A time machine for your network

Network Instruments' GigaStor appliance combines complete traffic capture, deep analysis, and even session playback, making an effective if expensive tool for solving network performance and security problems

When it comes time to dissect a network problem, whether the problem is related to security or performance, a deep look into all the network activity surrounding the incident can be critical to resolving the issue. An intrusion detection system, with its rules for capturing problematic network events, can be of some help, but for real problem diagnosis or forensics, you need more. Network Instruments' GigaStor is designed to meet that need with full traffic capture that extends backward to hours or days. This "keep it all" capability makes the GigaStor a valuable addition to any network for which high performance, security, or regulatory compliance are critical issues. When you need to investigate a network slowdown, a security breach, or anything else that happened on your network, if you know when it happened, then GigaStor can take you there.

GigaStor is, essentially, a large box of great storage capacity (from 4TB to 48TB) with high-speed network interfaces on the outside and the capability to rapidly move data between NIC and disk within. I tested a "small" version of the GigaStor, with 8TB of storage, four Gigabit Interface Converters, and three 10/100/1000Base-T interfaces, and the IO necessary to reach the device, all packaged in a 6U box. All the hardware would be much less useful without software to analyze the data gathered, and Network Instruments does not disappoint: GigaStor includes the company's Observer software (version 12 in this case), which serves as your window into the GigaStor's stored information. In addition to providing analysis from GigaStor, Observer can gather data from multiple GigaStor appliances and perform correlated analysis across all the instances. Network Instruments recommended that we run Observer on a Windows XP or Windows Server 2003 system, with a minimum 2GHz processor and at least 2GB RAM. Our test platform met or exceeded all the recommended specifications. 

Interestingly, Observer isn't the only piece of the GigaStor solution that runs on Windows. Whereas most network and security appliances use Linux as the embedded OS, the GigaStor sits on Windows XP 64. When I asked why Network Instruments chose Windows XP 64 as the platform, I was told that it had to do with their developers' experience -- an absolutely valid reason for reaching a decision. In our testing, we had no issues with the device, no concerns about performance, and no problems with the operating system. I give you this information because it's unusual -- not because it was a problem.

The roughest part of installing the GigaStor was picking up the box to install in the rack. After the hard disks were installed in the chassis and various cables plugged in, I moved straight to software setup. I began by discovering the network devices. For the GigaStor system this is a passive activity performed by listening to network traffic, not scanning ports. This is a good thing if you aren't the Tripwire jockey for your network. After I built an accurate description of our test network, I began to set up filters for the activities and the criteria I wanted to set for alarms. The Observer software allows you to include or exclude traffic based on packet type, addresses, address pairs, traffic level, behavioral rules, and most other factors that can reasonably be considered for this kind of task.

Remember that time at 23:49?

The real power of GigaStor emerges when you begin examining the packets you've captured using some of the embedded analysis and replay tools. The analysis takes place in an Observer main window, using a straightforward tabbed interface. In the control panel tab, you get a graphical display of network activity (a rough activity level line graph) with a timeline across the top. You can click on a range of time (from hours down to milliseconds) and run the expert analysis tool on the network traffic. Here you get a detailed breakdown of the traffic contents and you can reconstruct and replay contents, including VoIP calls, certain streaming media types, Web sessions, and instant messaging, allowing you to listen to phone calls and streamed audio and view Web pages and video just as the user heard and saw them. There are some limitations to the playback capabilities, but they're common-sense restrictions. Observer won't, for example, decode SSL tunnels unless you provide the key. 

The expert analysis and session playback are the strongest pieces of GigaStor's forensic and analytical toolbox. With the tools, you can not only see the names and traffic types within packets flowing across the network, you can look inside files that have been transferred and data streams transmitted to see whether the contents are as harmless as the name implies. At this point, a caveat is in order: Although the Observer tools are quite easy to use, they assume that the user is a data security professional. A neophyte parked in front of an Observer window will face a nearly vertical learning curve before becoming proficient in data security. If, on the other hand, you put GigaStor in the hands of competent professionals, they will be able to glean useful information from the Observer interface almost immediately.

Filtering activity

Once you identify the traffic within the capture that interests you, you can become more proactive in gathering additional information. You may set up more targeted filtering, establish traffic capture based on addresses or behavioral rules, set flags, or incrementally move through the conversation packet by packet (if you managed to miss the beginning, end, or exciting climax of the transaction). In the most basic terms, if you know when an incident happened, GigaStor gives you the tools to figure out what the entire incident consisted of. 

The tabbed interface is very easy to use, allowing you to stroll through the various capture or gross analysis functions, and then walk the specific tasks within each of those. At each level you can get a great deal of information from the large and small preset tabs. The forensic analysis tab within the Decode and Analysis (Expert Analysis) group uses a preset filtering and behavioral rule set, but you can also upload Snort rules into the tool, change alert settings, and edit specific rules using a built-in editor to fine-tune the forensics to your own needs.

The same combination of preset rules and rule-editing capabilities runs throughout the Network Observer's interface. It lets an admin get started quickly yet still gives the ability to fine-tune and customize as time goes on.

Analysis with Observer

Forensics and compliance aren't the only tasks that GigaStor can support. For network engineers more concerned with performance than security, the Observer's Trending Analysis can be quite useful. It's relatively simple to define network, IP address, VLAN, and application traffic to display and analyze across broad trend lines. Once basic network parameters are established, you set a time interval for GigaStor to sample and use to establish the basis for the trend. After the baseline is established, GigaStor resamples at intervals you set to compare against the baseline and show changes.

An appliance that can provide information for both network engineers and security professionals while saving complete network traffic data for as long as a year can be tremendously valuable for performance monitoring, network forensics, and compliance assurance. The multiple uses are a good thing because this won't be the cheapest network appliance you buy. It may, on the other hand, be one of the most cost-effective if it lets you successfully solve even one significant security event. The Observer application won't replace network security training, but like any good tool, it will amplify the impact of your trained staff's knowledge, and that could help them stay a crucial half-step ahead of the bad guys.

InfoWorld Scorecard: Network Instruments GigaStor

Scalability (20.0%): 9.0
Value (10.0%): 8.0
Ease of use (15.0%): 9.0
Performance (20.0%): 9.0
Manageability (15.0%): 8.0
Analysis tools (20.0%): 8.0
Overall Score (100%): 8.6