How it works / Connection Diagram
A Maestro system consists of two main components that can be installed on the same or on different machines: the Maestro Engine and the Maestro Management/Collector.
The Maestro Engine (a Layer 2 appliance) can connect to any network segment and does not require any network changes. It needs at minimum 3 network cards: 2 in bridge mode (Layer 2) and 1 for communication with the Maestro Management server. For better protection it is recommended to install the Maestro Engine (appliance) in front of your router, as shown in the diagram.
The Maestro Engine passes any data packet through and has no IP address of its own, so it is invisible from the internet and to hackers. Our unique, state-of-the-art engine operates fully in Layer 2 (bridge mode) for packet analysis and dynamic blocking.
The Maestro Engine operates by analyzing the data streams and, in line with the configuration parameters provided by the administrator, creates a 'dynamic policy' based on the network traffic and network behavior. This results in dynamic, 'memory-resident' rules held in kernel space.
These policies will not block any normal activity, but give the engine the ability to detect anomalies in protocols and hence detect hacker activity trying to penetrate a network. All blocking mechanisms are applied in real time, and expiration flags can be defined for them.
The initial state of a Maestro Engine does NOT contain any blocking rules: by default all traffic is allowed to pass through. A minimum of 2 hours is required for the engine to analyze enough traffic and start creating a dynamic policy.
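The learn-then-block behaviour described above can be modelled in a few lines. The following is an added illustration, not Maestro's engine code: it starts with an empty rule set, records which (protocol, destination port) pairs each source host uses during a learning window (the page's 2-hour minimum), and only afterwards treats an unseen pair as an anomaly and installs a block that carries an expiry. The sample flows, the per-host baseline model and the 600-second block TTL are assumptions made for the example.

```python
"""Model of a 'learn first, then block' dynamic policy with expiring rules.

Added example; it is not Maestro code. The baseline model (per-host set of
protocol/port pairs), the block TTL and the sample traffic are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

LEARNING_WINDOW = 2 * 3600.0  # seconds: the 2-hour minimum stated on the page


@dataclass
class Flow:
    ts: float      # seconds since the engine started
    src: str       # source host
    proto: str     # "tcp" or "udp"
    dport: int     # destination port


@dataclass
class DynamicPolicy:
    """Learns a per-host baseline of (proto, dport) pairs, then blocks deviations."""
    learning_window: float = LEARNING_WINDOW
    block_ttl: float = 600.0  # assumed: a dynamic block expires after 10 minutes
    baseline: Dict[str, Set[Tuple[str, int]]] = field(
        default_factory=lambda: defaultdict(set))
    blocks: Dict[str, float] = field(default_factory=dict)  # src -> expiry time

    def _expire(self, now: float) -> None:
        # Rules carry an expiration flag; drop the ones whose time has run out.
        for src in [s for s, exp in self.blocks.items() if exp <= now]:
            del self.blocks[src]

    def process(self, flow: Flow) -> str:
        """Return the verdict for one flow: 'learn', 'allow' or 'block'."""
        self._expire(flow.ts)
        key = (flow.proto, flow.dport)
        if flow.ts < self.learning_window:
            # Initial state: nothing is blocked; every observed pair joins the baseline.
            self.baseline[flow.src].add(key)
            return "learn"
        if flow.src in self.blocks:
            return "block"
        if key in self.baseline[flow.src]:
            return "allow"
        # Deviation from learned behaviour: install a timed block for the source.
        self.blocks[flow.src] = flow.ts + self.block_ttl
        return "block"


def run_demo() -> List[Tuple[float, str]]:
    """Constructed traffic: a host that only used 80/443 during learning."""
    policy = DynamicPolicy()
    flows = [
        Flow(10.0, "10.0.0.5", "tcp", 443),
        Flow(20.0, "10.0.0.5", "tcp", 80),
        Flow(30.0, "10.0.0.7", "udp", 53),
        Flow(7300.0, "10.0.0.5", "tcp", 443),  # after learning, matches baseline
        Flow(7310.0, "10.0.0.5", "tcp", 445),  # never seen before: anomaly, blocked
        Flow(7320.0, "10.0.0.5", "tcp", 443),  # still inside the block TTL
        Flow(7950.0, "10.0.0.5", "tcp", 443),  # block expired at 7910: allowed again
    ]
    return [(f.ts, policy.process(f)) for f in flows]


if __name__ == "__main__":
    for ts, verdict in run_demo():
        print(f"t={ts:7.1f}s  {verdict}")
```

Two properties of the real engine are visible here: nothing is blocked until the learning window has passed, and a block is not permanent but lapses when its expiry is reached. A production engine would of course need richer features than a per-host port set, and would have to decide how to treat hosts that never appeared during learning (this model blocks their first unseen pair).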
The Maestro Management/Collector acts as an 'analyzer' and a 'correlation engine'. Its main purpose is to analyze information and provide input to the Maestro Engine to improve its policy and operation: it processes the raw data provided by the engine and applies analysis techniques to define the proper short-term and long-term reaction/action to a specific attack. It also functions as a monitoring and administration service for the operation of the Maestro Engine via a web interface.
In addition to the Maestro Engine, the Maestro Collector can be integrated with various external security systems (e.g. firewalls, IDS) and receive security-related logs in standard syslog format. Incoming logs are saved in a database, analyzed using various parsers (Checkpoint, Snort, mod_security WAF, etc.), correlated using the 's-pro' correlation engine, and provide additional input to the Maestro Engine.
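To make the parse-then-correlate pipeline concrete, here is an added example that is not the Maestro Collector's code and not its 's-pro' engine. It parses syslog lines from two of the sources named above (Snort in its alert_syslog layout and ModSecurity in its v2 error-log layout), normalizes them into events keyed by source address, and applies a simple correlation rule to produce block recommendations with a short or long expiry for the engine. All sample lines, rule ids, hostnames and thresholds are constructed for the example; a Checkpoint line is included only to show how an unparsed vendor format is reported rather than silently dropped.

```python
"""Syslog intake and per-source correlation (added example, not Maestro code).

Sample lines, rule ids and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Generic BSD syslog header: "Mon DD HH:MM:SS host program[pid]: body"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"(?P<prog>[\w./-]+)(?:\[\d+\])?:\s+(?P<body>.*)$")
# Snort alert_syslog body: [gid:sid:rev] msg [Classification: ..] [Priority: n] {PROTO} src:p -> dst:p
SNORT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"\[Classification:\s*(?P<cls>[^\]]+)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)")
# ModSecurity v2 error-log body: [client ip] ModSecurity: Action. ... [id "n"] ... [msg ".."] ... [severity "LEVEL"]
MODSEC_RE = re.compile(
    r"\[client (?P<src>[\d.]+)\]\s+ModSecurity:\s+(?P<action>\w+)\..*?"
    r"\[id \"(?P<id>\d+)\"\].*?\[msg \"(?P<msg>[^\"]*)\"\].*?\[severity \"(?P<sev>\w+)\"\]")
MODSEC_SEVERITY = {"EMERGENCY": 0, "ALERT": 1, "CRITICAL": 2, "ERROR": 3,
                   "WARNING": 4, "NOTICE": 5, "INFO": 6, "DEBUG": 7}


@dataclass
class Event:
    sensor: str   # "snort" or "modsecurity"
    src: str      # address the sensor attributed the activity to
    rule_id: str
    msg: str
    high: bool    # True when the sensor itself rated the event as serious


def parse_line(line: str) -> Optional[Event]:
    """Turn one syslog line into an Event, or None when no parser matches."""
    head = SYSLOG_RE.match(line.strip())
    if not head:
        return None
    body = head["body"]
    m = SNORT_RE.search(body) if head["prog"].lower().startswith("snort") else None
    if m:  # Snort priority: 1 is most severe; treat 1 and 2 as high
        return Event("snort", m["src"], f'{m["gid"]}:{m["sid"]}', m["msg"], int(m["prio"]) <= 2)
    m = MODSEC_RE.search(body)  # web servers forward these lines under their own program name
    if m:
        return Event("modsecurity", m["src"], m["id"], m["msg"], MODSEC_SEVERITY.get(m["sev"], 7) <= 2)
    return None


def correlate(events: List[Event], min_events: int = 3) -> List[dict]:
    """Assumed rule set: a source seen by two sensors gets a long block, a source
    with repeated high-rated alerts from one sensor a short block, the rest a watch."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)
    out = []
    for src, evs in sorted(by_src.items()):
        sensors = sorted({e.sensor for e in evs})
        rec = {"src": src, "events": len(evs), "sensors": sensors}
        if len(sensors) >= 2:
            rec.update(action="block", ttl_seconds=86400, reason="seen by multiple sensors")
        elif len(evs) >= min_events and any(e.high for e in evs):
            rec.update(action="block", ttl_seconds=3600, reason="repeated high-severity alerts")
        else:
            rec.update(action="watch", ttl_seconds=0, reason="below threshold")
        out.append(rec)
    return out


SAMPLE_LOGS = [  # constructed lines; addresses are documentation ranges
    'Mar 10 12:00:01 sensor1 snort[2231]: [1:1000001:1] LOCAL test signature A [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:40001 -> 10.0.0.5:80',
    'Mar 10 12:00:03 sensor1 snort[2231]: [1:1000001:1] LOCAL test signature A [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:40002 -> 10.0.0.5:80',
    'Mar 10 12:00:05 web1 apache2[881]: [client 203.0.113.9] ModSecurity: Warning. Pattern match "(?i)example" at ARGS:q. [file "/etc/modsecurity/local.conf"] [line "12"] [id "900001"] [msg "Local test rule"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"]',
    'Mar 10 12:01:00 sensor1 snort[2231]: [1:1000002:1] LOCAL noisy signature B [Classification: Misc activity] [Priority: 3] {UDP} 198.51.100.20:5353 -> 10.0.0.5:5353',
    'Mar 10 12:01:30 web1 apache2[881]: [client 198.51.100.21] ModSecurity: Warning. Pattern match "(?i)example" at ARGS:q. [file "/etc/modsecurity/local.conf"] [line "12"] [id "900001"] [msg "Local test rule"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"]',
    'Mar 10 12:01:31 web1 apache2[881]: [client 198.51.100.21] ModSecurity: Warning. Pattern match "(?i)example" at ARGS:q. [file "/etc/modsecurity/local.conf"] [line "12"] [id "900001"] [msg "Local test rule"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"]',
    'Mar 10 12:01:32 web1 apache2[881]: [client 198.51.100.21] ModSecurity: Warning. Pattern match "(?i)example" at ARGS:q. [file "/etc/modsecurity/local.conf"] [line "12"] [id "900001"] [msg "Local test rule"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"]',
    'Mar 10 12:02:00 core-fw checkpoint: vendor format with no parser in this example',
]


def analyze(lines: List[str]) -> dict:
    """Parse every line, count the ones no parser understood, and correlate the rest."""
    events = [parse_line(l) for l in lines]
    parsed = [e for e in events if e is not None]
    return {"parsed": len(parsed), "unparsed": len(events) - len(parsed),
            "recommendations": correlate(parsed)}


if __name__ == "__main__":
    for rec in analyze(SAMPLE_LOGS)["recommendations"]:
        print(rec)
```

The point worth keeping from this sketch is the separation of concerns: per-vendor parsers only normalize, the correlation step decides, and the decision carries its own expiry so the engine can apply it as a time-limited rule rather than a permanent one. Unparsed lines are counted rather than discarded, so a new log source that is silently failing to parse shows up as a number instead of as missing alerts.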
In enterprise environments with multiple Internet gateways, you can use one Maestro Management to configure and monitor more than one Maestro Engine.