NAI provides network investigation tool

Thwarting security breaches and warding off attacks comes with the territory of network management, and last month Network Associates Inc. (NAI) announced a new weapon in this ongoing fight. Dubbed the InfiniStream Security Forensics Solution and set for launch later this year, the product is, the company says, a valuable ally in the war against viruses, hackers, and downtime.

Released by its Sniffer Technologies Unit, the solution is a compilation of hardware and software that can help enterprise users delve deep into the roots of security events through the capture, storage and reconstruction of network traffic.

“They can drill down, see the who, what, when, where and how, and then go use that to put in place whatever measures, major or minor, [that are] needed to make sure it doesn’t happen again,” said Eric Hemmendinger, research director, security and privacy at the Boston-based Aberdeen Group.

The Capture Engine is a hardware appliance that runs on a Linux-based operating system and is outfitted with redundant array of independent disks (RAID) 5 storage; it can index and capture about 2.9 terabytes of traffic at gigabit speeds. This equals about two-and-a-half days of network traffic on a full-duplex gigabit network at five per cent utilization.

Courtesy of the InfiniStream Reconstruction/Replay software, which Hemmendinger described as “unique,” Web files, file transfer protocol (FTP) files, e-mails, Internet relay chat (IRC) sessions, and voice over IP (VoIP) conversations can all be reviewed with one mouse click.

This means security events can be reconstructed to determine precisely when and how they happened, who or what caused them and what was damaged. Finally, destructive payloads or security threats can be isolated for further investigation and analysis.

Enabling the activities of the Reconstruction/Replay software is the Mining Console. Equipped with filters that let users narrow searches for network traffic by any combination of time, IP address or port number, it also serves as the main user interface. In addition, data retrieval can take place at multiple consoles simultaneously without disrupting the Capture Engine’s performance.

For example, administrators could reconstruct an employee’s Web browsing session to determine whether the employee violated company code, or, in the case of a virus, the Mining Console could be used to determine when and how the virus arrived. If it arrived by e-mail, the particular e-mail message could be isolated.

Hemmendinger said that while NAI has traditionally operated as different businesses – Sniffer Technologies, McAfee Security and Magic Solutions – what we’re seeing now is a marriage of functionality between Sniffer and McAfee.

Whereas Sniffer has traditionally provided network-focused solutions for network operators – that is, tools to help understand what’s happening on the network – McAfee has been about providing solutions to help shield the company from downtime and potential loss. Also, McAfee’s solutions have been primarily geared towards the server, desktop and notebook, Hemmendinger said.

“Now Sniffer is going to cover the network on an ongoing basis but also with a better way of connecting into the server platform and the desktop platform, as well as understanding the security venue,” he explained.

A select number of customers of the Santa Clara, Calif.-based Network Associates are being introduced to the InfiniStream Security Forensics Solution. It will be generally available in the third quarter of 2003. Pricing starts at US$85,000 and includes one Capture Engine, five Mining Console licenses and five Application Playback or Reconstruction/Replay licenses.