PacketMotion PacketSentry 2.0.3
PacketMotion's PacketSentry 2.0.3 fills in the gaps where IDS and network flow monitoring fall short.
February 13, 2006
Mix a pinch of Microsoft Active Directory, a dash of network monitoring and an ounce of paranoia, and what do you get? A product to satisfy the questions you have about what your users are doing on your network, in the form of PacketMotion's PacketSentry. Were your interns using instant messaging again when they should have been working on the final draft for their summer project? Did your contractor access the financial share on one of your servers? PacketSentry lets you know by correlating network activity to the users responsible.
Good
• Client interface quick and intuitive
• Supports Active Directory for user, group and host enumeration
• Excellent reports for compliance needs or simply showing what happens on the network
Bad
• Doesn't support directories other than Active Directory
• Requires Oracle database
• Custom network applications not recognized initially
PacketSentry, $50,000 including Probe, Manager, Database, on-site installation and initial training. PacketMotion, (408) 449-4300. www.packetmotion.com
I tested PacketSentry, which consists of probe and manager appliances and an Oracle database server for storing data collected by the probe, in our University of Florida Real-World Labs®. The probe is a 2U appliance designed to hang off a monitoring port or network tap. Ideal placement is directly in front of a server farm to monitor all activity to and from the servers, or at the Internet boundary of a remote office to monitor all inbound and outbound traffic. For my tests, I set up a small network with several Microsoft Windows XP hosts and a Windows Server 2003 server providing Active Directory services, DNS and file sharing.
PacketSentry Client Manager
The PacketSentry Manager 1U appliance can be placed anywhere on the network, provided that it is accessible to the appropriate administrators. The PacketSentry client software must be installed on a Windows PC to connect to the manager. The manager appliance has a 10/100-Mbps network port, while the probe supports only gigabit copper or fiber. Companies without gigabit network links will need to purchase a 100/1000 media converter.
For PacketSentry to be aware of users, groups and computers, it must have an Active Directory account with access to the domain directory and security event logs. PacketMotion provides excellent installation and setup documents showing how to create a nonadministrator account that has the appropriate access to those logs, which is perfect for those paranoid admins who don't want to put domain administrator credentials on a security appliance.
Keeping Tabs
The PacketSentry client interface is straightforward. The client window has several viewing panes that change based on the highlighted item. When the "users" icon is clicked on the left-hand side, for example, the right-hand side shows all the Active Directory users. Right-clicking on a user name gives options like viewing all applications, IP addresses or hosts used. On the lower right side, a graph shows application usage by bandwidth.
The applications tab in the client shows 166 supported applications and network protocols that are split up into application groups called Bad, E-mail, Encrypted, Enterprise, File Transfer, Instant Messaging and more. I was impressed by the wealth of protocols supported. I used SSH, Secure IMAP, SFTP and an IPsec VPN, which were all identified properly and attributed to the correct user, even when nonstandard ports were used. PacketMotion works with clients to add in support for custom network applications. Enterprises looking to limit usage of IM and peer-to-peer applications will appreciate the wealth of supported protocols. I tested AIM, BitTorrent and eDonkey with perfect detection. PacketSentry even gathers metadata that shows what files were being downloaded, and the user names for IM and with whom conversations were initiated.
PacketSentry also will detect port scans and worm activity. I tested this by running a couple of different network scans using nmap. Each scan was picked up, labeled as port scan or worm and mapped back to the user who was logged in at the time.
Network activity generated by hosts that aren't logged into Active Directory shows up as unclassified. The applications and protocols are logged with the source and destination IP addresses but don't have an associated user.
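To make the attribution mechanism described above concrete, here is an added example (not PacketMotion's code) that maps constructed flow records to constructed domain logon events the way a probe-plus-directory product would: each flow is credited to the user who most recently logged on from its source IP, and flows from hosts with no logon on record come out as unclassified. The attribution rule and the session-age limit are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical): logon events as a collector would
# read them from the domain controller's security log, and flow records as
# the probe sees them on the monitoring port.
LOGON_EVENTS = [
    # (timestamp, user, source IP of the logon)
    ("2006-02-13 08:55:00", "CORP\\intern1", "10.0.1.20"),
    ("2006-02-13 09:10:00", "CORP\\contractor", "10.0.1.30"),
    ("2006-02-13 12:00:00", "CORP\\intern2", "10.0.1.20"),  # PC changed hands
]

FLOWS = [
    # (timestamp, src IP, dst IP, dst port, application label from the probe)
    ("2006-02-13 09:00:00", "10.0.1.20", "203.0.113.5", 5190, "AIM"),
    ("2006-02-13 09:30:00", "10.0.1.30", "10.0.2.5", 445, "SMB"),
    ("2006-02-13 12:30:00", "10.0.1.20", "10.0.2.5", 22, "SSH"),
    ("2006-02-13 13:00:00", "10.0.1.99", "10.0.2.5", 80, "HTTP"),  # no logon
]

MAX_SESSION = timedelta(hours=10)  # assumed: older logons are treated as stale


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def attribute_flows(logons, flows, max_session=MAX_SESSION):
    """Return one (user, src, dst, port, app) tuple per flow. Assumed rule:
    the user is whoever most recently logged on from the flow's source IP
    before the flow, provided that logon is not older than max_session;
    otherwise the flow is 'unclassified'."""
    by_ip = {}
    for ts, user, ip in logons:
        by_ip.setdefault(ip, []).append((_parse(ts), user))
    for sessions in by_ip.values():
        sessions.sort()  # oldest logon first
    results = []
    for ts, src, dst, port, app in flows:
        t = _parse(ts)
        user = "unclassified"
        for logon_time, candidate in by_ip.get(src, []):
            if logon_time > t:
                break  # logon happened after the flow; stop looking
            if t - logon_time <= max_session:
                user = candidate  # later logons overwrite earlier ones
        results.append((user, src, dst, port, app))
    return results


def activity_for_user(records, user):
    """Per-user application list, like the client's 'applications used' view."""
    return sorted({app for u, _, _, _, app in records if u == user})
```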
User Reports
Reporting functions were basic but thorough. I selected a date range, the type of application of interest and whether I wanted the results based on user names or hosts. The result provided an easy-to-read graph and table listing. The data can be exported to a comma-separated values (CSV) file to be imported into your favorite spreadsheet application for manipulation. PacketMotion can even verify that the last days of an employee were not spent performing malicious acts on the network. I created a report for two different weeks of data and easily compared the differences in network traffic and application usage. I could see there was more IM activity and encrypted connections in the last week than there had been in previous weeks. A company could easily re-create this process to verify that access was not made to files outside of the former employee's purview and ensure that no data was altered or deleted.
PacketSentry is a great product to fill in the gaps where IDS and network-flow monitoring fall short, provided your environment uses Active Directory. It assists with the who, where, what and when necessary to investigate network and personnel issues. Note, though, that it's not a replacement for a network forensic device, as it does not capture the network traffic to disk for in-depth review.
John H. Sawyer is a network security engineer at the University of Florida and a GIAC Certified Firewall Analyst and Incident Handler. Write to him at [email protected].