Every network manager should be concerned with reducing the risks of malicious hackers and network failure, both of which can result in costly clean ups and even financial disaster. The trouble is both kinds of problems can be difficult to diagnose. The evidence you need to solve them often occurs over the course of days or weeks, and network analysis tools, which are typically designed to show you what’s happening in real time, provide a much narrower window on events.
Two appliances from Network Associates aim to fill the gap by combining one of the company’s old standbys, the Sniffer network analysis tool, with the ability to capture and store terabytes of network traffic. InfiniStream Network Management, a new product, allows you to mine historical, packet-level data to solve network problems. InfiniStream Security Forensics, released last July, brings historical data to bear in the investigation of security breaches and network misuse.
Both InfiniStream appliances focus on the mid-size to large enterprise and sport the price tag to prove it. Both serve up extensive and accurate network data via concise and easy-to-use management interfaces. Security Forensics data can be imported into the Network Management console or other Sniffer consoles for more extensive analysis. Both boxes performed exceptionally well in my tests, except for some intermittent Security Forensics console errors.
The Network Management appliance comes in either a 2U (i410) or 4U (i1600) rack-mountable chassis; the Security Forensics appliance comes in the 4U (i1600) box. The 2U Network Management unit, which I tested, comes with two 10/100/1000 network interfaces, four 10/100 interfaces, and four hard disks for a total of 800GB of disk space; the 4U unit comes with two 10/100/1000 interfaces, two Gigabit Ethernet interfaces, and 16 hard disks for a total of 2.9TB of storage. Both appliances have hot-swappable disk drives; the 4U units also have hot-swappable power supplies.
The 2U appliance was configured for testing with RAID 0 while the 4U was RAID 5 to ensure data integrity. Depending on the amount of network traffic, the number of network ports being spanned, and the number of traffic filters, the storage capacity of these boxes could be full in anywhere from a dozen hours to several months. Once full, the drives are overwritten with newer data in a continuous loop. On the Network Management appliance, historical statistics can be kept up to a week after the data buffer has been overwritten.
Unfortunately, the only way to increase the storage capacity of the Network Management appliance is by daisy-chaining boxes together, which is an expensive solution to this problem. Support for an attached NAS or SAN device would be a welcome addition. The Security Forensics product provides more flexibility in storage allocation because the software is available separately.
Mining network data
Configuring both appliances, or capture engines, was straightforward. Both include command-line utilities for initial configuration and monitoring. After connecting via terminal port on the back of the appliances, I found it easy to configure network settings and could even create an IP permit list to restrict access to these sensitive appliances.
Somewhat disappointing is that both appliances require a dedicated, Windows-based console application and are not accessible via a Web interface. Further, I discovered that both consoles could not coexist on the same machine. On the plus side, three (i410) to five (i1610) consoles can be running simultaneously and independently with no impact on the performance of the appliance’s capture engine.
The Network Management console consists of four separate window components. The Capture Engine panel lists available capture engine appliances. The Filter and Options panel is useful for filtering and comparing data from IP addresses, ports, and MAC addresses, allowing you to use Boolean operators to manipulate the information. The Statistics panel is used to display nitty-gritty selections of a variety of different statistics from IP addresses to VLANS and even includes, nicely, the ability to select conversations between devices.
Last but not least, I found the Network Management console’s Graph panel extremely useful. On many occasions I’ve pulled out a Sniffer to troubleshoot a problem with an application, machine, switch, or router, but it was always after the fact, trying to piece together an event that’s already happened. No longer. In Graph, I simply select an event in time that I want to closely examine, and, voila, the problem is isolated. The ability to select a time period to closely examine an event is invaluable.
Trending and analysis is extremely useful for troubleshooting. Whether for an informal forensics analysis or to find out where a virus might have inserted itself into the network, the ability to track a process over time is the key. The Graph panel within the console is composed of several important layers, the first being the duration of the captured data. Next is the Zoom selector, used to narrow the total data capture from days down to minutes. And finally, the Time selector allows you to further narrow the time period to a few seconds for close analysis.
The Network Management console is just the icing on the cake. Below the covers is the tried-and-true Sniffer analysis engine. Once filtering is complete on the console, pressing the Analyze button will inject the selected stream data right into Sniffer Expert Analysis, where all of the usual Sniffer tools are available, including decodes, conversation matrix, host table protocol distribution, and statistics. Little has changed in this version of the Sniffer engine over the last incarnation, except for some performance enhancements.
The only problem I ran into with the console was a slightly cryptic error after having forgotten a MAC address selection and then attempting to run an analysis on stream data.
Security on a timeline
The ability to capture every bit of network traffic and then easily replay and reconstruct the captured data has been a difficult goal for security and network personnel to reach, especially on Gigabit networks. Capturing this raw data at Gigabit line speeds and dishing it up on request is well-handled by Security Forensics. Although I was not able to test true Gigabit line speed capture in my lab, I was able to test the ability to inspect, reconstruct, and replay existing capture data on a Security Forensics appliance.
Using a console similar to the Network Management interface (actually its predecessor, Version 1.5), the Security Forensics’ Application/Playback console deals well with the aspect of management of data over time and does a very good job of viewing and reconstructing captured network sessions.
Connecting to the Security Forensics capture-engine hardware from the console initially required getting a challenge key from Network Associates. Considering the sensitive nature of the data, this seems a prudent step.
Similar to the Network Management console’s Graph panel, the Security Forensics’ Time Window Selector is, if possible, even easier to use than with the Network Management appliance. The Time Window displays the start and end dates of captured data and all I had to do was select what Time Window Length I wanted to view. I was able to filter captured data based on port number, IP address, total data size in kilobytes or packets, and then confirm my selection.
I then viewed data sessions exactly as that data was passed over the network, along with the ability to reconstruct data conversations between target IP addresses. This included data from SMTP, POP and IMAP, HTTP, FTP, IRC, and VoIP (voice over IP) applications. I did have to be careful during my scans of data conversations, because of my ability to view actual Web pages and initiate downloads of files, including all possible malicious and dangerous content contained therein.
Data reconstruction is a powerful tool and should be used with respect and appropriate security measures in place. This tool is well-suited for use by network and security personnel to conduct both network and forensic investigations of attacks and penetrations and to determine corporate policy violations from the edge of the network to the core. The appliance, while focused towards security, can also be used for generic network troubleshooting.
The only problem I ran into with the Security Forensics console during testing was a seemingly innocuous application error while scrolling rapidly through network conversations, although it didn’t seem to affect my session.
Both the Network Management and Security Forensics products from NAI provide two things: large disk storage and a simple front end to find the necessary data. Both are well-suited for their tasks and are extremely easy to use.
The ability to sit on the network and collect data in order to watch for possible network problems is extremely valuable. The Network Management appliance adds value to the already excellent Sniffer product by adding the ability to move in time and see issues as they occur. This additional dimension is an excellent idea and well-implemented.
While not as specific as other forensics tools, the Security Forensics appliance is a very easy-to-use yet powerful application. It is not designed to defend against or prevent malicious or unintentional security threats from within or without, but it can and does add another layer of protection by allowing appropriate personnel to recreate events, see exactly how they happened, and prevent them from happening again.
The network data gathered can also be invaluable if a malicious attack renders network device or server logs useless.