 500GB for logging and audit files
IPS Rating: 20Mbps
Users Supported: Up to 100 Windows PCs
Threats Blocked: Both inbound and outbound malware types

How the FireEye NX-1400 Stops Attacks

Most modern browser-based malware is highly sophisticated in how it operates. First, the malware’s code checks for particular vulnerabilities in the PC that has brought up an infected web page. Once a way into the PC is found, the exploit places code in memory and downloads a file to launch an attack. Most security products either look for a file signature, some kind of executable program or other evidence of malware, and the attackers have learned to evade many of these searches.

The FireEye NX-1400 threat prevention appliance excels in pulling all the pieces of an attack together: For example, the downloaded code may span across a Flash object, something that resides in memory and some Javascript that is part of the web page itself. It does this by having a series of virtual operating system images that run on its box to see what happens when a user brings up a particular web page, and what results from that visit.

Instead of a traditional intrusion detection system that uses a catalog of previous attack signatures, FireEye looks at what is actually being compromised by the attack: what network connections are made to botnet control servers, the actual data on a PC that is sent across the Internet, and a running process that can be used to run remote control sessions on the infected PC. The NX-1400 blocks those activities and records, creates a summary and reports the appropriate alerts to security managers.

FireEye

More On

Related Articles

Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT

Subscribe Now