20/20 Foresight

InfiniStream puts some serious hardware and software to work to make this playback happen. The capture engine hardware sits in a 4U rack-mount cabinet weighing roughly 150 pounds. This substantial cabinet holds a server with two Gigabit Ethernet and two 10/100Base-T network interfaces, 1 GB of RAM and nearly 3 TB of raw storage that format to 2.2 TB in a RAID 5 configuration. InfiniStream is powered by three redundant power supplies; all its power supplies and hard disks are hot-swappable.

When installed, the Gigabit Ethernet ports are used for network monitoring. One 10/100 interface is designated for console and data-mining application access, the other for technicians. The vendor recommends keeping the second port disconnected unless maintenance on the system is under way.

InfiniStream isn't for minor players. With a starting price of $75,000, you have to be seriously in the game.

Use With Care

Two software applications are needed to configure and manage Infinistream. The first, icesetup, is a text-based configuration program for initial system setup and major operational shifts. The mining console is a Windows application used for searching, examining and replaying captured and stored network data.You'll want at least a gigabyte to run this baby. Even simple mining requests involve searches through many gigabytes of raw data, and starving the application for memory means slowing everything down.

Using InfiniStream properly is a lesson in restraint. There's a temptation to dive into the data and swim around for a while, playing with mining requests and application replays. This is fine if you have a lot of time to kill, but InfiniStream's strength lies in backing up an IDS to provide a perfect replay of a crucial few seconds of a recent security event. If you just want to splash around, InfiniStream is capable, but not quick.

Icesetup's menus make it simple to configure InfiniStream's Linux-based capture-engine software. IP addresses for various components are established, the network feed to be monitored is defined, the status of the storage subsystem is ascertained, and other basic parameters are decided. There's one small quirk, however--it's easy to assume that network traffic capture will begin automatically when the setup process ends, but you must explicitly begin the capture.

If InfiniStream is connected to the network via a half-duplex span port, only the information traveling in one direction will be captured. If your router has only half-duplex ports, two ports can be used as scan ports. InfiniStream can then bind the two Gigabit Ethernet feeds into a single data stream that carries Internet interactions from both ends.

Data CollectedThe vendor states that the capture engine will capture and store data at full Gigabit Ethernet line rate. We configured the engine to capture the entire Internet feed for a major university, averaging 250 Mbps. At this average, and with the storage system configured as a RAID 5 array, InfiniStream held approximately 24 hours of data. This is a "your mileage may vary" number. InfiniStream easily kept up with the data stream of our test situation, and left no mysterious voids in any transactions we examined.

InfiniStream is marketed as a network forensics device, and evidence of security compromises is stored on the system's hard disk. After an IDS points to a problem, an administrator may examine the data packets by using either the InfiniStream data-mining tool, more traditional Sniffer packet-analysis products or application playback.

Before initiating a search, you should have an idea of what you're looking for. The graphical interface of the data-mining tool makes it easy to define a time span, a set of IP addresses, and a set of services and protocols that you want to see. The results are displayed in panes within the window, and clear controls let you scroll through the data, watching conversations and interactions. The screens don't let you look at individual packet contents, though, and the ease with which you can find higher-level information makes this shortcoming stand out. It's hard to criticize a product for failing to do something it never promised, but the InfiniStream system will be far more useful when there's tighter integration between it and the other products in the Sniffer family.

You can take a deep peek at packet contents by saving the mining results and moving the file to a system with a Sniffer monitoring product, such as Sniffer Distributed or Sniffer Basic. Moving the data doesn't take much time, though the extra step can prove annoying.

The annoyance level goes down, however, when you begin to look at the application replay capabilities of InfiniStream. When the license for application replay is installed, you can replay sessions involving HTTP, FTP, VoIP, SSH, HTTPS, POP3, SMTP, IMAP4 and IRC protocols. You can, in fact, be very, very nosy. The replay feature not only lets you use InfiniStream to follow up on intrusion-detection alerts, but makes it possible to watch and record the activities of individual users stretching over a much longer period of time.

Two incidents observed during testing indicate the sort of use to which InfiniStream can be put. In the first, an external attacker succeeded in compromising the SAMBA server on a particular Web site, then used that SAMBA server to exploit other servers within the domain. This was a new exploit and the IDS merely indicated the results. By correlating the time stamp from the IDS activity to the InfiniStream captured data, we were able to see precisely how the attacker had pulled it off. In another case, a network user was downloading movies through an IRC client and in pieces so as not to trip excessive bandwidth alerts. InfiniStream replayed the user's session, showing the movie request and download.

There's one danger to this faithful application playback. Worms, Trojans, viruses and other cybernasties will be recorded and played back, and network infection (or reinfection) could occur.Keeping It Safe

InfiniStream is a useful addition to the enterprise security toolbox. It's a relatively young product, and users can hope that future releases of the software will bring greater integration with packet decoders and IDS applications. When that happens, InfiniStream could become invaluable to companies that want to understand and respond--technically and legally--to those who would criminally abuse corporate networks.

Curtis Franklin Jr. is a writer and editor living in Gainesville, Fla. Write to him at [email protected].

Post a comment or question on this story.