Wednesday, May 12, 2010

Network Intelligence across the telecom value chain

Today, I just want to highlight a webcast sponsored by Qosmos and presented by Brian Partridge, Vice President of Enabling Technologies at Yankee Group.

This webcast describes how telecom solution vendors can leverage Network Intelligence Technology for three critical areas of the telecom value chain:
• Billing & Charging
• Revenue assurance
• Service assurance

It is interesting to get the Yankee views on network intelligence and the similarities with our own vision. And no, we didn’t censor any of Brian’s slides ;-)

Jerome

Thursday, April 29, 2010

Staying under the radar

The following article by the Register caught my attention: "NHS computers hit by voracious, data-stealing worm"

The interesting thing is that Qakbot is known malware, well documented by Symantec. Therefore, COTS anti-virus products should catch it, right?

As described on the Register, Qakbot spreads through Web pages that install malware by exploiting patched vulnerabilities in Microsoft’s Internet Explorer and Apple’s QuickTime software. It is able to self-propagate on local networks through file shares. It "moves slowly and with caution, trying not to bring attention to its presence": it is staying under the radar!

For some reason, the National Health Service (NHS) network was hit by a malware which has been known since May 2009… Could it be another sign that COTS cyber security products can be circumvented by advanced malware?

For me, this is just another confirmation that COTS security must be complemented by additional layers of custom-built cyber defense.

Jerome

Sunday, April 18, 2010

Qosmos and Tilera: when 2 leaders join forces, developers win

Qosmos has been working with processor specialist Tilera for some time. Our engineers had already optimized the way Qosmos DPI and Network Intelligence Technology is implemented on the Tilera TilePro.

Today we have gone a step further: we have designed a new DPI and network intelligence card (called ixBoard) based on the Tilera TILExpress-20G.

Why?
  1. 100% x86 CPU cycles are now available for the customer application, since all protocol decoding is offloaded on ixBoard
  2. Customers can continue to develop applications under x86 while keeping the full benefits of the Tilera 10Gbps card

As an additional benefit, ixBoard also facilitates the work for product designers who are neither experts in multi-core architecture nor in DPI. They are free to do what they do best: develop complete solutions.

We use the 64 cores of the Tilera card to optimize performance and parse traffic in real time. Packets, content and metadata are extracted through the PCIe bus, and streamed as raw data to the buffer. This means that the host can use the data in any way and format. Application developers can remain in their familiar Intel/x86 environments, and the extraction and delivery of traffic data (at 10 Gbps) is transparent for them.

Today, most application developers come from the software world. They are not always familiar with network infrastructure (protocols and packets); they just need traffic metadata and events. Typically, it would take considerable time and energy for them to learn how to develop on multi-core processing, and also to develop the network analysis features needed.

Our initial customer feedback on the offload card is very positive, and the combination of two domains of expertise (Qosmos for DPI + Tilera for multi-core processing) saves them a lot of time, and money, and headaches!

Jerome

Tuesday, March 30, 2010

Is Qosmos right for you?

Sometimes people ask me: “how do I know if Qosmos products are right for me”?

So here are some simple questions to help you decide.

Question 1: Do you need detailed visibility of all network-based activity?
  • Beyond traffic classification > also traffic metadata?
  • Do you require absolutely accurate information?
  • At multi-Gbps speeds?

Question 2: Do you prefer to source DPI and network intelligence externally?
  • Want to focus internal developers on building complete solutions?
  • Looking for pre-developed building-blocks?
  • Need to shorten product development times and accelerate time-to-market?
  • Want somebody else to keep up with constantly evolving Web applications and protocols?
If you answered “YES” to these questions, you should probably check out our technology.

Jerome

Thursday, January 28, 2010

Cap My iPhone? Try This Instead, Mobile QoS Vendors

You have probably read about AT&T’s problems dealing with the perpetually clogged 3G networks in San Francisco and New York:
http://www.wired.com/epicenter/2009/12/iphone-caps/. To solve the problem, AT&T is considering one or all of the following: 1) convincing heavy iPhone users to stop using so much data (despite paying for unlimited plans), 2) introducing caps on data usage, 3) no longer selling iPhones, 4) investing heavily in the network, 5) shutting down streaming of live baseball games…

How can Qosmos Network Intelligence Technology help?

First, we can help mobile service assurance and QoS vendors. Not all solutions are designed to support the huge throughputs generated by unlimited wireless data plans, which means that KPIs can no longer be computed on the entire traffic (as in the past). Instead, service assurance vendors must now select a panel of mobile users and analyze a representative sample to deduce QoS. They can use Qosmos probes to analyze only a portion of the traffic, selected on mobile user IDs (IMSIs), and create a panel of representative users. For video, they don’t need to keep any of the content, but just identify that it is video traffic. The filtered traffic is then forwarded at bandwidths which are manageable for existing solutions. This means that mobile QoS vendors benefit from instant scalability and can remain operational even if traffic throughputs increase dramatically. In this case, AT&T can better optimize subscriber experience and iPhone users are happier!

Second, we can help suppliers of network optimization solutions. They can use Qosmos ixEngine to get full visibility of iPhone traffic and applications. This allows them to work with AT&T to optimize networks, prioritize applications and make many iPhone users happier. Bandwidth could be allocated in a more fair manner, so that heavy users don’t hog all the resources, and AT&T can optimize their investments in 3G network equipment.

Conclusion: you don’t need to cap my iPhone!

Jerome

Thursday, January 21, 2010

Could you have used Qosmos to detect the Operation Aurora cyber attack?

The short answer is: yes!

Let me explain.

A lot has been written about Operation Aurora, so as a reminder, let me just point you to the summary posted on Wikipedia: “Operation Aurora was a cyber attack, conducted in mid-December 2009 and originating in China, against Google and more than 20 other companies, including Adobe Systems, Juniper Networks, Rackspace, Yahoo, Symantec, Northrop Grumman and Dow Chemical”

How to protect sensitive assets against cyber threats

Governments and companies who have sensitive assets all use commercial off-the-shelf (COTS) solutions such as anti-virus, anti-spyware, and intrusion detection systems. These systems provide effective protection against known vulnerabilities, but are not so good at protecting against new, unknown threats: so-called zero-day attacks. And Operation Aurora is a perfect illustration of this.

My experience shows that organizations who need advanced cyber protection must use two layers of defense:
-    The first layer is built by COTS products and its main purpose is to filter out known threats
-    The second layer of defense is a custom-built solution, developed by trusted cyber security teams to identify advanced, Aurora-type threats. Qosmos technology plays a key role by feeding this solution with full visibility over network traffic.


How Qosmos technology could have been used to detect and mitigate Aurora

On the McAfee Labs Blog, I found a good description of the custom backdoor protocol used during Operation Aurora. Technically, the principle of the attack was simple: 1) malware was installed on a PC by a Trojan exploiting a vulnerability in Internet Explorer, and 2) a covert connection was made on port 443 using a custom encrypted protocol, instead of the standard HTTPS protocol encrypted with SSL.

In this case, a custom development based on Qosmos could have detected that abnormal traffic was flowing through port 443 and the system could have been instructed to block the traffic, which would have stopped the attack.
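To make the port 443 check concrete, here is a small sketch added for illustration (it is not Qosmos code and not from the McAfee write-up): it looks at the first client bytes of each flow and flags port 443 flows that do not begin with an SSL/TLS ClientHello. The function names and the sample flows are assumptions constructed for this example, and flow reassembly is assumed to be done upstream.

```python
import struct

TLS_HANDSHAKE = 0x16            # TLS record content type: handshake
CLIENT_HELLO = 0x01             # handshake message type: ClientHello
MAX_RECORD_LEN = 2**14 + 2048   # upper bound on a TLS record length field


def looks_like_tls_hello(payload: bytes) -> bool:
    """True if the first client bytes look like an SSL/TLS ClientHello."""
    if len(payload) < 6:
        return False
    # SSLv3/TLS record header: type(1) | version(2) | length(2)
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    if ctype == TLS_HANDSHAKE and major == 3 and minor <= 4:
        return 0 < length <= MAX_RECORD_LEN and payload[5] == CLIENT_HELLO
    # SSLv2-compatible hello: length with high bit set, msg type, version
    if payload[0] & 0x80 and payload[2] == CLIENT_HELLO:
        version = (payload[3], payload[4])
        return version == (0, 2) or (version[0] == 3 and version[1] <= 4)
    return False


def flag_non_tls_flows(flows, port=443):
    """Return ids of flows to `port` whose first bytes are not a TLS hello."""
    return [fid for fid, dport, data in flows
            if dport == port and not looks_like_tls_hello(data)]


# Constructed sample input: (flow id, destination port, first client bytes).
SAMPLE_FLOWS = [
    ("flow-1", 443, bytes.fromhex("160301002f0100002b0301") + bytes(36)),
    ("flow-2", 443, bytes.fromhex("802e01030100150000001000") + bytes(35)),
    ("flow-3", 443, bytes.fromhex("ff00ff00a1b2c3d4e5f60718")),  # opaque binary
    ("flow-4", 443, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("flow-5", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    for fid in flag_non_tls_flows(SAMPLE_FLOWS):
        print(f"{fid}: port 443 traffic does not start with a TLS handshake")
```

This only inspects the opening bytes of a flow, so it catches protocols that skip the TLS handshake entirely; traffic that imitates the handshake needs deeper inspection of the session.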


Jerome

Thursday, December 17, 2009

Similarities between Network Intelligence Technology and a relational database system

Network Intelligence Technology aims at providing full visibility on traffic flows; it is in many aspects very similar to a relational database system which allows users to query large sets of data generated and computed by information systems. Similarities between these technologies are not limited to the technical aspect, they also follow the same business trends, but 30 years apart!

Back in the 60s, a database was specifically designed for each application because it was such a complex and cutting edge technology that only specific systems could afford it. This complexity limited the implementations to large systems including specific hardware to support the database. Databases were reserved for very large organizations.

In the 70s, the INGRES project introduced major technical enhancements such as the relational database, which made data more actionable. This project was the foundation of the first commercial products such as Sybase and Informix which enabled developers to build systems using standard database building blocks including a DBMS engine and a query language. With the availability of COTS database technology, software vendors could create applications for any type of business requirement and not only for very large organizations. SMBs could use financial systems to track their sales, the local library could use a database system to manage its book portfolio. Today, thousands of applications benefit from these database building blocks, and even very large systems such as ERPs are designed with standard COTS database products such as Oracle. Using a COTS database is more rational from a cost point of view and also reduces the time to market. Today any software vendor building an application will choose a COTS database and will not even think of redeveloping its own DB system like in the 70s.

I see the EXACT same trend with Network Intelligence Technology. The first implementations, mainly focused around Deep Packet Inspection (DPI), took place in routers and in specific appliances using custom hardware. Applications were limited to very specific tasks such as P2P blocking and every vendor would develop its own “in house” network flow analysis.

But the complexity of IP networks with a growing number of applications and protocols makes it very complex to get a 360° visibility over network traffic, which confines applications to very high-end solutions and technically advanced systems usually managed by network administrators. On the other hand, solution vendors in the business of billing network usage, optimizing networks or marketing network services have a growing need to understand in more detail the behavior of networks and do not always have the skills to develop in-house network intelligence. The emergence of specialized vendors of network intelligence technology, whose mission is to provide building blocks for solution vendors and network equipment providers, can be compared to the emergence of the COTS database companies. Providing ready-to-use network intelligence components which can feed applications allows any developer to use the gigantic amount of information computed by or travelling over an IP network.

Network Intelligence Technology is a fast moving market with new protocols appearing and being updated frequently. Many solution vendors and network equipment manufacturers realize that their core business is not to focus on protocol technology. Instead of developing DPI or network intelligence in house, they can now source it from a Network Intelligence Technology specialist, and benefit from deep expertise, in the same way as they would select a commercial database product :-).

Jerome
 