SANS reviews NIKSUN NetDetector and NetVCR

Published on: 08-15-2006

The NIKSUN NetDetector/NetVCR 2005 is like the “black box” on an aircraft. It collects all types of data, including packets, which can be analyzed later, when an organization suspects that some type of attack may have occurred. NIKSUN’s approach to storing and making accessible all event and traffic data — all the way down to the packet level — is different from most network analysis appliances, which try to simplify the user interface and storage, but remove too much detail in the process. This leaves an experienced operator who needs packet-level detail at a disadvantage. Instead of being able to follow his own hunch by drilling deeper into the data, he’s forced to trust a device’s analysis instead of his own. While convenient for less experienced staff, this lack of detail presents a security risk in cases in which closer examination of traffic and events is required.

The NetDetector/NetVCR 2005 maintains the entire packet and all related network traffic so that the alert or incident can be reviewed in context. This is all done from a browser-based interface with a full complement of graphs, reporting capabilities and drill-down options. The NetDetector/NetVCR 2005 can also assist the operator in determining bandwidth usage and gathering very specific details about which machine, protocol or service the activity is occurring on.

Monitoring total bandwidth can be helpful in planning network usage around normal and peak traffic periods, as well as for setting a security baseline for normal user behavior. The ability to drill down and see how that bandwidth is or was being used can help track performance issues down to the device and service levels. More importantly, NetDetector/NetVCR, when configured correctly, can locate suspicious patterns of behavior that might indicate employee misuse or the existence of attack code inside the network. By detecting and alerting to the suspicious behaviors as they happen, this type of device goes beyond the reactive signature-based approach in which you must know the attack code before the system can look for and find it.
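The “security baseline for normal user behavior” described above is, at its simplest, a per-host statistical profile that later observations are scored against, so that an unusual transfer is flagged without any attack signature. The following is an added illustration written for this review, not NIKSUN code; the hosts, byte counts and the z-score threshold are constructed assumptions.

```python
"""Behavioural baseline over per-host bandwidth samples (added example).

Learns "normal" bytes-per-window for each host from a training set, then
scores new observations by how many standard deviations they sit from that
host's mean. Hosts never seen during baselining are reported separately,
since they have no profile to compare against.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training data: (host, bytes transferred in one 5-minute window)
BASELINE_SAMPLES = [
    ("10.0.0.5", 120_000), ("10.0.0.5", 130_000), ("10.0.0.5", 110_000),
    ("10.0.0.5", 125_000), ("10.0.0.5", 115_000),
    ("10.0.0.9", 40_000), ("10.0.0.9", 45_000), ("10.0.0.9", 38_000),
    ("10.0.0.9", 42_000), ("10.0.0.9", 41_000),
]

# Constructed later observations: one normal window per known host, one
# sudden 2 MB transfer, and one host that was never baselined.
OBSERVATIONS = [
    ("10.0.0.5", 118_000),
    ("10.0.0.9", 43_000),
    ("10.0.0.5", 2_000_000),
    ("10.0.0.77", 50_000),
]


def build_baseline(samples):
    """Return {host: (mean_bytes, stddev_bytes)} from training samples."""
    per_host = defaultdict(list)
    for host, nbytes in samples:
        per_host[host].append(nbytes)
    return {host: (mean(v), pstdev(v)) for host, v in per_host.items()}


def score(baseline, host, nbytes, min_sigma=1000.0):
    """z-score of an observation against the host's profile, or None if the
    host has no profile. A floor on sigma stops a host with near-constant
    traffic from alerting on every trivial fluctuation."""
    if host not in baseline:
        return None
    mu, sigma = baseline[host]
    sigma = max(sigma, min_sigma)
    return (nbytes - mu) / sigma


def detect(baseline, observations, threshold=3.0):
    """Return a list of (host, bytes, reason) for observations worth review."""
    alerts = []
    for host, nbytes in observations:
        z = score(baseline, host, nbytes)
        if z is None:
            alerts.append((host, nbytes, "no baseline for host"))
        elif abs(z) >= threshold:
            alerts.append((host, nbytes, f"z={z:.1f}"))
    return alerts


def run():
    """Build the baseline from the constructed samples and score the
    constructed observations; returns the alert list."""
    return detect(build_baseline(BASELINE_SAMPLES), OBSERVATIONS)


if __name__ == "__main__":
    for host, nbytes, reason in run():
        print(f"{host:<12} {nbytes:>10} bytes  {reason}")
```

With these inputs the two normal windows score well under the threshold, the 2 MB transfer from 10.0.0.5 scores hundreds of standard deviations out, and 10.0.0.77 is reported as unprofiled. A real deployment would keep separate profiles per time-of-day bucket and per protocol, which is what the drill-down by machine, protocol and service described above amounts to.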

Because the NIKSUN appliance stores the traffic in its database, operators can access details on historical events in full context, to the level of detail that the analyst requires, including the bit level. Many other traffic analysis, IDS/IPS appliances and firewalls only log “important” information, such as traffic that matches a virus, worm, or attack pattern. As a result, data that is considered “unimportant” in one case, such as a new, unknown attack — often called a 0-day attack — may not be detected. That seemingly unimportant data may be vitally needed once the attack is known and an organization realizes that they’ve fallen victim to it.

This appliance stores all the traffic packets so that a high-level analyst can get the details required to determine the full extent of the damage, while a front-line analyst still has a simple user interface with graphs and charts with which to look for potential problems.

Another powerful feature of the NetDetector/NetVCR 2005 is the ability to reconstruct application data to re-create viewable e-mail messages, Web pages, chat sessions, ftp sessions, and other traffic. This is particularly important when gathering information for litigation related to criminal hacking and employee misuse.
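Re-creating a Web page or e-mail from stored traffic, and the earlier point that retained “unimportant” packets can be revisited once an attack is understood, both rest on the same mechanism: the individual TCP segments are still on disk, so the stream can be put back in order and parsed after the fact. The following added example, written for this review and not taken from NIKSUN’s product, reassembles a small HTTP response from constructed segments that arrive out of order with one retransmission, and shows how a missing segment is reported as a gap rather than silently skipped.

```python
"""TCP stream reassembly from retained packets (added example).

Segments are constructed inline as (relative sequence number, payload).
The capture order is deliberately scrambled and contains one duplicate to
mimic retransmission. reassemble() rebuilds the contiguous byte stream and
reports the offset of the first hole, if any, so an analyst knows whether
the recovered application data is complete.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first payload byte (relative)
    payload: bytes


# Constructed application message carried by the stream (77 bytes)
HTTP_MESSAGE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 12\r\n"
    b"\r\n"
    b"hello, world"
)


def split_into_segments(data, size):
    """Cut a byte string into fixed-size segments with relative seq numbers."""
    return [Segment(i, data[i:i + size]) for i in range(0, len(data), size)]


# Constructed capture: 16-byte segments delivered out of order, with the
# second segment retransmitted once.
_ordered = split_into_segments(HTTP_MESSAGE, 16)
CAPTURED = [_ordered[2], _ordered[0], _ordered[3], _ordered[1], _ordered[1]] + _ordered[4:]


def reassemble(segments, isn=0):
    """Return (contiguous_bytes, first_gap_offset_or_None).

    Retransmitted segments with the same seq are deduplicated by keeping the
    first copy. Reassembly stops at the first missing byte; if any segment
    lies beyond that point the stream is reported as having a gap there.
    """
    by_seq = {}
    for s in segments:
        by_seq.setdefault(s.seq, s.payload)
    out = bytearray()
    expected = isn
    while expected in by_seq:
        out += by_seq[expected]
        expected += len(by_seq[expected])
    gap = expected if any(seq > expected for seq in by_seq) else None
    return bytes(out), gap


def parse_http_response(data):
    """Split a reassembled HTTP response into (status_line, headers, body,
    complete). complete is False when the body is shorter than
    Content-Length claims, i.e. the capture did not hold the whole object."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.decode("ascii", "replace").strip().lower()] = \
            value.decode("ascii", "replace").strip()
    length = int(headers.get("content-length", len(body)))
    return status, headers, body[:length], len(body) >= length


if __name__ == "__main__":
    data, gap = reassemble(CAPTURED)
    print("gap:", gap)
    print(parse_http_response(data))
```

Because the original segments are retained rather than summarized, the same capture can be reassembled again later with a different parser (SMTP, FTP, a chat protocol) once the analyst knows what to look for; a device that had kept only an alert record could not do this.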
