Nova Network Security Definitions and FAQs
Honeypot — Virtual machines/decoys that are designed to protect the real network assets. Each decoy includes unique network device characteristics such as the operating system, open and closed ports, and MAC addresses. The decoys also have services such as FTP, Telnet, etc. that may contain fake logins.
Haystack — A collection of honeypots. Trying to find a real machine amongst a collection of honeypots is like trying to find a needle in a haystack.
IDS (Intrusion Detection System) — A device and/or software application that monitors the network for malicious activity and then reports the breach accordingly.
Malware — malicious software intended to disrupt network and computer operation and/or for access and theft of sensitive data.
Network Reconnaissance — One key step in an attack on a computer network that attempts to gather information about the network including any vulnerabilities.
SIEM (Security Information and Event Management) — An administrative software utility that provides an interface for the review, analysis and logging of network traffic behavior and attacks. The alerts and data typically come from a variety of network devices.
Syslog — A common standard for computer message logging that are typically accessed by administrators and SIEM’s.
APT (Advanced Persistent Threats) — A skilled network attacker that often employs various malware tools and tactics in an attempt to steal valuable data.
Zero-day attack — Attacks that lack known signatures and behavioral profiles.
Q. With honeypots/Nova, how do I learn about hostile activity on my network?
A. A network attack requires some type of reconnaissance on the network to find the valuable data. In the search for real devices, the attack will scan and attempt to access the honeypots. Since the honeypots would not normally be used by anyone/anything, the activity will be classified as hostile and the administrator is then notified.
Q. How do I eliminate Nova from classifying benign behavior as hostile (false positives)?
A. If Nova incorrectly classifies behavior as hostile, the administrator can set the behavior as benign or whitelist the source (i.e. allow it to continue). Nova will learn from these updates thereby continually improving on its ability to classify network behaviors.
Q. Can Nova detect internal threats from authorized network users?
A. Yes. Insider threats often have to do some reconnaissance as part of their attack. If they are looking into any addresses/ports that make up the honeypots, their activity will trigger an alert.
Q. How can I determine the nature of the attack and from where it originates?
A. Nova provides information about the origin including the IP, last source MAC address, and reverse DNS lookup. The nature of the activity is provided in detailed tables and charts that include packet types, sizes and count summaries, IP and port connection attempts, and classification parameter results.
Q. How does Nova interact with my Network?
A. Nova has an Ethernet port (or multiple Ethernet ports) that connects to a network switch behind the firewall. Nova can automatically generate the honeypots based on the real network devices so that it appears as though there are many other machines on the network. During operation, no network traffic is added and Nova only monitors the traffic that occurs on the honeypots.
Q. Can I create my own honeypots within Nova?
A. Yes. Although Nova has the ability to simplify the process through an automated, start-up wizard, users can modify all aspects of the honeypots that Nova creates and/or create their own honeypot from scratch.
Q. Does Nova send any data or alerts outside the network?
A. All data logging and alerts are configured and accessed only by the user. No external monitoring or data transfer occurs by default.
Q. Can Nova work with my SIEM?
A. Nova can record hostile activity to a syslog that can be reviewed through a SIEM.
Q. Does Nova slow down or block any network traffic?
A. No, Nova only alerts and/or records potentially hostile traffic on the honeypots. Once alerted, the administrator can choose to block an attacker.
How Nova Works
Nova thwarts attempts by attackers to gain information about a private network by setting a large net of virtual decoys, or honeypots. The search for real machines and valuable data is like trying to find a needle in a haystack.
Nova identifies the attackers by their inevitable suspicious reconnaissance and efforts to connect through the honeypots.
Administrators are notified by email and data logs about the hostile activity and details regarding the source and behavior.
Nova Software Support and Downloads:
Nova support includes software updates, software licensing information, Nova Appliance User's Manual, software bulletins, and more.
The Nova appliance is a rack-mounted server with pre-configured Nova software. Just plug it in, follow a short start-up wizard and Nova will instantly begin to protect your vital information and detect attacks.
1 Ethernet Port
2 Ethernet Ports
8 Ethernet Ports
|Ideal for:||Small networks (20-30 nodes) with light traffic||Most Class C business networks||Up to 8 separate LANs in one location|
|Operating System:||Linux 64-bit||Linux 64-bit||Linux 64-bit|
|Processor:||Intel Dual Core 2.6 GHz, Celeron||Intel Dual Core 3 GHz||Intel Dual Core 3 GHz|
|Hard Drive:||250 GB, SATA 6 Gb/s||Dual 250 GB, SATA 6 Gb/s||Dual 250 GB, SATA 6 Gb/s|
|Memory:||1 GB SDRAM||4 GB SDRAM||4 GB SDRAM|
|Ethernet Ports:||1 Gigabit LAN Port||2 x Gigabit LAN Ports||8 x Gigabit LAN Ports|
|Dimensions:||19" x 14" x 1.7" (1U / half-depth)||19" x 14" x 1.7" (1U / half-depth)||19" x 14" x 1.7" (1U / half-depth)|
|Power Supply:||200 W||200 W||200 W High Efficiency|
|Nova Software Support and Downloads|