Technology


Current network security technologies are no longer capable of providing effective protection against the ever-increasing and ever-changing cyber threat landscape. The perimeter has become porous as most threats now use HTTP, HTTPS and various email protocols as vectors to enter the network. Next Generation Firewalls and Intrusion Prevention Systems are no longer sufficient to detect and block threats from entering the network. The current generation of network security technologies can only protect against basic and outdated attacks. A new breed of radical new technologies is required to protect against advanced persistent threats and determined attackers.

cognitix has combined German engineering and innovation with decades of user and developer experience in network security to develop two totally new and radical technologies that have the potential to protect the network against the most advanced, insidious and persistent threats.

These two technologies are Inline Real-time Correlation and Dynamic Network Segmentation.

Inline Real-Time Correlation


Today’s attacks on your network are hard to detect. Attackers try to hide in seemingly harmless communication to prevent detection by your Next Generation Firewall and other network security systems. The only way to detect the latest generation of cyber threats is to analyze the behavior of the network in depth. Machine learning methods can detect subtle changes in the communication. Correlating all traffic flows and their associated events, by detecting the relationships and inter-dependencies between seemingly unrelated events in the network, also points to threatening behavior. By analyzing all logs on the firewall, a correlation engine can discover related events in the network traffic across time and across multiple, seemingly unrelated flows. Once relationships between seemingly unrelated events are discovered, they can be analyzed further to determine whether they contain any threats or abnormal behavior that could indicate an attack.

Today correlation is done offline by Security Information Event Management systems (SIEM) with a time lag that can range from a few minutes to a few days. However, what is really needed is a correlation engine that is inline and real-time to detect and stop attacks before they unfold and cause major damage. For the first time, cognitix has developed a high-performance inline correlation engine that can analyze millions of flows and packets in real-time and detect and correlate relationships between seemingly unrelated events regardless of whether those events are occurring in real-time or have happened in the past.

With the cognitix correlation engine, you can build scenarios of multi-staged policies to detect similar or related events in all current and historic network flows. All scenarios are evaluated for each network flow and no traffic can pass through the firewall without being handled by the correlation engine and its scenarios.

Some use cases for which inline real-time correlation can be used:

  • Reduce the false positives of an Intrusion Prevention System (IPS) engine by providing IPS policies that are enforced if, and only if, several IPS events are detected for the same host or group of hosts within a pre-determined period of time.
  • Quarantine a host if it has visited a low-reputation website and has established SSL connections to a country with which it has never previously communicated.
  • Isolate a host that accesses a high-risk, low-reputation website and afterwards initiates outgoing connections using typical decentralized communication protocols such as IRC or Tor.
  • Quarantine a host if it had contact with a “malicious” host within the network and that malicious host accessed a URL with bad reputation in the minutes preceding the communication.
  • Isolate a host attempting a high number of connections to different hosts within a short time. This behavior is typical of an infection trying to spread or of an attempted Denial-of-Service attack.
  • Isolate a host that attempts a high number of connections on different ports to the same host within a short time. This indicates a port scan searching for vulnerabilities.
  • Isolate all hosts involved when more than one host transmits a file with a specified name or name pattern to a certain country.
  • Shape the throughput of RDP sessions when more than two clients establish RDP sessions to the same server.
  • Isolate the client when a host is detected using DNS tunneling.
  • Isolate hosts that established an SSH connection to outside machines within 24 hours after visiting a website with bad reputation and then downloading an .exe file.

For more information download our white paper on the Advanced Correlation:

Download Whitepaper here

Layer 2 Firewalling


Only protecting a network at the outer perimeter is no longer sufficient. Protection also needs to be implemented inside the network. Taken to its logical conclusion, each device would have to get its own segment with a perimeter firewall. Some Next Generation Firewalls provide this functionality using a concept of zones. Each zone has its own IP network and can be used for only one device. This is an administrative overhead that is not feasible for a number of practical reasons. The reason for this approach is that current firewalls are implemented as layer-3 devices, basically as routers with an integrated firewall.

cognitix has taken a different approach and has incorporated the next generation firewall into a layer-2 device. The cognitix Threat Defender can be installed at any point within the network. It can use the layer-7 classification, IPS, URL classification, Data Leak Prevention, inline real-time correlation and enhanced reporting capabilities on all, or only certain, segments of the network. Essentially, the firewall is inserted in the cable between your devices. cognitix has made the firewall a part of the very fabric of the network.

By building a layer-2 next generation firewall, cognitix has also fixed one of the major problems facing administrators today. It is currently difficult to stop compromised devices on the same layer-2 network from accessing other devices on the same network without restrictions. Some administrators solve this problem by adding complex features to their switches, such as “Private VLANs”. This will unfortunately block legitimate traffic between devices. A more elegant solution allows hosts to communicate with each other freely, while ensuring that their access can be automatically monitored and automatically restricted based on Layer-7 contextual policies.

cognitix Threat Defender can act either as a simple connection between two devices or as a switch between several devices. Which mode applies depends on the number of network interfaces of the server on which cognitix Threat Defender is installed, as shown in the graphic.

Layer 2 firewalling

By installing cognitix Threat Defender on a port-dense server you can use it as a “security-aware layer-2 switch”. It does not have the limitations of “Private VLANs”, and administrators are able to block only the risky, specific connections between hosts in the L2 network. This allows administrators to use all the Next Generation firewalling capabilities, the network segmentation, the inline real-time correlation and the enhanced reporting for all traffic between all devices in the network.

Adding security with cognitix Threat Defender is as easy as adding a switch between your devices.


Dynamic Network Segmentation


Traditional networks within a company are secured by segmenting the network into smaller physical segments, separated by defined perimeters. This is mainly because current firewalls can only operate at the perimeter between network segments. cognitix has overcome this limitation using the concept of enriched Network Objects.

Enriched Network Objects are used to group hosts and devices together based on attributes that can be used to determine which devices are part of a Network Object. These attributes are:

  • inclusion and exclusion of individual IP addresses and whole CIDR-notated networks, both in IPv6 and IPv4
  • Physical Network Interface on the firewall
  • VLAN tags
  • MAC addresses

Any combination of above attributes can be used to define which devices are part of a Network Object. The Network Objects are flexible as they can be defined broadly using only one of the above attributes. For example, it is possible to have a Network Object that matches all devices in VLAN 21, but we can also introduce very specific conditions where only devices with IP network 10.10.10.0/27 in VLAN 5 and connected to the physical interface eth8 of the firewall are matched.
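The matching described above, as an added example that is not cognitix code: a small Python model of a Network Object that combines the listed attributes (include/exclude IPs and CIDRs in IPv4 and IPv6, firewall interface, VLAN tag, MAC address), where any attribute left empty places no constraint. The class names, field names and the `office` object with its exclusion are assumptions chosen for illustration; the VLAN 21 and 10.10.10.0/27 / VLAN 5 / eth8 objects are the two cases the text gives.

```python
"""Toy model of enriched Network Objects (constructed example, not product code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence


def _norm_mac(mac: str) -> str:
    """Normalize 'AA-BB-CC-DD-EE-FF', 'aa:bb:...' or 'aabb.ccdd.eeff' to one form."""
    return mac.lower().replace(":", "").replace("-", "").replace(".", "")


@dataclass
class Endpoint:
    """What the firewall knows about one side of a flow (constructed attributes)."""
    ip: str
    interface: Optional[str] = None   # physical firewall interface the frame arrived on
    vlan: Optional[int] = None        # 802.1Q tag, None if untagged
    mac: Optional[str] = None


class NetworkObject:
    """A device group defined by any combination of the page's attributes."""

    def __init__(self, name: str, include: Sequence[str] = (), exclude: Sequence[str] = (),
                 interfaces: Sequence[str] = (), vlans: Sequence[int] = (),
                 macs: Sequence[str] = ()) -> None:
        self.name = name
        # Single addresses and CIDR networks, v4 or v6, are all parsed as networks.
        self._include = [ipaddress.ip_network(n, strict=False) for n in include]
        self._exclude = [ipaddress.ip_network(n, strict=False) for n in exclude]
        self._interfaces = set(interfaces)
        self._vlans = set(vlans)
        self._macs = {_norm_mac(m) for m in macs}

    def matches(self, ep: Endpoint) -> bool:
        """True when every configured attribute agrees with the endpoint."""
        addr = ipaddress.ip_address(ep.ip)
        # `addr in network` is False across IP versions, so mixed v4/v6 lists are safe.
        if self._include and not any(addr in n for n in self._include):
            return False
        if any(addr in n for n in self._exclude):
            return False
        if self._interfaces and ep.interface not in self._interfaces:
            return False
        if self._vlans and ep.vlan not in self._vlans:
            return False
        if self._macs and (ep.mac is None or _norm_mac(ep.mac) not in self._macs):
            return False
        return True


def objects_for(objects: Sequence[NetworkObject], ep: Endpoint) -> List[str]:
    """Names of every Network Object the endpoint belongs to (a device may be in several)."""
    return [o.name for o in objects if o.matches(ep)]


# The two cases from the text plus one constructed object using an exclusion.
VLAN21 = NetworkObject("vlan-21", vlans=[21])
LAB = NetworkObject("lab-eth8", include=["10.10.10.0/27"], vlans=[5], interfaces=["eth8"])
OFFICE = NetworkObject("office", include=["10.0.0.0/8", "2001:db8::/32"],
                       exclude=["10.10.10.0/27"])
ALL_OBJECTS = [VLAN21, LAB, OFFICE]

if __name__ == "__main__":
    for ep in (Endpoint("10.10.10.9", interface="eth8", vlan=5),
               Endpoint("10.10.10.40", interface="eth8", vlan=5),
               Endpoint("2001:db8::1", vlan=21)):
        print(ep.ip, "->", objects_for(ALL_OBJECTS, ep))
```

Because membership is evaluated per attribute, the same endpoint can fall into several objects at once, which is what lets the later sections layer several policy sets on one device.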

In other Next Generation Firewalls the administrator has to define many items, such as interface, zone, VLAN and host IP addresses, in separate sections and then reference each of them individually in every firewall rule. cognitix has removed that complication and merged these items into a simple but powerful Network Object, which is created once and can be used repeatedly in multiple rules simultaneously.

Network Objects are used in the firewall rules to match the source and destination IP addresses of flows. cognitix applies firewall rules to the traffic initiated to, and from, devices in the network using Network Objects. Network Objects are defined once and can be used in several rules to apply a whole set of rules to a group of devices without redefining the group for each rule. Since a device can be part of several Network Objects at the same time, several different sets of rules can be layered and applied to that device.

Administrators can use cognitix Network Objects to easily create logical network segments, introducing these objects in security policies to add protection between their network segments.

Dynamic Network Objects

To extend the functionalities of static Network Objects, cognitix developed the concept of Dynamic Network Objects. These are lists of individual IPv6 and IPv4 addresses in which addresses can be added dynamically and are removed either by explicit action or by an automatic timeout. The functionality of Dynamic Network Objects has been extended by adding a new type of action to the firewall rule language. This action adds the source or destination IP of a flow to a Dynamic Network Object. The Dynamic Network Objects can then be used to match source and destination IP addresses of flows in further firewall rules to dynamically apply policies to all traffic of a device depending on the behavior of that device.

This is a radically new concept that has never been seen before in any other firewall. This is a paradigm shift in firewall rule management. Dynamic Network Objects can bring automation to network protection and prevent administrators from manually maintaining huge and unwieldy network object lists.

Administrators using contemporary firewalls have to consult reports and find the hosts in the office network which have contacted URLs with a bad reputation score. They then need to create a new network object and manually assign those hosts to it. Then they have to add a policy for that network object that denies its access to important database servers. If the next day another host in the network visits another URL with a low reputation score, that host would not be blocked by the same policy, since it is not included in the network object. With the cognitix Threat Defender, a simple firewall rule adds visitors of bad-reputation URLs to a Dynamic Network Object ‘bad reputation visitors’. A second firewall rule denies that network object access to the important assets within the company. These two firewall rules remain effective for weeks without the administrator having to look at a single report to find misbehaving hosts or to edit a list of hosts.

Another problem with contemporary firewalls is the inability to completely block access of internal hosts to the rest of the network once the Intrusion Prevention System, or other malware detection systems, has identified these hosts as infected. The administrator has to manually sync the list of offenders from the IPS with the list of blocked hosts in the firewall. None of the hosts in that network object regain their access rights after the issues have been resolved until the administrator removes them manually. By using Dynamic Network Objects, administrators can easily define a policy that automatically adds every source host in the network for which the IPS has found an infection to a Dynamic Network Object. The various access restriction policies can then be applied to that object. The administrator does not need to manually find the offending, and possibly compromised, hosts in the reports nor to add them to the network object on a daily basis. The entire process is done automatically, without further involvement by the administrator. The timeout feature of Dynamic Network Objects blocks those hosts for a defined amount of time, not until the network administrator remembers to reinstate them.
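The two scenarios just described (the ‘bad reputation visitors’ rule pair and the IPS-offender object), together with the first correlation use case above (enforce only after several IPS events for the same host within a time window), as an added Python example that is not cognitix code and does not use the product's rule language. Each Dynamic Network Object here is an IP set whose entries expire automatically or are removed explicitly; rule actions add a flow's source address to it, and a later rule matches on membership. Rule names, the 3-events-in-60-seconds threshold, the one-hour timeout, the event labels and the 10.0.5.0/24 "critical assets" range are all constructed assumptions.

```python
"""Constructed model of Dynamic Network Objects fed by rule actions (not product code)."""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass
class Flow:
    """One observed flow plus the events other engines attached to it (constructed)."""
    ts: float                      # seconds since start of the trace
    src: str
    dst: str
    events: Tuple[str, ...] = ()   # e.g. ("ips:exploit-attempt",) or ("url:bad-reputation",)


class DynamicNetworkObject:
    """IP set whose entries expire `timeout` seconds after they were (last) added."""

    def __init__(self, name: str, timeout: float) -> None:
        self.name = name
        self.timeout = timeout
        self._expiry: Dict[str, float] = {}

    def add(self, ip: str, now: float) -> None:
        ipaddress.ip_address(ip)                 # accept only valid IPv4/IPv6 literals
        self._expiry[ip] = now + self.timeout    # re-adding refreshes the timer

    def remove(self, ip: str) -> None:           # explicit removal by the administrator
        self._expiry.pop(ip, None)

    def contains(self, ip: str, now: float) -> bool:
        exp = self._expiry.get(ip)
        if exp is None:
            return False
        if now >= exp:                           # lazy expiry on lookup
            del self._expiry[ip]
            return False
        return True


class PolicyEngine:
    """Evaluates three rules against every flow, in order, and returns a verdict."""

    def __init__(self, critical_assets: str, ips_threshold: int = 3,
                 ips_window: float = 60.0, quarantine: float = 3600.0) -> None:
        self.critical = ipaddress.ip_network(critical_assets)
        self.ips_threshold = ips_threshold
        self.ips_window = ips_window
        # Both objects are populated only by rule actions, never by hand.
        self.bad_visitors = DynamicNetworkObject("bad reputation visitors", quarantine)
        self.ips_offenders = DynamicNetworkObject("ips offenders", quarantine)
        # Sliding window of IPS event timestamps per source host (the correlation state).
        self._ips_hits: Dict[str, Deque[float]] = defaultdict(deque)

    def handle(self, flow: Flow) -> str:
        now = flow.ts
        # Rule 1: a flow to a bad-reputation URL adds its source to the object.
        if "url:bad-reputation" in flow.events:
            self.bad_visitors.add(flow.src, now)
        # Rule 2 (correlation): add the source only once `ips_threshold` IPS events
        # fall within `ips_window` seconds, so a single alert changes nothing.
        hits = self._ips_hits[flow.src]
        hits.extend(now for ev in flow.events if ev.startswith("ips:"))
        while hits and now - hits[0] > self.ips_window:
            hits.popleft()
        if len(hits) >= self.ips_threshold:
            self.ips_offenders.add(flow.src, now)
        # Rule 3: members of either object may not reach the critical assets.
        dst = ipaddress.ip_address(flow.dst)
        if dst in self.critical and (self.bad_visitors.contains(flow.src, now)
                                     or self.ips_offenders.contains(flow.src, now)):
            return "deny"
        return "allow"


def run_trace(engine: PolicyEngine, trace: List[Flow]) -> List[str]:
    """Verdict for each flow in order; membership state carries across flows."""
    return [engine.handle(f) for f in trace]


# Constructed trace: one host visits a bad URL, one trips the IPS threshold, one does not.
TRACE = [
    Flow(0,    "10.0.1.10", "10.0.5.20"),                             # allow
    Flow(1,    "10.0.1.10", "203.0.113.7", ("url:bad-reputation",)),  # allow, host recorded
    Flow(2,    "10.0.1.10", "10.0.5.20"),                             # deny: now a member
    Flow(3,    "10.0.1.10", "198.51.100.9"),                          # allow: not a critical asset
    Flow(10,   "10.0.1.11", "10.0.5.20", ("ips:exploit-attempt",)),   # allow: 1 event
    Flow(20,   "10.0.1.11", "10.0.5.20", ("ips:exploit-attempt",)),   # allow: 2 events
    Flow(30,   "10.0.1.11", "10.0.5.20", ("ips:exploit-attempt",)),   # deny: 3 within 60 s
    Flow(100,  "10.0.1.12", "10.0.5.20", ("ips:exploit-attempt",)),   # allow: isolated alert
    Flow(3700, "10.0.1.10", "10.0.5.20"),                             # allow: quarantine expired
]

if __name__ == "__main__":
    for flow, verdict in zip(TRACE, run_trace(PolicyEngine("10.0.5.0/24"), TRACE)):
        print(f"t={flow.ts:>5} {flow.src} -> {flow.dst}: {verdict}")
```

The point of the window in rule 2 is the false-positive reduction from the first use case: host 10.0.1.12 with one alert is never restricted, while 10.0.1.11 is restricted on the flow that carries its third alert. The expiry in `contains` is what lets 10.0.1.10 regain access at t=3700 without anyone editing a list.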

In combination with the Correlation Engine described above, Dynamic Network Objects allow a reaction to changed or unwanted behavior with policies that apply to the whole device and not just to a single flow.

For more information download our white paper on Dynamic Network Segmentation:

Download Whitepaper here