Henry Dalziel | Pentesting Tools | February 13, 2017
In this blog post we interview Brian Parsons, an inventor and entrepreneur living in Wellington, New Zealand. Brian is the CEO and Founder of TFE (Telecoms Forensics Equipment Ltd), which “builds things to meet the regulatory and legislative compliance of targeted electronic communications, intelligence, and things of particular interest.”
With our interest and fascination in penetration testing, networking, firewalls and digital forensic tools, we were keen to contact Brian to ask him about his latest and greatest project, titled CAT, which is an abbreviation for “Cyber Attack Terminator”.
About CAT, the Cyber Attack Terminator: CAT is a high-speed IPS appliance that removes all exploited service and application traffic in real time. CAT detects and drops malware, viruses, botnets, DDoS, MySQL injection and other malicious code variants. In addition, all IPs are checked against a global IP blacklist. In summary, and before we dive into the interview, here is an overview of the main features of this cybersecurity monitoring device:
1. Can you tell us a little about your past experience and what led you to create CAT?
My company TFE (12+ years now) began building tactical Law Enforcement probes for deployment in Carrier Networks. These units basically effect the communications warrants under legislation for carrier compliance to effect a prosecution. The key thing was we were able to intercept and process in realtime a lot of funky stuff not done on the network elements, not technically available or in some cases not doable, so put in the too-hard basket – that’s us – what we do. And we’ve had the privilege of working with some of the finest and most experienced folks in the world.
We come from the Telco/National world where things are at a different scale: monitoring an IP link in a data center is one thing, doing it over a city or country is another thing entirely. And this means being lightning quicker than anything in the civilian market, so we have the pedigree to ply our trade to this sort of work. Yes, it’s a different job but with the same parametric issues we face in Telco. In our favour as well is our experience working end-to-end with protocols and transactions in preempting certain key events and things of interest.
Anyone who’s tried capturing realtime traffic on a 40G pipe knows it isn’t easy, but we don’t just capture, we process every packet too; not many vendors on the planet can say they process above layer 3 at 64B line rate. And I challenge your readers to ask their vendors for line-rate tests at mixed payload: most can only sustain 60% at 64B for a few seconds, we can do it all day from GE to 112+ Gbps – all day!
2. Why did you create the CAT?
One reason I designed CAT was to be able to air-gap or disconnect the Internet physically without unplugging the cable. Sometimes in our LAB we use the Internet, and when we don’t we want an air gap. Because we control the electronics (electrical/optical transceivers) directly, we can disconnect the port physically (air gap); in fact we can control both TX and RX separately. CAT (any of our systems) gives us peace of mind that no trick exploit is gonna bite us when we’re not watching. Another reason is, not all of us are cyber security experts, and I wanted a foolproof cyber security system that doesn’t need any configuration, that you can just turn on and walk away. Family and friends were a main driver to build the CAT: they aren’t technical enough to do analysis or post-event preventative work, in fact they don’t even know how to log into their home router, but they want to be safe all the same. They basically just wanted something they can plug in and be safe; they don’t care about alerts or warnings, they just want the hacker gone.
3. Would you describe CAT as an IDS?
No, CAT is a two-port IPS that hunts and removes VERMIN ‘exploited services and applications’ from the wire, on either port. Malware, viruses, botnets, DDoS, MySQL injection and other malicious code variants have their sessions blocked immediately. Some short retransmissions may occur, which we also filter, preventing attack packets getting to the Home Router. CAT also checks all IPs against a global IP-Reputation blacklist. Breaking the attacker’s TCP/IP communications sanitises your connection and frees up the precious bandwidth and resources they use up.
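The blocking behaviour Brian describes (block a session on a rule or reputation hit, then keep dropping its retransmissions) can be modelled as a small stateful inline filter. The code below is an added illustration, not CAT's own implementation; the blacklist range, attack markers and packets are constructed sample data.

```python
"""Toy inline session filter: rule or reputation hit blocks the session,
and later packets (retransmissions, replies) of that session are dropped.
Constructed example; not code from TFE or the CAT appliance."""
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes = b""

# Constructed reputation list (assumption, not a real feed): TEST-NET-3
BLACKLIST = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed attack rule: crude SQL-injection markers in a payload
ATTACK_MARKERS = (b"' OR 1=1", b"UNION SELECT")

class InlineFilter:
    def __init__(self):
        self.blocked = set()  # flow keys of sessions already blocked

    @staticmethod
    def flow_key(p):
        # Order the endpoints so both directions map to one session key
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def bad_reputation(self, p):
        return any(ipaddress.ip_address(ip) in net
                   for ip in (p.src, p.dst) for net in BLACKLIST)

    def matches_rule(self, p):
        return any(m in p.payload for m in ATTACK_MARKERS)

    def handle(self, p):
        """Return 'forward' or 'drop' for one packet, updating session state."""
        key = self.flow_key(p)
        if key in self.blocked:
            return "drop"  # retransmission or reply of a blocked session
        if self.bad_reputation(p) or self.matches_rule(p):
            self.blocked.add(key)  # block the whole session from now on
            return "drop"
        return "forward"

if __name__ == "__main__":
    f = InlineFilter()
    print(f.handle(Packet("192.0.2.11", "198.51.100.5", 40001, 80,
                          b"GET /?id=1' OR 1=1 HTTP/1.1")))  # drop
```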
4. Is CAT placed on Switches?
No, CAT is a physical unit the size of a small modem that provides transparent two-port forwarding. It’s transparent in the sense that the network doesn’t know it’s there: it doesn’t write to any payload, it only correlates against attack rules. Our architecture is based on our LI probe technology optimized for data throughput; we also implement our own high-speed real-time micro kernel that’s tuned for media and event-based processing. This means all event processing is hard realtime deterministic. You can’t afford to muck about when the kids are watching NETFLIX, but seriously, if you ask anyone building this type of kit, there’s always a compromise between security functions and performance/throughput; not so with the CAT.
5. And finally, how would you compare CAT to SNORT?
The CAT is an appliance that doesn’t require any configuration for a start. SNORT and others are software for a different purpose. CAT is built to work out of the box and run as soon as you power on.
We have a built-in GUI designed with the CAT to monitor the attacks in realtime. Basically CAT isn’t for use by experts like SNORT or SURICATA; it’s for normal non-technical folk that haven’t or don’t know how to configure their home router or firewall. In fact 99% of home routers/firewalls are rubbish anyway and you should have an external unit. CAT is simple in function and purpose; we don’t need the various logging options, or bloatware buggy add-on dependencies, which makes it lightning fast in processing. Another thing is we are fully loaded for UMTS/LTE Rel 8/Rel 9/Rel 10 and Rel 13 LTE Advanced Pro 3GPP standards LTE-A/5G – IoT/NB-IoT, mmW etc., where chatty devices are embedding native NB signalling/payload.
6. How much does CAT cost?
For residential we’re looking at a RR Home ~ $150 US. Commercial/Telco depends on line speeds and different CPUs, so we’re still working on scoping materials.
Thank you to Brian for agreeing to be interviewed.