Software sniffs out network glitches

Within about a month, a rogue DNS server at a government agency in Indiana put out 63 million false DNS requests, slowing the state’s main DNS server to a crawl.

Jeff Duke, senior engineer for the state of Indiana, said that if it weren’t for Network Associates’ Network Performance Orchestrator (nPO), this rogue server wouldn’t have been apprehended as easily. His department manages the DNS servers for about 200 separate agencies, and he credits Network Associates’ Sniffer technologies, the umbrella that covers nPO, with the success.

nPO consists of a Manager tool and a Visualizer element. Initially called Sniffer Resource Manager and Sniffer Watch, the nPO Manager is simply a re-branding with added functionality coming in the spring of next year, while the Visualizer has already been upgraded.

Manager and Visualizer are two separate, nine-centimetre rack-mountable boxes that are targeted at customers who have over 20 boxes installed. Chris Thompson, vice-president of marketing, Sniffer Technologies in Santa Clara, Calif., said the number of Sniffer Distributed devices deployed on the network depends upon the size, speed and topology of the network.

While the Sniffer Distributed devices monitor network activity, the nPO Manager provides network managers with a means to manage the devices. Manager makes it possible for users to install software upgrades on all the Sniffer devices at once, and to access data from the Sniffer devices. Supporting industry standards NT-Domain, LDAP and RADIUS, and providing its own proprietary database, nPO Manager allows for the creation of user profiles and privileges that provide users with access to a range of network resources.

nPO Visualizer is a complementary tool to nPO Manager, Thompson said. It enables users to get consolidated reports about network performance that are actionable. The reports can be either requested, or scheduled at regular intervals.

“The very first thing that Visualizer enables a customer to do is actually group the technology in a way that is meaningful to the business,” said Thompson. “I can group the technology around an item.…I might call customer service, another one around engineering and another one around my process systems.”

The reports are represented graphically and in tables in a Web browser. Using what Thompson calls “two clicks to anywhere,” a customer can move through the GUI in two clicks, following what he calls the “cookie crumb trail,” from the report to the Sniffer Distributed appliance that is reporting the troublesome data.

Duke said this is how they were able to track down the rogue DNS server. After generating a report, they were able to isolate the problems to the device that reported on the activities of the DNS Server.

Duke said it’s amazing because the Sniffer Distributed Devices actually examine every packet that goes across the network. As a user and a beta tester of the Sniffer devices, Duke said the most useful features of nPO Visualizer are the reporting capabilities (reports can be scheduled and automatically e-mailed to pertinent individuals), the pushing out of software updates and user group administration.

Further enhancements to nPO will occur in the spring of 2003 when Network Associates will provide a new GUI for nPO Manager, with the same look and feel as that of Visualizer. Thompson also cited new capabilities that will especially help customers with very large networks. “It will enable a customer to look at a particular transaction to see how issues propagate themselves across networks,” he said. “This is a capability our customers have been requesting for some time.”

Also, a partnership with Internet Security Systems is to add intrusion detection capabilities on top of the Sniffer Distributed Devices; these will be reported on through nPO Visualizer and managed through nPO Manager.

Eric Hemmendinger, research director, security and privacy at the Boston-based Aberdeen Group, said that Network Associates has made great strides in this market, not only with their technology but with their marketing approach. He said they are now targeting their products to the financial people who make buying decisions, not just to the technology people who then have to convince their chief financial officers.

“If you look at where Network Associates was a year or 18 months ago, they have grown and they have gone upscale in customer base,” he said. “Nobody else has made those advances.”

Network Associates recommends that users run nPO in a Microsoft Corp. Windows-based environment. However, since the products are browser-based, Thompson said users only need Microsoft’s Internet Explorer, minimum v5.0, and it can be configured to run on other systems, even Macs.

Network Associates is based in Santa Clara, Calif. For more information visit or call 1-800-SNIFFER (764-3337).