Given today's commercial threat landscape, network defenses are almost inevitably breached. To support incident investigation, evidence gathering, impact assessment and clean-up, Network Forensics Appliances deliver full-packet recording, in-depth analysis, event reconstruction, visualization and reporting.
In this EnterpriseNetworkingPlanet Network Forensics Appliance buyer's guide, we look at how NIKSUN NetDetector Alpine combines intrusion detection with forensic capture and analysis to create a more holistic network security monitoring appliance. Where traditional network forensics focuses on post-incident investigation, NetDetector Alpine also employs signature and anomaly-based detection to spot attacks in progress.
"We've taken the approach that there's one network," said Dr. Rajesh Talpade, vice president of security products. "So we've built one security monitoring platform that allows very high speed capture of all packets going across that network, handling sustained throughputs approaching 20 Gbps."
To store and navigate large traffic volumes in a scalable manner, NIKSUN developed its own knowledge warehouse, applying patented techniques such as kernel-level load balancing. "NetDetector pulls captured network information out of the warehouse to analyze it," said Talpade. "For example, what traffic flows, sessions and applications are going through the network? Are there any misbehaving users or intrusions?"
To enable the latter, NetDetector uses an integrated IDS engine, driven by NIKSUN-certified signatures, anomaly thresholds and customer rules. But, unlike a dedicated IDS, NetDetector doesn't stop at generating alerts. "You can drill down to recreate application sessions and all of the collateral information surrounding each event," explained Talpade.
"If a rule is triggered, you can ask what target systems did that traffic go to? What was the payload? What did the target do right after the event? What data was exfiltrated as a result? All of this is possible because NIKSUN is capturing all network traffic and providing a platform for performing this kind of forensic analysis," he said.
Under the hood
To deploy that platform, customers install NetDetector Alpine appliances [PDF], ranging from branch office devices to 4U+ data center servers. All are passive sensors, connected to a network tap or switch span port.
- The NetDetector Alpine 3000 series includes the 3110 (stores 1TB) and 3610 (stores 2 to 4TB), capturing traffic on Fast Ethernet and Gigabit Ethernet ports.
- The NetDetector Alpine 4000 series includes the 4210 (stores 3 to 6TB) and 4310 (stores 8 to 16TB), capturing traffic on customized 10GE, OC3 and/or OC12 fiber ports.
- The NetDetector Alpine 8000 series includes the 8610 (stores up to 20TB internally, optionally augmented by external storage), 8610 X (up to 40TB, extensible) and 8610 DC (up to 200TB, extensible), capturing up to 20 Gbps through various interfaces.
NIKSUN works with each customer to assess needs and recommend a number and type(s) of appliances. According to Talpade, customers include government agencies, financial firms and large service providers, with deployments ranging from a few appliances to hundreds.
Each appliance must be installed where it can monitor traffic - usually on a DMZ or WAN uplink. "Larger organizations typically have multiple NetDetectors sprinkled around their network at critical points, all tied together by NetOmni," explained Talpade. NetOmni can centralize data analysis, monitoring/reporting and NetDetector management. "For example, one government [agency] deployed appliances throughout the world to capture traffic locally, with all data analyzed from a NetOmni back in the US."
Enabling forensic analysis
Talpade likens NetDetector's integrated cyber attack detection and analysis to the combination of physical motion sensors and surveillance cameras.
"Even with sensors, [intruders] with malicious intent will inevitably get in; insiders with malicious intent will inevitably sneak something out. Once you [acknowledge] this, the question becomes how do I know when I've had a break-in? How can I identify a breach long before my customers call or it shows up on the front page? NetDetector can [help you] see anything that sneaks in or out your network's back door."
For example, during a zero-day attack, intruders exploit an unknown and thus undetected vulnerability. It may take days or weeks for IDS vendors to develop signatures. "Once you get signatures, you can retroactively run them on captured data [to] determine which systems got compromised last week and the impact of that compromise. You just can't do this with a network firewall and IDS - you need forensics," said Talpade.
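The retroactive workflow described above, as an added illustration that is not NIKSUN code and does not model NetDetector's internals: a signature that arrives after the attack is applied to packets already in the store, and each hit is pivoted into the impact questions from earlier (which hosts were reached, what they then sent outside). The capture, the signature, the EVIL_MARKER pattern and the 10.0.0.0/8 internal range are all constructed for this example.

```python
"""Retroactive signature matching over a capture store, plus a first-cut impact check."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import re
INTERNAL = ip_network("10.0.0.0/8")  # assumed internal range for this example

@dataclass(frozen=True)
class Packet:
    ts: datetime
    src: str
    dst: str
    dport: int
    payload: bytes

@dataclass(frozen=True)
class Signature:
    name: str
    dport: int
    pattern: bytes  # regular expression applied to the payload

# Constructed sample capture, not real traffic: the same request reaches two
# internal hosts; one of them then talks to an external peer shortly after.
T0 = datetime(2024, 1, 8, 9, 0, 0)
CAPTURE = [
    Packet(T0 - timedelta(minutes=1), "10.0.0.5", "198.51.100.3", 443, b"pre-attack traffic"),
    Packet(T0, "203.0.113.7", "10.0.0.5", 80, b"GET /cgi/run?cmd=EVIL_MARKER HTTP/1.1"),
    Packet(T0 + timedelta(seconds=2), "203.0.113.7", "10.0.0.9", 80, b"GET /cgi/run?cmd=EVIL_MARKER HTTP/1.1"),
    Packet(T0 + timedelta(seconds=40), "10.0.0.5", "198.51.100.3", 443, b"\x16\x03\x01" + b"\x00" * 40),
    Packet(T0 + timedelta(minutes=5), "10.0.0.9", "10.0.0.20", 445, b"lateral, stays internal"),
]

def retro_scan(capture, sig):
    """Apply a signature that arrived after the fact to already-captured packets."""
    rx = re.compile(sig.pattern)
    return [p for p in capture if p.dport == sig.dport and rx.search(p.payload)]

def impact(capture, hits, window=timedelta(minutes=10)):
    """For each host that received a hit, total the bytes it sent to external
    peers within `window` after the hit (the 'what left the network' question)."""
    report = {}
    for h in hits:
        sent = report.setdefault(h.dst, {})
        for p in capture:
            if (p.src == h.dst and h.ts < p.ts <= h.ts + window
                    and ip_address(p.dst) not in INTERNAL):
                key = (p.dst, p.dport)
                sent[key] = sent.get(key, 0) + len(p.payload)
    return report
```

With a constructed signature for `cmd=EVIL_MARKER` on port 80, `retro_scan` returns the two inbound hits and `impact` reports 43 bytes from 10.0.0.5 to 198.51.100.3:443 inside the window, while the pre-attack upload (before the hit) and the internal lateral connection (not external) are left out.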
Specifically, NIKSUN not only maintains its own IDS signatures, but partners with third parties like the Microsoft Active Protections Program to update signatures quickly - preferably before vulnerabilities are publicly disclosed. But when zero-day attacks manage to slip through, unusual traffic may still be detected by NIKSUN's Dynamic Application Recognition (DAR) thresholds. Since many attacks are now sent over port 80 to evade IP/port-based thresholds, DAR uses application signatures to assess potential threats carried by both built-in public and customer-specified proprietary protocols. NetDetector can even peer into SSL-encrypted traffic when deployed with an external decryptor or by applying user-uploaded decryption keys.
When suspicious traffic is detected, NetDetector uses its ability to recognize application traffic to reconstruct TCP/UDP and application sessions. For example, DNS reconstruction can be used to quickly diagnose DNS spoofing and DoS attacks often used to penetrate networks before launching more targeted attacks against inside systems.
"We can recreate content across all the application payloads - documents, chat sessions, anything we can see flowing across the wire. Now you have the visibility to do deep-grained network activity monitoring. If you're suspicious about a user, you can see what they're really doing and the data they're sending," explained Talpade. "If you have NetOmni, you [can] sit in one location and get an idea of what's going on across your entire network, performing correlation for events [recorded by] multiple NetDetectors."
Putting NetDetector Alpine to work
To speed delivery, NIKSUN developed multiple reconstruction engines. "Depending upon what the user wants, where they're accessing data from and level of detail required, we can adjust to deliver needed information in the shortest possible time," said Talpade.
"For example, during an investigation into an incident at a particular system, you might be interested in just connections from [only] that system. In that case, all you need is TCP information, such as TCP connection peers, but not a lot of [document] reconstruction," he said.
"But if users reach a point where they want to dig deeper into any of those connections, because exfiltration is suspected, [we can] show all the documents or all documents marked confidential or display other content that requires application payload reconstruction," said Talpade. "NetDetector lets you start at a high level and drill deeper, very quickly, without moving data around the network or using separate systems."
However, there are cases where sharing events or forensic data with other security systems can be helpful. "Take ArcSight, for example. You may have an event in ArcSight - if you click on it, a query can be sent to NetDetector to return information surrounding that event, such as reconstructed sessions and applications. You can also configure NetDetector to send alerts to ArcSight using a published format like SYSLOG," he said.
By integrating IDS with forensic analysis, NIKSUN's NetDetector Alpine is well-positioned to tap rising interest in situational awareness and real-time investigation based on full-packet capture.
Customers already invested in another IDS or IPS may view NetDetector's IDS as duplication, but it is really complementary, passively detecting threats that bypass proactive defenses. NetXpert scripts can even be written to auto-launch event response actions. However, NetDetector Alpine is not an in-line IPS replacement.
Despite NetDetector Alpine's focus on integrated monitoring, NIKSUN's packaging can be a bit confusing. For example, NIKSUN also sells a Full-Function Appliance that combines NetDetector security monitoring with NetVCR performance monitoring. To learn more about NetDetector Alpine and other NIKSUN products, visit this link.