Sourcefire's RNA provides instant visibility into your network
By Joel Snyder, Network World Lab Alliance, Network World, 08/23/2004
Sourcefire's Real-time Network Awareness Sensor 2000 is like a magic eye that watches everything happening on your network.
By combining passive network analysis with a Web-based management system, Sourcefire delivers a powerful tool to IT personnel who need more information about their networks.
While RNA Sensors offer a wealth of information about the systems and services on your network, the downside is that it is
up to you to make sense out of it all.
To help network managers understand the information from RNA Sensors and the alerts and events from the company's intrusion-detection system sensors (Intrusion Sensor), Sourcefire offers the Defense Center (if purchased collectively, Sourcefire refers to the package
as its 3D Product Suite). RNA Sensors and Intrusion Sensors send information to the Defense Center, which provides a central
view of alerts and events, network configuration information and forensic data.
RNA Sensors sit passively on the network and watch the traffic pass by. The RNA Sensor we tested had four Ethernet interfaces,
but we used only one with virtual LAN-based monitoring to give RNA Sensor visibility into different parts of our production
network. While this virtual LAN capability is a great feature for a network site, if you wanted to monitor multiple sites, you'd need to deploy multiple
sensors. (See How we did it.) Configuration is simple: once you tell RNA Sensor what networks to watch, it begins collecting data and populating its
databases.
As RNA Sensor watches the packets fly by, it builds a model of the network topology and pinpoints the hosts on your network,
the network applications they are running, and the users and devices they are communicating with. Because RNA Sensor watches every connection to
every host, it also collects information about specific network flows, such as a particular HTTP connection from a client
to a server.
RNA Sensor's information about our network was quite accurate. Application identification was excellent, as the sensor found
obscure mail servers on non-standard ports and managed to get product and version information for most products. When it came
to guessing operating systems, the results were mixed. RNA Sensor collected the least amount of information for embedded systems, such as printers and
time servers.
RNA Sensor has piles of useful information - but it doesn't volunteer specific data if you don't ask for it. If you go to
the dashboard, it doesn't have a big flashing light saying "Hey, look at this." RNA Sensor's "policy-free" architecture is
great for the sophisticated network professional, but you've got to have an idea of what you want to know - or combine it
with Sourcefire's Defense Center management console - before it becomes a very useful tool.
For example, when we got a complaint about poor performance at a site, we made an educated guess to look at the flow summary
to see the top 10 connection initiators. RNA Sensor showed us a list, and the system that sat at the top of the list far outweighed
any other device in the network. It had been compromised by a hacker and was actively looking for other vulnerable systems,
consuming lots of bandwidth. Looking at detailed flow data from that system provided by RNA Sensor, we quickly identified
the scanning pattern and even the IP address to which it reported. When you do know what you're looking for, RNA Sensor
can provide the data.
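The top-initiator check described above, as an added example (not Sourcefire's code and not data from the review): it ranks hosts by connections initiated, flags any host far above the median, and profiles that host's fan-out and repeat peers. The flow records, documentation-range addresses, ports, and the 10x-median threshold are all constructed assumptions.

```python
from collections import Counter
from statistics import median

# Constructed flow records: (initiator, responder, responder_port).
# Addresses come from documentation ranges, not from the review.
def build_sample_flows():
    flows = []
    # Ordinary clients: a few connections each to a few servers.
    for i in range(1, 6):
        for server, port in (("192.0.2.10", 80), ("192.0.2.11", 25),
                             ("192.0.2.10", 443)):
            flows.append((f"198.51.100.{i}", server, port))
    # One host sweeping an address range on a single port, plus
    # repeated connections to one other address.
    for last in range(1, 201):
        flows.append(("198.51.100.77", f"203.0.113.{last}", 445))
    flows += [("198.51.100.77", "192.0.2.200", 6667)] * 12
    return flows

def top_initiators(flows, n=10):
    """Rank hosts by the number of connections they initiated."""
    return Counter(src for src, _, _ in flows).most_common(n)

def outliers(flows, factor=10):
    """Initiators whose connection count exceeds factor x the median."""
    counts = Counter(src for src, _, _ in flows)
    baseline = median(counts.values())
    return [h for h, c in counts.most_common() if c > factor * baseline]

def profile(flows, host):
    """Summarise one initiator: fan-out, dominant port, repeat peers."""
    peers, ports = Counter(), Counter()
    for src, dst, port in flows:
        if src == host:
            peers[dst] += 1
            ports[port] += 1
    # Peers contacted more than once stand out against a one-shot sweep.
    repeat_peers = [(d, c) for d, c in peers.most_common() if c > 1]
    return {"connections": sum(peers.values()),
            "distinct_peers": len(peers),
            "top_port": ports.most_common(1)[0],
            "repeat_peers": repeat_peers}

if __name__ == "__main__":
    flows = build_sample_flows()
    for host, count in top_initiators(flows):
        print(f"{host:16} {count}")
    for host in outliers(flows):
        print(host, profile(flows, host))
```

A host with hundreds of single-connection peers on one port shows the sweep, while the lone repeat peer is the kind of address worth checking as a possible reporting destination.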