NetIntercept 2.0 delivers deep-data scrutiny for less
Network forensics package ambitiously analyzes, stores network traffic
True real-time network forensics implementations are generally a rich company's game: the high-performance devices capable of deep-packet analysis, session recreation, reporting, and auditing carry a correspondingly high price.
Sandstorm has taken a slightly different approach, forgoing redundancy and scalability to deliver the NetIntercept 2.0 network forensics package on the NI-S95 appliance at a lower cost. The NI-S95 performs well for its size and costs significantly less than you might expect.
The NI-S95 analyzes data gathered from network traffic streams mirrored at the network edge or core. It monitors those streams and stores them on a local disk, at which point an administrator may initiate the process of categorizing, parsing, displaying, and reporting the findings gathered during analysis. The capture is protocol agnostic, storing every packet seen on the wire, and the analysis will interpret every known packet type.
A 2U rack-mount appliance, the NI-S95 is based on FreeBSD 4.8. My test unit contained a single 2.0GHz Pentium 4, 512MB of RAM, and a single 120GB IDE drive; the next generation of the NI-S95 will get a CPU speed boost to 2.4GHz for the same price. Of the 120GB on the non-upgradable local disk, 95GB is reserved for packet captures, with the remainder used for the OS and database files. The NI-S95 uses one 10/100 Ethernet interface for monitoring and another for management, and it is best suited to lower-throughput networks averaging 5Mbps or less.
The single IDE drive is a liability, to be sure, but it also brings the price of the NI-S95 down below $9,000. For those needing more storage and throughput, the NI-S95 has bigger brothers: the NI-DR300 with 300GB of RAID storage and the NI-DRG-770 with 770GB of RAID storage. These beefier models also use IDE drives, but add gigabit Ethernet, dual CPUs, and multiple network interfaces, and with them the horsepower to handle busier networks.
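To make the capture-then-analyze pipeline and the 95GB/5Mbps sizing concrete, here is an added Python example; it is not Sandstorm's code and not part of the original review. It writes a small constructed pcap file in memory (two HTTP packets, a DNS query, and an ARP request), reads it back without caring what protocols it holds, as the capture stage does, then classifies each frame the way the analysis stage would and works out how many hours of full-packet history a capture partition holds at a sustained average rate. The 95GB partition is assumed to be decimal gigabytes, and the 5Mbps figure is taken as a flat average; IP and transport checksums in the sample frames are left at zero because nothing on the wire will verify them.

```python
import struct
import socket

# libpcap file format: little-endian global header, microsecond timestamps
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def _ipv4_frame(src, dst, proto, payload):
    """Ethernet + IPv4 header around a transport payload (checksums left 0: constructed sample data)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload


def _tcp(sport, dport, data=b""):
    # 20-byte header: data offset 5, flags PSH|ACK, window 8192, checksum 0, urgent 0
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + data


def _udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_sample_pcap():
    """Constructed capture: an HTTP request and reply, a DNS query, and an ARP request."""
    frames = [
        (1000, 0, _ipv4_frame("10.0.0.5", "192.0.2.10", IPPROTO_TCP, _tcp(40000, 80, b"GET / HTTP/1.0\r\n\r\n"))),
        (1000, 500000, _ipv4_frame("192.0.2.10", "10.0.0.5", IPPROTO_TCP, _tcp(80, 40000, b"HTTP/1.0 200 OK\r\n"))),
        (1001, 0, _ipv4_frame("10.0.0.5", "10.0.0.1", IPPROTO_UDP, _udp(5353, 53, b"\x12\x34\x01\x00" + b"\x00" * 8))),
        (1002, 0, bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
                  + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in frames:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) for every record; protocol-agnostic, like the capture stage."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len


def classify(frame):
    """Decode Ethernet/IPv4/TCP/UDP headers; anything unrecognized is still counted, never dropped."""
    if len(frame) < 14:
        return {"proto": "RUNT"}
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype == ETHERTYPE_ARP:
        return {"proto": "ARP"}
    if ethertype != ETHERTYPE_IPV4 or len(frame) < 34:
        return {"proto": "OTHER-%#06x" % ethertype}
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(l4) >= 4:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        name = "TCP" if proto == IPPROTO_TCP else "UDP"
        return {"proto": name, "src": src, "dst": dst, "sport": sport, "dport": dport}
    return {"proto": "IP-%d" % proto, "src": src, "dst": dst}


def summarize(data):
    """Per-protocol packet counts, total bytes, and the average bit rate over the capture window."""
    counts, total_bytes, first, last = {}, 0, None, None
    for ts, frame in parse_pcap(data):
        info = classify(frame)
        counts[info["proto"]] = counts.get(info["proto"], 0) + 1
        total_bytes += len(frame)
        first = ts if first is None else first
        last = ts
    duration = (last - first) if first is not None and last > first else 0.0
    avg_bps = total_bytes * 8 / duration if duration else 0.0
    return {"counts": counts, "bytes": total_bytes, "duration_s": duration, "avg_bps": avg_bps}


def retention_hours(disk_bytes, avg_bps):
    """Hours of full-packet history a capture partition holds at a sustained average bit rate."""
    return disk_bytes / (avg_bps / 8) / 3600


if __name__ == "__main__":
    print(summarize(build_sample_pcap()))
    # Assumption: decimal 95 GB capture partition and the review's 5 Mbps average
    print("%.1f hours of retention" % retention_hours(95e9, 5e6))
```

The retention figure is the number to keep in mind when sizing one of these boxes: a 95GB capture partition at a steady 5Mbps is a little under two days of history, and the oldest packets are gone once the disk wraps, so an incident noticed on Monday about Friday's traffic may already be unrecoverable.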
Initial configuration of the NI-S95 is a breeze. As soon as the monitoring interface establishes a link, it begins capturing traffic, storing every packet seen on the wire. To configure the management interface, plug in a keyboard, mouse, and monitor; the NI-S95 boots to an XDM (X Display Manager) log-in.
Logging in to the NI-S95 as any valid user presents an X Window System workspace running the Fvwm95 window manager, for a Windows 95 look and feel. It is also possible to run the NetIntercept 2.0 UI from the console of the unit itself, and a few other tools, such as a capture interface monitor, are available as well.
Most devices billed as appliances operate with a browser-based interface, using CGI and/or Java to deliver higher functionality to the administrator. Some include a client component that interacts with the device through SNMP to provide the administration interface. Sandstorm, however, has taken a different route, relying on X11 to deliver the interface. For those with Unix-derived workstations, this isn't a big deal. But those who would rather administer the NI-S95 from Windows will need a third-party package to provide an X server on their desktop, and that desktop must be willing to accept the appliance's X connections. As an aside, X11 names clients and servers the opposite way from the usual convention: the application drawing the interface is the client, and the display it draws on is the server. So in this case the NI-S95 is the client and the administrator's desktop is the server.
The application is written in Trolltech's Qt, providing a functional and responsive -- if not altogether aesthetically pleasing -- interface. Responsiveness depends directly on the network connection to the administrator's desktop, however, and X11 sessions across low-bandwidth links are painful to work with.