How it works / Connection Diagram
A SPA system consists of two main components that can be installed on the same or on different machines: the SPA Engine and the SPA Management/Collector.
The SPA Engine (a Layer 2 appliance) can connect to any network segment and does not require any network changes. It needs at minimum three network cards: two in bridge mode (Layer 2) and one for communication with the SPA Management server. For better protection it is recommended to install the SPA Engine (appliance) in front of your router, as shown in the diagram.
The SPA Engine lets ANY data packets pass through and has no IP address of its own, so it is invisible to the Internet and to hackers. Our unique, state-of-the-art engine operates fully in Layer 2 (bridge mode) for packet analysis and dynamic blocking.
The SPA Engine operates by analyzing the data streams and, in line with the configuration parameters provided by the administrator, creates a 'dynamic policy' based on the network traffic and network behavior. This results in dynamic 'memory-resident' rules kept in kernel space.
These policies will not block any normal activity, but provide the ability to detect anomalies in protocols and hence detect hacker activity trying to penetrate a network. All blocking mechanisms are applied in real time, and expiration flags can be defined.
The initial state of a SPA Engine does NOT contain any blocking rules; by default all traffic is allowed to pass through. A minimum of 2 hours is required for the engine to analyze enough traffic and start creating a dynamic policy.
The SPA Management/Collector acts as an 'analyzer' and a 'correlation engine'. Its main purpose is to process the raw data provided by the SPA Engine, apply analysis techniques to define the proper short- and long-term reaction to a specific attack, and feed the result back to the SPA Engine to improve its policy and operation. It also functions as a monitoring and administration service for the SPA Engine via a web interface.
In addition to the SPA Engine, the SPA Collector can be integrated with various external security systems (e.g. firewalls, IDS) and receive security-related logs in standard syslog format. Incoming logs are saved in a database, analyzed using various parsers (Checkpoint, Snort, mod_security WAF, etc.), correlated using the 'spro' correlation engine, and provide additional input to the SPA Engine.
In enterprise environments with multiple Internet gateways you can use one SPA Management server to configure and monitor more than one SPA Engine.