NetDetector captures intrusions
Niksun appliance combines complete session recording with powerful reporting and analysis
It's not often that I bear witness to a perfect match of innovation and execution, but Niksun's NetDetector is as close as I've seen. To the casual observer, the NetDetector appears to be simply another IDS (intrusion-detection system), but it is really a full-packet capture and network forensics appliance with an IDS built on top.
Rather than capturing only the packet headers of monitored data streams and examining them for possible attacks, the NetDetector stores every packet, from header to payload, in an indexed database. This permits an administrator not only to be notified when an attack has occurred but also to reconstruct the attack, keystroke by keystroke and packet by packet, and determine the exact commands issued by the attacker, along with any files or other data transmitted to or from the compromised system. (Keystroke-level replay applies to cleartext protocols such as telnet, FTP, or HTTP; for an encrypted session such as SSH, the stored payload yields only connection metadata and traffic volume.) This capability is accompanied by a truly intuitive management console and full standards-based reporting tools. In short, the NetDetector is simply done right.
The hardware foundation of the NetDetector unit I tested is a SuperMicro SuperServer 6022L-6 with two 2.8GHz P4 processors, 2GB RAM, and six 72GB SCSI drives. The OS is tried-and-true FreeBSD with a custom kernel. The system supports a range of capture interfaces, from standard Ethernet to ATM, Packet-over-SONET (Synchronous Optical Network), and HSSI (High-Speed Serial Interface). My test unit came with three 100Mbps Ethernet interfaces. Each interface is treated as a separate entity within the configuration, so each can monitor a completely different network and group its captured data accordingly. In fact, all data sets represented within the management UI are treated as interfaces, whether they are actual physical interfaces or finite data sets captured manually.
The internal storage of the unit I received is a JBOD (Just a Bunch of Disks) array, since the proprietary Stream database is file system-based. Packet captures can be stored across physical and logical partitions, and the NetDetector can be configured with FC (Fibre Channel) host bus adapters to integrate with an existing SAN environment to augment its internal storage capabilities. Sizing that storage is the practical concern with full-packet capture: a single 100Mbps link running at line rate produces roughly 45GB an hour, so the 432GB of internal disk in my test unit holds under ten hours of such traffic before old data must be aged out or offloaded to the SAN. And because the store holds every payload, including any credentials sent in the clear, access to the appliance itself deserves the same controls as the systems it watches.
For intrusion detection, the NetDetector relies on Snort, the open source IDS, and Niksun has put quite a lot of work into integrating it. As with any IDS, the Snort engine can be enabled to monitor all traffic or a selected segment (based on filtering rules) on any given interface. Additionally, it's possible to select a specific time frame or segment of stored traffic and reprocess it through the IDS engine, which means traffic can be re-examined with signatures that did not exist when it was captured. The NetDetector also has extensive event reporting and notification capabilities, and can send e-mail notifications and SNMP traps when an event is triggered.
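The capture, reconstruction and re-scan workflow described above, as an added Python illustration that is not Niksun's code (the Stream database format and the NetDetector's Snort integration are proprietary and not shown here): it builds a small constructed pcap, keeps every packet indexed by time and flow, rebuilds one direction of a telnet session in TCP sequence order despite out-of-order arrival and a retransmission, and re-runs two hypothetical Snort-style content rules (the sids, addresses and traffic are all made up) over a chosen time window.

```python
"""Full-packet store, stream reconstruction and IDS re-scan in miniature.
Added illustration, not Niksun's code: every packet (header and payload) is
kept and indexed, a TCP stream is rebuilt in sequence order, and Snort-style
content rules are re-run over a selected time window of stored traffic."""
import struct
from collections import defaultdict

# pcap global header: magic, version 2.4, zone 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def _ip(addr):
    return bytes(int(o) for o in addr.split("."))

def build_packet(ts, src, dst, sport, dport, seq, payload):
    """One constructed pcap record: Ethernet/IPv4/TCP, PSH|ACK, checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip(src), _ip(dst)) + tcp
    frame = b"\x00" * 12 + b"\x08\x00" + ip          # zero MACs, ethertype IPv4
    sec, usec = int(ts), int(round((ts - int(ts)) * 1e6))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame

def parse_pcap(data):
    """Yield one dict per IPv4/TCP record: ts, src, dst, sport, dport, seq, payload."""
    off = 24
    while off < len(data):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != 6:
            continue                                  # not TCP
        tcp = ip[ihl:total]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        doff = (tcp[12] >> 4) * 4
        yield {"ts": sec + usec / 1e6,
               "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
               "sport": sport, "dport": dport, "seq": seq, "payload": tcp[doff:]}

class PacketStore:
    """Keeps every packet; indexes by (src, sport, dst, dport) for stream rebuilds."""
    def __init__(self):
        self.packets = []
        self.flows = defaultdict(list)

    def add(self, pkt):
        self.packets.append(pkt)
        self.flows[(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])].append(pkt)

    def reconstruct(self, flow):
        """Rebuild one direction of a stream in sequence order. Bytes already seen
        (retransmissions) are dropped; gaps are concatenated without a marker."""
        out, end = b"", None
        for p in sorted(self.flows[flow], key=lambda p: p["seq"]):
            skip = 0 if end is None else max(0, end - p["seq"])
            out += p["payload"][skip:]
            seg_end = p["seq"] + len(p["payload"])
            end = seg_end if end is None else max(end, seg_end)
        return out

    def scan(self, rules, t0, t1):
        """Re-run (sid, dport, content) rules over every packet captured in [t0, t1].
        Matching is per packet, like a plain Snort content rule, so a retransmitted
        segment that matches alerts a second time."""
        alerts = []
        for p in self.packets:
            if t0 <= p["ts"] <= t1:
                for sid, dport, needle in rules:
                    if p["dport"] == dport and needle in p["payload"]:
                        alerts.append((sid, round(p["ts"], 3), p["src"], p["dst"]))
        return alerts

# Hypothetical rule ids and constructed addresses: 10.0.0.5 talks telnet to 10.0.0.9.
RULES = [(1000001, 23, b"/etc/passwd"), (1000002, 23, b"id;")]

def constructed_capture():
    a, v = "10.0.0.5", "10.0.0.9"
    recs = [
        build_packet(1700000000.000, a, v, 40000, 23, 1000, b"cat "),
        build_packet(1700000000.020, a, v, 40000, 23, 1015, b"\r\n"),         # arrives early
        build_packet(1700000000.030, a, v, 40000, 23, 1004, b"/etc/passwd"),  # middle segment late
        build_packet(1700000000.040, a, v, 40000, 23, 1004, b"/etc/passwd"),  # retransmission
        build_packet(1700000000.100, v, a, 23, 40000, 5000, b"root:x:0:0:root:/root:/bin/sh\r\n"),
        build_packet(1700000300.000, a, v, 40001, 23, 2000, b"id; uname -a\r\n"),  # five minutes on
    ]
    return PCAP_GLOBAL + b"".join(recs)

def demo():
    """Index the capture, replay the attacker's keystrokes, re-scan the first minute only."""
    store = PacketStore()
    for pkt in parse_pcap(constructed_capture()):
        store.add(pkt)
    commands = store.reconstruct(("10.0.0.5", 40000, "10.0.0.9", 23))
    first_minute = store.scan(RULES, 1700000000, 1700000060)
    return store, commands, first_minute
```

`demo()` returns the rebuilt command stream `cat /etc/passwd\r\n` even though the segments were captured out of order, and the first-minute re-scan reports sid 1000001 twice (once for the original segment, once for the retransmission) while the later `id;` session falls outside the window. The duplicate alert is the reason stream-aware detection matters: a per-packet content match sees the same bytes twice, whereas matching against the reconstructed stream would fire once.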
From Reports to Re-enactments
The management interface is a Java-based console, accessible by Web browser. The main menu is cleanly presented and well-organized. Selecting "Start Analysis" brings you to a selection of monitoring interfaces. Once the appropriate interface is selected, an abundance of data is presented, but it's extremely simple to drill down into that data to pull out the relevant data set. Data can be sorted by protocol, date, source, destination, attack, signature type, and so on. As data is presented in a frame on the left, graphs can be plotted from that data in the main frame. These graphs are live, and selecting a time frame for closer inspection is done by dragging the mouse over the graph. As the graph detail expands, the hosts referenced by the newly drawn graphs are presented on the right, and all data related to those hosts changes to match the time frame selected.