It's not often that I bear witness to a perfect match of innovation and execution, but Niksun Ltd.'s NetDetector is as close as I've seen. To the casual observer, the NetDetector appears to be simply another IDS (intrusion-detection system), but it actually goes much further than that.
Rather than simply capturing the packet headers of monitored data streams, and examining them for possible attacks, the NetDetector stores every packet, from header to payload, in an indexed database. This not only permits an administrator to be notified when an attack has occurred but also to reconstruct the attack, keystroke by keystroke, packet by packet, and determine the exact commands issued by the attacker, in addition to any files or other data that was transmitted to or from the compromised system. This capability is accompanied by a truly intuitive management console, and full standards-based reporting tools. In short, the NetDetector is simply done right.
The hardware foundation of the NetDetector unit I tested is a SuperMicro SuperServer 6022L-6 with two 2.8GHz P4 processors, 2GB RAM, and six 72GB SCSI drives. The OS is tried-and-true FreeBSD with a custom kernel. The system can utilize any number of interfaces, from standard Ethernet to ATM, Packet-over-SONet (Sychronous Optical Network), and HSSI (High-Speed Serial Interface). My test unit came with three 100Mbps Ethernet interfaces. Each interface is treated as a separate entity within the configuration, allowing them to monitor completely different networks and group all captured data accordingly. In fact, all data sets represented within the management UI are considered interfaces, whether actual physical interfaces or finite data sets captured manually.
The internal storage of the unit I received is a JBOD (Just a Bunch of Disks) array, since the proprietary Stream database is file system-based. Packet captures can be stored across physical and logical partitions, and the NetDetector can be configured with FC (Fibre Channel) host bus adapters to integrate with an existing SAN environment to augment its internal storage capabilities.
For intrusion detection, the NetDetector relies on Snort, the open source IDS. Niksun has put quite a lot of work into integrating Snort into the NetDetector. As with any IDS unit, the Snort IDS engine can be enabled to monitor all traffic or a selected segment (based on filtering rules) on any given interface. Additionally, it's possible to select a specific time frame or segment and reprocess that traffic stream through the IDS engine. The NetDetector also has extensive event reporting and notification capabilities, and can send e-mail notifications and SNMP traps when an event is triggered.
From Reports to Re-enactments
The management interface is a Java-based console, accessible by Web browser. The main menu is cleanly presented and well-organized. Selecting "Start Analysis" brings you to a selection of monitoring interfaces. Once the appropriate interface is selected, an abundance of data is presented, but it's extremely simple to drill down into that data to pull out the relevant data set. Data presentation can be sorted by protocol, date, source, destination, attack, or signature type, and so on. As data is presented in a frame on the left, graphs can be plotted from that data in the main frame. These graphs are live, and selecting a time frame for closer inspection is done by dragging the mouse over the graph. As the graph detail expands, the hosts referenced by the newly drawn graphs are presented on the right, and all data related to those hosts change to match the time frame selected.
Once a particular attack or signature has been identified, every packet comprising that event is available, both in raw packet form or presented in an HTML rendering of its original format. In the lab, I passed an AIM chat session and some HTTP traffic on the monitor. When I later selected the AIM session, I was able to reconstruct the entire session and view it (in an HTML mock-up) from either user's perspective. The HTTP traffic was displayed as an actual Web page.
To get even more granular with the captured packets, you can export any capture in standard pcap (packet capture) format for importing into protocol analyzation applications such as Ethereal. You can also view the raw packet data through the NetDetector's internal packet viewer.
The NetDetector doesn't stop there, however. Rather than using a proprietary filtering language, you enter all filtering commands in standard bpf (Berkeley Packet Filter) format, easing the curve for anyone familiar with tcpdump, Ethereal, or other bpf-based applications. After relevant data has been selected, generating reports with charts and graphs is easy. The reports can be exported in HTML, PDF, and CSV (Comma-Separated Values) format, or e-mailed directly from the interface. Also, it's simple to have reports run at scheduled intervals and e-mailed to administrators.
While testing and working with the NetDetector, I found that nearly every option I could have asked for was available, from importing and exporting packet captures in a variety of formats to exporting graphs and so on. It's obvious that a great deal of design time was invested in the interface.
On June 18, the North American Security Dealers (NASD) mandated that brokerage houses must store all instant messages sent or received by their brokers for a period of three years. This is only the first such requirement placed on instant messaging in the enterprise, but it's certain that more will follow, as IM is quickly finding its place in corporations of every size. The technological side of these requirements is usually vague, but the function must be performed. Niksun's NetDetector can be easily adapted to this purpose, given its powerful searching, storage, and filtering capabilities. In fact, it's easy to implement filters on the monitoring interfaces to watch only traffic from certain IP addresses, IP subnets, protocols, protocol families, and so on. Also, the NetDetector has a scheduling facility that automates the exporting of captured data to other hosts for longer-term storage.
While truly an impressive tool, NetDetector comes with a few caveats. Obviously, encrypted traffic cannot be viewed, so HTTPS and SSH (Secure Shell) traffic remains obscured. Another is liability. If the NetDetector has captured and archived sensitive data, that data could be retrieved by anyone with administrative access to the system or potentially by subpoena. Niksun is aware of these issues and can build a NetDetector with filtering rules hard-coded to prevent even administrators from capturing data from sensitive hosts. Other than that, it's a best practice only to retain captured streams for a defined length of time.
Niksun has produced an impressive product in the NetDetector, both in the interface and the back end. If you need to go further, add-on products such as NetVoice can expand the capabilities of the NetDetector to permit decoding and analysis of VoIP data. In any case, the NetDetector will give you more information about your network than you would have thought possible.
The NetDetector was configured with two monitoring interfaces on separate LAN segments in the lab. One interface was plugged into a Cisco 2950 10/100 switch inside the network. The switch was configured to mirror packets from all interfaces to that port. The other interface on the NetDetector was plugged into a Cisco 2924 switch placed outside the firewall, with all packets from the firewall and Internet router mirrored to the NetDetector port. The NetDetector unit was left in place for a week.
I ran several load tests, using custom Perl scripts to generate connections between hosts inside and outside the network on random ports, and also to generate large amounts of HTTP, Telnet, and AIM traffic. Focused testing was done by using network resources normally, then inspecting the captures. Attack testing was conducted in a closed network with a single source and target system, although the NetDetector noted and logged hundreds of attack attempts seen on the external segment of the production network.
Editors note: Although Niksun has no formal arrangement with resellers in Australia, it does offer its products here and support is through its Singapore, Hong Kong and Tokyo partners.>