As an example, we probed Server Message Block ports on each server, an action that correctly triggered signature messages of several attack types. Additionally, we had one server pound the DNS ports of another hosted server to trigger the identification of a User Datagram Protocol (UDP) flood attack.
It's also possible to set custom policies, and the one we found most interesting was an alert-and-deny policy for packet flooding that fits the profile of a denial-of-service (DoS) attack. SYN, fragment, UDP, TCP and Internet Control Message Protocol (ICMP) flooding can be detected and automatically denied and/or otherwise raise a high-concern alert. Alas, the distributed DoS attack we tried could not be filtered (we used more than 10,000 unique IP addresses in our attack).
Each protected host can then be tuned to a detection-sensitivity level (corresponding to the number of packets flooded before the filter turns on) for each packet type. You can select a single host or a 24 IP address range of VM hosts to be protected in this way. We tried turning sensitivity to its highest level for our distributed DoS attack, but RCC failed to keep up with the floods in this, our most dastardly of attacks. RCC simply started to halt traffic, slowing the packets flowing through the RCC link between the virtual network card in the VMware host and its targeted server, until the attack was over.
The rule set can also be modified by protocol type using RCC's ProtoEval tool. Like the flood evaluation, RCC checks packets for conformity, allowing either alerts or automatic filters to be applied when it 'sees' malformed packets. Administrators can also define RCC topology constraints, meaning RCC can include or exclude traffic from specific addresses when evaluating traffic.
RCC can send SNMP traps to a larger reporting system and e-mail alerts to designated IT staff. Administrators can rate-limit the number of e-mails per alert to prevent a million repetitive messages. Antivirus and spyware detection can also be enabled, but we didn't test it.
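To make the flood policy and alert handling described above concrete, here is an added example (our own illustration, not RCC's code or anything from the vendor) of a per-host, per-packet-type sliding-window flood filter with alert-and-deny behaviour and rate-limited e-mail alerts. The sensitivity thresholds, host addresses and packet stream are constructed for the demonstration.

```python
from collections import defaultdict, deque

# Constructed sensitivity levels (packets per window); not RCC's own values.
SENSITIVITY = {"low": 5000, "medium": 1000, "high": 200}
FLOOD_TYPES = {"SYN", "FRAG", "UDP", "TCP", "ICMP"}

class FloodPolicy:
    """Alert-and-deny flood filter for a set of protected VM hosts.

    Packets of each flood type toward each protected host are counted over a
    sliding window. Once the count exceeds the sensitivity threshold the flow
    is denied and a high-concern alert is raised; it stays denied until the
    rate drops back under the threshold (i.e. the attack is over).
    """

    def __init__(self, protected, sensitivity="medium", window=1.0, mail_limit=1):
        self.protected = set(protected)     # single host or a range of VM hosts
        self.threshold = SENSITIVITY[sensitivity]
        self.window = window                # seconds
        self.mail_limit = mail_limit        # e-mails allowed per alert key
        self.seen = defaultdict(deque)      # (dst, ftype) -> packet timestamps
        self.denying = set()                # keys currently being filtered
        self.alerts = []                    # (ts, dst, ftype) high-concern alerts
        self.mails_sent = defaultdict(int)  # rate-limit counter per alert key

    def observe(self, ts, dst, ftype):
        """Return 'pass' or 'deny' for one packet of ftype toward dst at time ts."""
        if dst not in self.protected or ftype not in FLOOD_TYPES:
            return "pass"
        key = (dst, ftype)
        q = self.seen[key]
        q.append(ts)
        while ts - q[0] > self.window:      # drop packets that left the window
            q.popleft()
        if len(q) > self.threshold:
            if key not in self.denying:      # new flood episode: alert once
                self.denying.add(key)
                self.alerts.append((ts, dst, ftype))
                if self.mails_sent[key] < self.mail_limit:
                    self.mails_sent[key] += 1   # rate-limited e-mail to IT staff
            return "deny"
        self.denying.discard(key)            # rate back under threshold
        return "pass"

def replay(policy, packets):
    """Feed constructed (ts, dst, ftype) packets; return verdict counts."""
    counts = defaultdict(int)
    for ts, dst, ftype in packets:
        counts[policy.observe(ts, dst, ftype)] += 1
    return dict(counts)
```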
What we love about RCC is that it's configurable (including new attack-signature updates) and has a sophisticated but rapidly discernible user interface that's easy to understand, although it does tend to lean toward listing too many alerts rather than missing one. We saw only small amounts of latency under very high traffic loads to numerous servers. As a virtual appliance it takes up only virtual room, but it's an important consideration for any virtual network.