NinjaBox Speeds Packet Capture, Inspection

Endace's NinjaBox network appliance promises 100 percent packet capture.

Packet loss is a common occurrence for most network interface cards, whether theyre LAN or WAN interfaces. However, for certain security or financial services applications, 100 percent packet capture can be a must.

Endace, a small company based in Manukau City, New Zealand, will introduce on June 28 a network appliance that officials claim guarantees 100 percent packet capture and that can be used to boost the performance of intrusion detection systems such as the open-source Snort.

"We guarantee to not miss a packet on the network. We capture 100 percent of the packets on any SONET/SDH [Synchronous Optical Network/Synchronous Digital Hierarchy] or Ethernet network at any speed," said Mike Riley, CEO of Endace.

The NinjaBox Z-series appliance builds on proprietary NICs (network interface cards) that can take network flows coming into Intel-based multicore servers and split them up into smaller pipes, directing smaller portions of the flow to different CPUs in the multicore server. "We can take a big pipe, split it up and send to an Intel core and run whatever application the customer is running, whether its a protocol analysis or intrusion detection application," Riley said.

While he said the "killer apps" for the appliance are security-related, it can also be used for forensics or for high-performance applications such as those used by automated trading systems.

Users at Harvard University working with the Endace NICs said they provide the most efficient processing for Snort intrusion detection, said Bill Terwilliger, senior network security engineer in the University Information Systems Network Operations unit, in Cambridge, Mass.

"Snort is very processor-intensive. When you start using bleeding-edge rules, it requires more processor power because theyre not as efficient. Without the card, wed need four times the number of servers to do the same job," Terwilliger said.

/zimages/1/28571.gifTo read more about Snort and intrusion detection, click here.

The NinjaBox Z-series can allocate network flow traffic across up to eight application instances running in parallel. Applications written to an Intel hardware platform do not need to be altered, and the appliance does not require any configuration change.

Endace, which had marketed its NICs to OEMs that built systems around them, realized that more customers were buying the NICs to better optimize Snort performance.

Although existing protocol analysis products claim 100 percent packet capture, "It depends on how theyre constructed and what part of the network they are used in," Riley said. "Analysis and network monitoring tools deployed in a network tend to operate on a sampled basis. They dont get all the packets all the time."

Full packet capture is a requirement for thwarting attempted network intrusions, Terwilliger said. "One hundred percent packet capture is important. If you miss just one packet in the stream, the Snort process will potentially lose the entire attempt and possibly the event wont trigger."

Intrusion detection is done across the entire Harvard University network, which has some 500,000 IP addresses in it. The Endace NICs allow the Snort IDS infrastructure, which includes 12 systems running 48 Snort processes, to operate at multigigabits per second.

"Being able to handle all the packets gives us the accuracy we need and the speed of the card lets us quickly notify the community when we find compromised machines," said Jay Tumas, network operations manager for Harvards University Information Systems Network Operations group.

The NinjaBox Z-series, which runs on a Gigabit Ethernet link and on a Linux operating system, is available now starting at $15,000.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.