Rollout: Network Instruments' GigaStor
Like a surveillance camera for the network, NI's appliance captures and replays traffic for auditing, forensics and troubleshooting.
September 7, 2007
The ability to analyze network events is critical for today's enterprises. Besides regulations like HIPAA and Sarbanes-Oxley, more than 30 states require organizations to notify customers if personal information is exposed; fail to do so and you face fines and legal action. Having actual network traffic can help IT answer burning questions—was information taken, and what was the extent of the breach?
Network Instruments' GigaStor answers those questions and more. It captures, stores and can replay network traffic, including application sessions, file transmissions and Web site use, and provides excellent tools for understanding exactly what happened and who was responsible. Depending on the link it monitors, it can store days, months or even years of actual network activity. The largest available unit will store 48 TB of data; we tested a 12 TB version.
While targeted at network administrators as a troubleshooting and analysis tool, the GigaStor will also please internal and external auditors, corporate attorneys, and executives. When an application flakes out, information gets stolen or an employee violates policy, the first and often hardest question to answer is, "What happened, exactly?" This device can provide crucial evidence these constituencies need when investigating policy violations, compliance issues or cyber crimes.
For instance, suppose you're investigating an incident in which an employee sent a sensitive file named new_product.exe to an outside agency. Most competitive products record key statistics such as the file name, source IP address, transfer protocol and time of the transfer. However, when you reconstruct the event and confront the employee, he might argue that the file was a harmless executable that has the same name as a sensitive file. GigaStor records the actual file that was sent and allows you to see it. On the downside, the product is expensive. Buyers will have to carefully choose which network links will most benefit from real-time traffic capture. It also requires substantial time to learn to use it effectively. Finally, for a product with such clear applicability to auditors and lawyers, it lacks detailed documentation on how to home in on a bad event and present it in a form that these audiences will easily understand. Network Instruments says it is aware of and addressing this issue, but it's an unfortunate omission.
THIS IS A RECORDING
We didn't find our GigaStor particularly difficult to deploy. However, it is a complex product, and will require an investment in training to ensure you use it to its full potential. Once the GigaStor is placed inline on a network link, IT can access the appliance through Observer, a software program that runs on a network-attached PC. Observer provides the typical views of network utilization and performance and includes good tools for filtering on standard parameters, such as address, port or byte offset. We found the system on par with most major rivals in terms of network analysis. For example, it provides utilization data, MAC address lists, conversation pairs at several levels, VoIP statistics and good expert analysis. However, it doesn't handle video as well as Agilent's Network or Triple Play analyzers.
Where Observer and GigaStor really shine is in their ability to quickly change the longitudinal view (that is, the time period observed) of the captured information. You can store weeks, months or even years of traffic (see table below). You can also move captured traffic to your SAN, though you'll want to speak with Network Instruments about capture and write-to-disk rates.
Days of captured traffic retained, by appliance size and sustained traffic rate:
Appliance size | 3 Mbps | 10 Mbps | 100 Mbps | 250 Mbps | 500 Mbps | 1,000 Mbps | 2,000 Mbps
---|---|---|---|---|---|---|---
16 TB | 494 | 148 | 14 | 6 | 3 | 1.5 | 0.75
32 TB | 1,234 | 370 | 36 | 15 | 7.5 | 4 | 2
48 TB | 1,975 | 592 | 59 | 24 | 12 | 6 | 3
Note that GigaStor does much of the forensic analysis on the appliance itself rather than shipping the information to Observer. This cuts down on the number of large files that need to be sent over the network and won't tax the processing power on the Observer PC. You can also transfer part of the captured file to the PC for analysis while the GigaStor continues to monitor the network.
When you run a forensic analysis, GigaStor looks for security events using the open-source Snort ruleset. If a rule indicates bad behavior, GigaStor reconstructs the traffic. Of course, you do need to be careful not to open a file that could be malicious.
If you're monitoring visits to inappropriate Web sites, you need only find a few packets in the conversation to enable GigaStor to reconstruct the Web conversation in its entirety and produce the actual files and images that made up the retrieved pages. If you need to recreate an event, captured packets can be replayed into the production environment or a dummy network.
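The reconstruction described above (recovering the actual file from the packets of a conversation, as in the new_product.exe scenario earlier) comes down to ordering TCP payloads by sequence number and then parsing the application protocol on top. The following is an added example, not Network Instruments' or Observer's code: it reassembles one direction of a constructed HTTP response whose segments were captured out of order with a retransmission, recovers the attachment and records its SHA-256 so the bytes can be compared and documented without ever being executed. The sequence numbers, payloads and file name are all constructed for the example.

```python
"""Reassemble one direction of a captured TCP conversation and recover the
transferred file. Added example, not vendor code; all packet data below is
constructed inline."""
import hashlib

ISN = 1000  # hypothetical initial sequence number of the server->client side

# Constructed "file" and HTTP/1.0 response carrying it. The body is NOT a real
# executable; it only starts with the MZ marker so the point is visible.
_BODY = b"MZ\x90\x00" + b"\x00" * 12 + b"This is not a real executable\n"
_HEAD = (b"HTTP/1.0 200 OK\r\n"
         b"Content-Type: application/octet-stream\r\n"
         b"Content-Disposition: attachment; filename=\"new_product.exe\"\r\n"
         + b"Content-Length: %d\r\n\r\n" % len(_BODY))
_STREAM = _HEAD + _BODY


def _chunk(stream, size=40):
    """Cut a byte stream into (tcp_seq, payload) segments, in order."""
    return [(ISN + i, stream[i:i + size]) for i in range(0, len(stream), size)]


# Constructed capture: the segments arrive reversed, and the first segment is
# retransmitted once, as happens in real traces.
_ORDERED = _chunk(_STREAM)
CAPTURED = _ORDERED[::-1] + [_ORDERED[0]]


def reassemble(segments, isn):
    """Order payloads by sequence number, dropping exact retransmissions and
    refusing to continue across a gap so a partial stream is never mistaken
    for a complete one. (Overlapping partial segments are not handled.)"""
    by_seq = {}
    for seq, payload in segments:
        if seq in by_seq and by_seq[seq] != payload:
            raise ValueError("conflicting retransmission at seq %d" % seq)
        by_seq[seq] = payload
    out, expected = bytearray(), isn
    for seq in sorted(by_seq):
        if seq != expected:
            raise ValueError("gap: expected seq %d, got %d" % (expected, seq))
        out += by_seq[seq]
        expected = seq + len(by_seq[seq])
    return bytes(out)


def extract_http_file(stream):
    """Split an HTTP response into headers and body; return
    (attachment name, body bytes, sha256 hex of the body)."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP headers")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower()] = value.strip()
    length = int(headers.get(b"content-length", len(body)))
    if len(body) < length:
        raise ValueError("truncated body: %d of %d bytes" % (len(body), length))
    body = body[:length]
    name = "unnamed"
    disp = headers.get(b"content-disposition", b"")
    if b"filename=" in disp:
        name = disp.split(b"filename=", 1)[1].strip().strip(b'"').decode("ascii", "replace")
    # Hash, never run: the digest is what goes in the incident record.
    return name, body, hashlib.sha256(body).hexdigest()


def reconstruct(captured=CAPTURED, isn=ISN):
    """Full pipeline over the constructed capture."""
    return extract_http_file(reassemble(captured, isn))


if __name__ == "__main__":
    name, body, digest = reconstruct()
    print("recovered %s (%d bytes) sha256=%s" % (name, len(body), digest))
```

The gap check matters for evidence: a reconstruction built from packets with a missing segment should be reported as incomplete rather than silently presented as the file that crossed the wire.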
While the interface is similar to other analyzers, it requires an understanding of instances, a concept similar to a hybrid between a session and an account. An instance defines your access rights and establishes the logical relationship between your Observer and a particular GigaStor. This allows for multiple GigaStor devices to be managed by one Observer, or multiple Observers to access a single GigaStor.
The GigaStor product line stores data at rates up to 14.4 Gbps. The 12 TB unit we tested stores data at rates up to 3.4 Gbps. If you want to see nearly everything that happens on your network, you may want to attach it to a backbone link, but you'll fill its storage pretty quickly. If you're more interested in Internet activity, connect it to the link to your outside router. When the appliance reaches capacity, it erases the oldest traffic first. You can offload captured traffic to a secondary storage system, but you'll have to reload it back to a GigaStor appliance to analyze it.
As mentioned, Network Instruments still has work to do in making the information gathered from the GigaStor more directly relevant to auditors, lawyers and executives. It also doesn't provide guidance in the use of captured data for legal action. This can be problematic because there are strict procedures for handling forensic evidence, particularly if that evidence is to be used in court. Failure to follow these procedures can render forensic evidence inadmissible. Administrators should work with legal counsel to ensure that the IT department's data gathering and evidence handling practices will stand up to rigorous scrutiny.
The appliances are available with a fixed storage capacity of 4, 8 or 12 TB. Prices range from $20,000 to slightly above $50,000, depending on the number and types of interfaces selected. The new, expandable GigaStor model, which lets IT incrementally add storage, comes in 16, 32 or 48 TB versions with prices ranging from $60,000 to $90,000, again dependent on interfaces selected. Our price as tested was $50,000 for a 12 TB unit, plus $2,895 for the Observer software.
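One concrete piece of the evidence-handling discipline the paragraph above calls for, applied to captures offloaded to secondary storage as the previous paragraph describes: record a hash of every exported capture file at collection time, with who collected it and when, so that later analysis can show the files reloaded for examination are the ones originally exported. This is an added example, not Network Instruments' code or Observer's export format; the directory layout, file names, ".cap" extension and manifest format are all hypothetical, and the demo scenario (two exported captures, one later altered) is constructed.

```python
"""Integrity manifest for capture files offloaded to secondary storage.
Added example, not vendor code; file names and manifest format are
hypothetical."""
import datetime
import hashlib
import json
import os
import tempfile

MANIFEST = "MANIFEST.json"  # hypothetical manifest file name


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large captures don't need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(export_dir, collector):
    """Hash every file in export_dir and record collector and UTC time."""
    files = {}
    for name in sorted(os.listdir(export_dir)):
        path = os.path.join(export_dir, name)
        if name != MANIFEST and os.path.isfile(path):
            files[name] = {"sha256": sha256_file(path), "bytes": os.path.getsize(path)}
    manifest = {
        "collector": collector,
        "collected_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "files": files,
    }
    path = os.path.join(export_dir, MANIFEST)
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return path


def verify_manifest(export_dir):
    """Return {file name: 'ok' | 'modified' | 'missing' | 'unexpected'}."""
    with open(os.path.join(export_dir, MANIFEST)) as f:
        manifest = json.load(f)
    report = {}
    for name, rec in manifest["files"].items():
        path = os.path.join(export_dir, name)
        if not os.path.isfile(path):
            report[name] = "missing"
        elif sha256_file(path) != rec["sha256"]:
            report[name] = "modified"
        else:
            report[name] = "ok"
    for name in os.listdir(export_dir):
        if name != MANIFEST and name not in report:
            report[name] = "unexpected"  # a file nobody recorded collecting
    return report


def demo():
    """Constructed scenario: export two captures, then alter one byte of the
    second. Returns the verification reports before and after the change."""
    export_dir = tempfile.mkdtemp()
    for name, data in (("cap-0001.cap", b"\x00" * 4096), ("cap-0002.cap", b"\xff" * 2048)):
        with open(os.path.join(export_dir, name), "wb") as f:
            f.write(data)
    write_manifest(export_dir, collector="analyst (constructed identity)")
    before = verify_manifest(export_dir)
    with open(os.path.join(export_dir, "cap-0002.cap"), "r+b") as f:
        f.seek(0)
        f.write(b"\x00")
    after = verify_manifest(export_dir)
    return before, after


if __name__ == "__main__":
    print(demo())
```

A manifest stored beside the files only detects accidental change; for evidence that may be challenged, the manifest itself must be kept where the people who could alter the captures cannot alter it (signed, or held by a second custodian), which this example does not do.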
Phil Hippensteel is an assistant professor of information systems at Penn State University and an industry consultant. Write to him at [email protected].