Exclusive: Traveling through network time
Network Associates taps historical data for network analysis, forensics
Every network manager should be concerned with reducing the risks of security breaches and network failure. The trouble is both kinds of problems can be difficult to diagnose. The evidence you need to solve them often occurs over the course of days or weeks, and traditional network analysis tools, which are typically designed to show you what’s happening in real time, provide a much narrower window on events.
Two appliances from Network Associates aim to fill in the gap by combining one of the company’s old standbys, the Sniffer network analysis tool, with the ability to capture and store terabytes of network traffic. InfiniStream Network Management, a new product, allows you to mine historical, packet-level data to solve network problems. InfiniStream Security Forensics, released last July, brings historical data to bear in the investigation of security issues and network misuse. In taking a historical approach to network and security analysis, these solutions compete with similar appliances from Niksun.
Both InfiniStream appliances serve up extensive and accurate network data via easy-to-use management consoles. Security Forensics data can be imported into Network Management and other Sniffer consoles for more extensive analysis, and vice versa. Except for a couple of minor hiccups, both solutions performed exceptionally well in my tests.
Mining Network Data
InfiniStream Network Management comes in either a 2U (i410) or 4U (i1600) rack-mountable chassis. The 2U unit I tested comes with two 10/100/1000 and four 10/100 network interfaces, and four hard disks for a total of 800GB of disk space. The Security Forensics appliance comes in the 4U i1600 chassis, which sports two Gigabit Ethernet and two 10/100/1000 network interfaces, and 16 hard disks for a total of 2.9TB of storage. Both boxes have hot-swappable disk drives; the 4U units also have hot-swappable power supplies.
Depending on the amount of network traffic, the number of network ports being spanned, and the number of traffic filters, these boxes could store anywhere from a dozen hours to several months of traffic data. Once full, the drives are overwritten with newer data in a continuous loop. Unfortunately, the only way to increase the storage capacity of the Network Management appliance is by daisy-chaining boxes together; the ability to attach a NAS or SAN device would be a welcome addition. The Security Forensics software is available separately, allowing you to deploy it on your own hardware with as much storage as you like.
The Network Management console consists of four separate window components. The Capture Engine panel lists available capture engine appliances. The Filters and Options panel is useful for examining and comparing data from IP addresses, ports, and MAC addresses, allowing you to use Boolean operators to combine the filters. The Statistics panel displays nitty-gritty performance metrics for parameters ranging from IP addresses to VLANs and even includes, nicely, the ability to select conversations between devices.
Last but not least, I found the Network Management console’s Graph panel extremely useful. On many occasions I’ve pulled out a Sniffer to troubleshoot a problem with an application, machine, switch, or router, trying to piece together an event that’s already happened with only current network behavior to go on. No longer. In Graph, I simply select a traffic stream and the historical time interval that I want to closely examine, and, voilà, the problem is isolated.