Network Intelligence unveils log appliance

A new security appliance that collects, stores, and correlates large volumes of log information will be unveiled by Network Intelligence Inc. at this week’s InfoSecurity 2002 show in New York City.

The new device, called LogSmart, is a 2U-high (3.5 inches) rack-mountable appliance that collects security information from other network devices such as firewalls, intrusion detection systems, routers and application servers.

LogSmart can collect information from up to 3,000 separate devices and capture logged events from source devices at a rate of more than 30,000 events per second (eps), according to Network Intelligence.

The product is actually the sum of three separate, rack-mounted components: a LogSmart Collection server, database server and Envision LS server.

The Collection server receives high volumes of logs from the various network devices. That information is then compressed, encrypted and stored on one or more LogSmart database servers. The Envision LS server ties all three components together, providing an administrative interface as well as analysis, reporting and visualization tools.

Because multiple databases can be deployed on a single network, all tied back as a “single database” to the Envision LS front end, LogSmart can actually scale much higher than its 30,000 eps rating – up to hundreds of thousands of events per second, according to Matt Stevens, vice-president of technology at Network Intelligence.

By deploying so-called Remote Collectors, customers can also retrieve log information from devices in remote offices. That information is forwarded in compressed format to conserve WAN bandwidth, according to Network Intelligence.

The heart of the new technology is LogSmart’s proprietary object-oriented database, which was specially designed for the purpose of storing logs, according to Stevens.

“It’s extremely fast, scaleable, robust and very efficient in its footprint,” he said.

Network Intelligence has provided SQL standard calls to get information from the LogSmart database, Stevens said.

LogSmart is the latest product from Network Intelligence, based in Walpole, Massachusetts. The company’s other hardware product, the Network Intelligence Engine HA (high availability), is an enterprise product capable of capturing log messages at rates of between 2000 and 6000 eps.

Customers using Network Intelligence’s existing Network Intelligence Engine HA appliances can upgrade those to act as LogSmart appliances or run the Network Intelligence Engine HA alongside LogSmart devices, according to Stevens.

With a price tag between US$150,000 and $300,000 for a LogSmart cluster, the product is designed for the upper end of the security hardware market – large companies and organizations with hundreds or even thousands of separate network devices that log information for network administrators to review.

The product is currently being evaluated by a number of financial institutions. LogSmart is also being used in a pilot test by a university, but no test customers were available to talk about the product, according to Network Intelligence.

The company is hoping that LogSmart’s high capture rates, ability to scale and price will attract customers from much higher-priced solutions offering the same performance, according to Stevens.

But to do so, the product must also beat out a growing number of competitors in the security threat management space. Rival OpenService Inc. announced Monday an updated version of its own security management solution.

Like LogSmart, OpenService’s ThreatManager collects and correlates events from a variety of security devices. Also like LogSmart, ThreatManager has reporting features, a Web-based graphical user interface and an embedded database that enables storage of information for later review.

OpenService’s product is not sold as a separate appliance, however, and can be installed on a server running Microsoft Corp.’s Windows NT/2000, Sun Microsystems Inc.’s Solaris, Linux, or Hewlett-Packard Co.’s HP-UX operating systems.

LogSmart will be available for ordering on Dec. 12 for delivery in January, according to Network Intelligence.

Also scheduled to be available next month, OpenService’s ThreatManager will cost from $100,000 to $250,000 for an implementation including about 50 agents.

With no evaluation customers available for comment on the performance of the new products from either Network Intelligence or OpenService, however, the world will have to wait for news from early adopters in 2003 to see how well this new generation of security management technology lives up to its promise.