Part of the added value our customers see when working with us is that we can proof-test all the solutions we provide and support. This is due to the expertise and experience of our Engineers, and the investments we have made in our Cyberlab.

Vendors like working with us for many reasons, one of which is that we test their new solutions and provide valuable input and feedback to improve functionality, usability and value before they are launched to market.

The test network in our Cyberlab, is to all intents and purposes, a real Enterprise network, and this includes real malware lurking around, generally trying to wreak havoc and ‘talk back’ to its original source. This provides a realistic environment for customers to evaluate either a new solution, or indeed a wider and scalable security protection environment.

With Ixia ThreatARMOR working at line rate in front of our test network’s Firewall over the past few weeks, we have observed some very interesting points, namely:

  • The vast majority of attempts at hacking us have come from hijacked IP addresses, so there is no reason for us to communicate with the people/organisations at these addresses. ThreatARMOR automatically blocking them reduces our attack surface significantly, and without requiring any work or effort from us

  • Many of the attacks came from countries for which we have neither customers nor Channel Partners, such as Russia and India, so removing communication attempts with these countries will further reduce our attack surface

  • Threatarmor also measures how much traffic it has blocked from reaching the security protection environment. In our case, the Firewall and IPS have been saved from scanning/blocking 7.5Gb of traffic. This enables them to better serve their core functions.

Another point we observed is that of attempted contact (now blocked by ThreatARMOR) from WITHIN our network. These included 3,700 connections from 166 different IP addresses. This highlights the malware already on the network; in our case, malware we previously added ourselves in order to assist with testing our security solutions, but in a customer network, this represents malware getting in under the radar and potentially leaking sensitive information.

Just as importantly, why do we have attempted traffic (now blocked by Threat ARMOR) trying to communicate from within our network to countries for which we do not have any need to communicate? A couple of clicks and our network attack surface is reduced further still.

More detail of the blocked connections and attack attempts to our test network can be viewed in the summary below:

Click to enlarge

Where the report notes ‘ATI’, this means the threats were blocked automatically without us needing to stipulate any rules. The blocked connections are known to be associated with: bad, hijacked or unassigned IP addresses, Botnets, Malware and Phishing attacks; meaning they are linked to criminal activities and do not have legitimate reasons for communicating with anyone at all.

As IP addresses become known to the Application Threat Intelligence (ATI) engine as being malicious or irrelevant, they are blocked from entering your network. Similarly, in cases where dubious IP addresses become legitimate, the ATI engine automatically updates, and of course, you can also define your own white and black lists.

Calculating the ThreatARMOR ROI

These days, companies and organisations need to demonstrate a clear return on investment from any potential solution procurement under consideration. Unless the ROI is calculated by the customer in context to its own unique environment, any other suggestion of ROI is exactly that – a suggestion.

With ThreatARMOR however, the ROI can be demonstrated in many clear and precise ways, including:

  • MONEY SAVED: Delaying, and in some instances; removing the need to upgrade your existing security layers because with ThreatARMOR the appliances are now processing less data

  • TIME SAVED: No need to manually update your Firewall rules to block new bad IP addresses when they emerge, and often after they have penetrated the Firewall & IPS, plus fewer SIEM alerts saves further time and resource

  • FEWER ATTACKS: Ensuring the malware already on your network is unable to send confidential data back to the source of the original cyber-attack, as well as eliminating attacks from countries you need not communicate with.

See for yourself

ThreatARMOR is only available from Ixia’s carefully selected channel partners. In the UK, we at Phoenix Datacom have our own demo units and can demonstrate ThreatARMOR online, at your premises and in our state-of-the-art Cyberlab.

We can also place a unit in front of your Firewall in ‘Reporting Mode’ for one week to show you what it would have prevented from reaching your network had it been placed in ‘Blocking Mode’.

And in case you were wondering about any potential point of failure by placing ThreatARMOR inline, don’t worry.. ThreatARMOR has been designed to operate at wire rate with zero packet drops, consistently delivering low, predictable transit latency regardless of configuration.

In addition, ThreatARMOR can also work in automatic ‘Bypass Mode’, so in the unlikely event of a power failure, your network data can continue its journey.


Please click here for more information and to request your demonstration.


Ixia ThreatArmor
Blocking known bad IP addresses & regions

Richard Clothier, Marketing Manager, Phoenix Datacom.