A new forensic security tool from network security company Network Associates’ Sniffer Technologies unit gives network administrators the ability to capture and replay security breaches as they occur, identifying the source and cause of network security problems.

The new product, called InfiniStream, captures all of a network’s traffic and stores that information on a hardware device called a “Capture Engine.”

A stripped-down Linux appliance outfitted with RAID-5 storage, the Capture Engine stores up to 2.8 terabytes of network traffic and can digest a wide range of streams including e-mail, Web, FTP, Internet Relay Chat, and voice-over-IP traffic, according to Chris Thompson, vice president of marketing at NAI. The hefty storage allows the Capture Engine to hold up to two and a half days of network traffic on a 5%-loaded full-duplex gigabit network, according to NAI.

As a result, administrators can capture and investigate information that occurs over the weekend — such as the recent Slammer outbreak — even if they don’t realize that an attack has happened until Monday morning, according to Thompson. Old network traffic data is overwritten by newer information once the Engine’s RAID disks are full.

Two InfiniStream software applications, referred to as the “mining console” and the “reconstruction/replay software,” help administrators make sense of the stored data and allow them to locate and reconstruct attacks after the fact.

The mining console serves as the main user interface for the product, allowing administrators to manage one or more capture engines and search out network traffic based on traffic type, origin IP address, destination IP address, or time.
The reconstruction/replay software is used to recreate and delve into network events and security breaches.

In the case of a virus, for example, the mining console could be used to identify the time when the e-mail carrying the virus arrived on a corporate messaging server. The reconstruction/replay software could then be used to retrieve the actual e-mail message from the data stored on the Capture Engine. Administrators could see both the e-mail message and its file attachment and download the malicious attachment to a desktop or secure location for further analysis and identification, according to Thompson.

InfiniStream is being sold as an alternative to more application-specific forensic tools and as a solution for network and security administrators who want comprehensive intelligence about security threats at the network core as well as at the gateway, Thompson said. For example, administrators could reconstruct an employee’s Web browsing session to determine whether or not the employee intentionally violated a company policy about visiting adult Web sites.

Despite the fact that the new device will not actually defend against viruses or hackers, InfiniStream will bridge a gap that currently exists between the worlds of network and security management, according to Paul Bugala, a senior analyst at IDC.

“What’s critical here is that an organization needs a platform to do both network analysis and forensic analysis. Having the ability to have a common data structure and then to play back scenarios is a bridge between the two,” Bugala said. “The network manager can understand where the network infrastructure was compromised, and the forensics person can do more detailed work in terms of securing the applications.”

Pricing for InfiniStream starts at $85,000 for one Capture Engine and the two software applications. The product is being marketed to service providers as well as government, law enforcement and financial services companies, according to NAI.
The product is available to some NAI customers immediately as part of a “controlled release.” However, InfiniStream will not be generally available until the third quarter of 2003, according to Thompson.

InfiniStream has been in use at a number of beta test sites; however, NAI was not able to produce customers willing to talk about their experience with the new product.