Network Instruments Adds Security Forensics

Observer 12 can retain data about network traffic that can determine the source and time of a security breach.

Network analysis vendor Network Instruments on March 12 launched a new version of its Observer packet capture and analysis line that allows users to see exactly what happened in a security breach.

The Minneapolis company leveraged the ability in its Gigastor network analyzer to capture and retain large amounts of data on actual network traffic to identify security breaches and then determine the source and time of the breaches.

"We added the ability to process data much like an Intrusion Detection System does," said Douglas Smith, CEO of the privately held company. "We can show which systems were attacked and compromised. We can recreate the zero-day situation, which is something you cant to with an IDS."

Smith believes the new capability, which applies Snort rules to the data to determine what happened, is complementary to IDSs and can add a new level of security.

"Snort looks at data and fills in logs, but it doesnt save the data. We take the data we saved [with Gigastor] and process it, so you can look at it along side Snort-style anomalies and intrusions," he said.

/zimages/2/28571.gifTo read more about Observer, click here.

As a part of the Observer 12 rollout, Network Instruments added a new reporting option that aggregates reports from multiple probes for more high-level reporting on network and application activities across an enterprise network. The new Observer Reporting Server, which links to multiple Observer Suite consoles, also allows reports to be grouped by multiple parameters, such as business units, user groups or device types.

"Theres one big bank we do business with that wants to do reporting based on small, medium and large branches," noted Smith.

Also new in Observer 12 is the ability to analyze and report on Multi-Protocol Label Switching networks used most frequently in carrier networks. The MPLS support allows reporting by quality of service, MPLS Tag, application or route.

For enterprise customers, Network Instruments added the ability to track Microsoft Server Message Block traffic and allow users to set alarms on errors. It can also decode and analyze proprietary VOIP (voice over IP) protocols used by Avaya and Nortel Networks.

Observer 12 can now track, monitor and report on IP V6 traffic. "By the end of 2008, 100 percent of all federal agency backbone networks have to be IP V6. We have full IP V6 forensics," said Smith.

Observer 12 is available now, as is the new Observer Reporting Server, which starts at $10,000.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest news, views and analysis on servers, switches and networking protocols for the enterprise and small businesses.