Solera Networks Adds Network Traffic Classification, Granular Application Awareness

Solera Networks has introduced traffic classification and identification with deep packet inspection, including highly detailed application information and visualized geolocation, to its network analysis platform. Solera OS 5, supporting the DeepSee suite of tools, also features an improved database engine for better performance and dynamic updating of dashboard displays.

Solera is among a handful of vendors that capture, store and analyze all network traffic. These capabilities are generally focused on security, but have considerable value for network operations as well, as they help ops teams determine the cause of network outages and performance issues.

"The goal is to catch an incident before anyone sees a problem, before it impacts a user," says the security administrator for a large government contractor. "But, if there's an incident or a machine is acting slowly, you can immediately go back--we're currently configured to go back a full month--to trace the problem to the point of origin."

This class of tools is designed to literally see everything that goes on across the network and enable enterprises to spot problems and investigate issues quickly. Solera describes its capabilities as network forensics. Forrester Research has labeled it network analysis and visibility (NAV), maintaining it is essential to enforce a "zero trust" approach to enterprise security (trust no one, see everything). Without this ability to capture, store and analyze many terabytes of network data, enterprises have to rely primarily on manual log review and "snapshot " packet capture that doesn't provide historical data and may not "see" malicious activity, such as a botnet "phoning home" to a command-and-control server.

This kind of capability is designed in large part to dramatically reduce time to resolution of security and network incidents, getting business systems back on line and fully functional.Full network analysis and visibility has become increasingly important in the face of what Solera characterizes as next-generation threats, such as Stuxnet, advanced persistent threats (APTs), bots, sophisticated malware and massive insider incidents, such as WikiLeaks.

"Advanced persistent threats is the whole reason to be for network forensics," says Pete Schlampp, Solera VP of marketing and product management. "Once they get on your network, they have multistage and multivector capabilities and can morph identify." Network forensics allow organizations to analyze the changes over time, identify the root causes and remediate.

The new DPI capabilities enable Solera to identify 500 applications, which it organizes into 28 families. Solera says that it extracts some 5,000 descriptive details to support its analysis and reporting. The 5.0 engine automatically generates high levels of detail about applications. For example, previously you had to deconstruct an e-mail message to obtain the address and other information. Now, you can automatically extract information such as sender, recipient, subject line and attachments from Gmail.

The geolocation feature creates visual maps of traffic between IP addresses, enabling operators and analysts to quickly begin to identify and address issues.

"The geolocation piece has increased productivity insanely," says the defense contractor security administrator. "Before, I had to load another tool to trace where the IP was. Now it's all integrated in one." Data can be exported in a file to Google Earth.The new database engine release supports what Solera says is real-time classification of network traffic on an enterprise scale. Solera says that one customer's average network utilization on a one Gbit network produces 36TBytes of data in a month. Dashboard displays are updated dynamically to reflect current traffic or frozen to begin an investigation.

Solera also provides native integration for several products to move from alerts generated into investigations and provide additional data. Current partners include Sourcefire and SonicWALL for IPS; Palo Alto and QOSMOS for DPI/classification; Splunk and ArcSight for SIEM; and lgo management and FireEye for malware analysis.

See more on this topic by subscribing to Network Computing Pro Reports Research: WAN Security (subscription required).