NAI intros net forensics investigation tool

Thwarting security breaches and warding off attacks comes with the territory of network management, and on Monday Network Associates Inc. (NAI) announced a new weapon to be launched into the market later this year.

Dubbed the InfiniStream Security Forensics Solution, the company says the offering could be a valuable ally in the war against viruses, hackers, and downtime.

Released by its Sniffer Technologies Unit, the solution is a compilation of hardware and software that can help enterprise users delve deep into the roots of security events through the capture, storage and reconstruction of network traffic.

“They can drill down, see the who, what, when, where and how, and then go use that to put in place whatever measures, major or minor, [that are] needed to make sure it doesn’t happen again,” said Eric Hemmendinger, research director, security and privacy at the Boston-based Aberdeen Group.

Part of the offering is the Capture Engine, a hardware appliance that runs on a stripped-down Linux-based operating system and can index and capture about 2.9TB of traffic at gigabit speeds. Users also have the option of employing redundant array of independent disks (RAID) level 5 storage, but it would only be able to store about 2.1TB of data.

This equals about two and a half days of network traffic on a full duplex gigabit network with five per cent utilization, according to Christopher Thompson, vice-president of marketing at NAI. Being able to store this much data is important, Thompson said, because network and security managers would be able to deconstruct security events that happened over a weekend or a holiday. It would also allow users to examine security events the first time they occur, as opposed to waiting for the second, or even third, time.

Courtesy of NAI’s InfiniStream Reconstruction/Replay software functionality, which Hemmendinger described as “unique,” Web files, file transfer protocol (FTP) files, e-mails, Internet relay chat (IRC) sessions, and voice-over-IP (VoIP) conversations can all be reviewed with a single mouse click.

Enabling the activities of the Reconstruction/Replay software is the Mining Console. Equipped with filters that let users narrow searches for network traffic by any combination of time, IP address or port number, it also serves as the main user interface. In addition, data retrieval can take place at multiple consoles simultaneously without disrupting the Capture Engine’s performance.

InfiniStream can also be used in conjunction with the Sniffer Distributed Devices, which monitor network traffic and provide alerts if something goes awry. In fact, files that detail information about intrusions, such as viruses, can be imported and exported between InfiniStream and the Distributed Devices, which means the Distributed Devices would then start monitoring for those events.

Examples of InfiniStream applications could include the reconstruction of a virus that was transmitted via e-mail, or the reconstruction of an employee’s Web browsing session to determine if the employee violated company code. For instance, it might help to determine if an employee intentionally or unintentionally visited forbidden Web sites, such as those with pornographic content.

Hemmendinger said while NAI has traditionally operated as different businesses – Sniffer Technologies, McAfee Security and Magic Solutions – what is being presented now is a marriage of functionality between Sniffer and McAfee.

Whereas Sniffer has traditionally provided network-focused solutions for network operators – that is, tools to help understand what’s happening on the network – McAfee has been about providing solutions, such as antivirus, to help shield the company from downtime and potential loss. McAfee’s solutions have also been primarily geared towards the server, desktop and notebook, Hemmendinger said.

“Now Sniffer is going to cover the network on an ongoing basis but also with a better way of connecting into the server platform and the desktop platform, as well as understanding the security venue,” he explained.

Indeed, Thompson said it is the first time the Sniffer and McAfee teams have worked together, and that this is only the beginning of what he called NAI’s Network Defense Strategy. He added that more products would be released to market soon.

“[This is] a product that crosses the gap between the security manager and the network manager,” he said, adding that some of the mining and deconstruction functionality derives from technology of a company called Traxess that NAI acquired last October.

While a select number of the Santa Clara, Calif.-based Network Associates’ customers are being introduced to the InfiniStream Security Forensics Solution now, it will be generally available in the third quarter of 2003.

Pricing starts at US$85,000 for one Capture Engine and two software applications.

For more information, visit