Network Associates Technology Inc. has issued a controlled release of InfiniStream, a Carnivore-like sniffer on steroids that will significantly up the ante for forensic network analyzers when it enters general release.
During eWeek Labs' exclusive test of the latest version, slated for general release in the next quarter, we were impressed with the huge capture storage capacity: a bit more than 2.5 terabytes in a RAID 5 configuration. Equally remarkable was capture at full Gigabit line rate, which we attained using a Gigabit Ethernet link fed from a mirror port on a Summit 48 switch from Extreme Networks Inc.
Security managers charged with investigating high-value network incidents will likely get quite a bit of use out of the product. Aside from the high capture rate and large storage capacity (capabilities that Network Associates gained in its August 2002 acquisition of Traxess Inc.), new replay and analysis features make InfiniStream a tempting tool.
The product is still far from complete, however, which is why Network Associates is keeping the product in limited release.
Our tests showed that the single-Xeon-processor InfiniStream still has some kinks to work out when it comes to processing the tremendous amount of data it captures. In one test scenario, we used the product to search for specific communication between two IP addresses. We systematically shrank the time window of our search because the data mining process ate up huge chunks of time, on the order of 2 minutes to 10 minutes per search.
InfiniStream costs $70,000 for the hardware and data mining console software. A five-license, data reconstruction module (see screen) is also available for $15,000. Annual support contracts start at $4,500 per site and can be enhanced to provide next-day, on-site technician support.
Competitor Sandstorm Enterprises Inc.'s NetIntercept processes captured data offline, building its analysis ahead of time so that searches can be answered quickly. NetIntercept, which costs $29,500 in a dual-processor, 770GB configuration, can automate common tasks, including data analysis that results in reports; storing suspect data for more detailed analysis; and even deleting data, once it has been analyzed, to free disk space. These are all important features, and Network Associates should consider adding offline data analysis capabilities in a future edition of its product.
We were impressed with the large capacity and high capture rate that we saw during tests. The sky-high storage capacity means that with a 5 percent utilization rate on a Gigabit link, the InfiniStream device would be able to store nearly two and a half days' worth of traffic. Retention scales inversely with utilization, and a mirror port that carries both directions of a full-duplex link doubles the capture rate, so sites should size against their own measured traffic rather than a nominal link speed. The device overwrites data using a first-in, first-out rule, which we think makes sense for most users.
Network Associates is open to developing higher-capacity storage devices for customers who want to keep more data available for analysis, company officials said.
The product was easy to install and use in tests; IT departments will have little trouble adding the device to the network.
Based on our work with InfiniStream, we'd be surprised if it took more than a couple of people working part time to become expert users. Part of the reason for the simplicity of use is that Network Associates is encouraging users to tap its Sniffer analysis tools (sold separately) to do in-depth analysis. This shouldn't be a burden because Sniffer tools are already widely used in large enterprises, and IT managers are likely to have several Sniffer experts already on staff.
The data mining and analysis tools included in the version we tested were more than adequate for our rigorous search needs.
Because InfiniStream captures all network packets, we could reassemble and play back every HTTP session and "watch" where we went on the Web. Any instant message session that used the Internet Relay Chat protocol was also caught, and we could play back these messages. We could also play back IP telephone calls set up with Cisco Systems Inc.'s Skinny Client Control Protocol.
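To show what session replay from a full-packet store involves, here is an added Python example; it is not InfiniStream code or any Network Associates tool. It indexes raw Ethernet/IPv4/TCP frames by flow, reassembles the client-to-server TCP stream of one flow despite an out-of-order segment and a retransmission, and pulls the requested host and path out of each HTTP request. The addresses, ports, frames and requests are all constructed sample data.

```python
"""Reconstruct HTTP requests from a full packet capture (added example, constructed data)."""
import struct
from collections import defaultdict

ETH_IPV4 = 0x0800
PROTO_TCP = 6


def ip_to_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_tcp_frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Construct a minimal Ethernet/IPv4/TCP frame. Checksums are left zero: this is test data."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, PROTO_TCP, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return eth + ip + tcp + payload


def parse_tcp_frame(frame):
    """Return (src, sport, dst, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != PROTO_TCP or len(ip) < total_len:      # not TCP, or truncated by the capture
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_offset = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, seq, tcp[data_offset:]


def index_by_flow(frames):
    """Group TCP payload segments by one-directional flow (src, sport, dst, dport).

    This is the per-flow index that makes 'all traffic between A and B' a lookup
    instead of a linear scan over the whole capture store."""
    flows = defaultdict(list)
    for frame in frames:
        parsed = parse_tcp_frame(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, seq, payload = parsed
        if payload:
            flows[(src, sport, dst, dport)].append((seq, payload))
    return flows


def reassemble(segments):
    """Order segments by sequence number, drop retransmitted bytes, stop at the first gap.

    Sequence-number wraparound is ignored for brevity."""
    stream = bytearray()
    expected = None
    for seq, payload in sorted(segments):
        if expected is None:
            expected = seq
        if seq > expected:          # a segment is missing from the capture; never fabricate bytes
            break
        skip = expected - seq       # bytes already in the stream (retransmission / overlap)
        if skip < len(payload):
            stream += payload[skip:]
            expected = seq + len(payload)
    return bytes(stream)


def extract_http_requests(stream):
    """Pull 'METHOD host/path' out of a reassembled client-to-server HTTP/1.x stream.

    Request bodies are not handled; the sample traffic is GET-only."""
    requests = []
    for message in stream.decode("latin-1").split("\r\n\r\n"):
        lines = message.split("\r\n")
        parts = lines[0].split(" ")
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            continue
        host = next((l.split(":", 1)[1].strip() for l in lines[1:] if l.lower().startswith("host:")), "?")
        requests.append(f"{parts[0]} {host}{parts[1]}")
    return requests


def http_requests_between(frames, client_ip, server_ip):
    """Replay every client->server HTTP flow between two hosts and list what was requested."""
    found = []
    for (src, _sport, dst, _dport), segments in index_by_flow(frames).items():
        if src == client_ip and dst == server_ip:
            found.extend(extract_http_requests(reassemble(segments)))
    return found


# --- constructed sample capture: two GETs split across three segments, delivered out of order,
#     with one retransmission, plus an unrelated SSH flow and an ARP frame the parser skips ---
CLIENT, SERVER = "10.0.0.5", "93.184.216.34"
SAMPLE_STREAM = (b"GET /login HTTP/1.1\r\nHost: intranet.example.test\r\n\r\n"
                 b"GET /reports/q3.pdf HTTP/1.1\r\nHost: intranet.example.test\r\n\r\n")
BASE_SEQ = 1000
SAMPLE_FRAMES = [
    build_tcp_frame(CLIENT, SERVER, 40001, 80, BASE_SEQ, SAMPLE_STREAM[:20]),
    build_tcp_frame(CLIENT, SERVER, 40001, 80, BASE_SEQ + 45, SAMPLE_STREAM[45:]),   # arrives early
    build_tcp_frame(CLIENT, SERVER, 40001, 80, BASE_SEQ + 20, SAMPLE_STREAM[20:45]),
    build_tcp_frame(CLIENT, SERVER, 40001, 80, BASE_SEQ, SAMPLE_STREAM[:20]),        # retransmission
    build_tcp_frame("10.0.0.9", "10.0.0.1", 51000, 22, 5000, b"SSH-2.0-OpenSSH_8.9\r\n"),
    b"\xff" * 6 + b"\x00" * 6 + struct.pack("!H", 0x0806) + b"\x00" * 28,            # ARP, not IPv4
]

if __name__ == "__main__":
    for request in http_requests_between(SAMPLE_FRAMES, CLIENT, SERVER):
        print(request)
```

The flow index is what a search "between two IP addresses" should hit first; only the matching flow is then reassembled, which is why an indexed or offline-processed store answers such queries in seconds rather than minutes.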
All this power means that IT managers should be familiar with workplace rules and legislation governing monitoring. It almost goes without saying that employees should be told that their work is monitored and recorded. Notification laws come into play when monitoring voice-over-IP conversations, and IT managers should be fully aware of these requirements when using InfiniStream.
It's likely worthwhile to spend some time with corporate counsel and human resources to ensure that proper notification and use policies are in place.
Of graver operational concern should be the physical and logical security of the InfiniStream device. Our tests showed that the product, if stringent physical security is enforced, is adequately protected from hacking. But because it stores every packet, including any credentials and confidential data that crossed the wire in the clear, InfiniStream could become a juicy target for hackers, and IT managers should ensure that they carefully monitor activity on the box and restrict who can query or export from its capture store.
Physical security is a must because the box has several accessible network and Universal Serial Bus ports, any of which could be used to tamper with the device or copy captured data off it.
Senior Analyst Cameron Sturdevant can be contacted at [email protected]