March 2001
NetDetector Version 1.0
by Geoff Marshall

For
NetDetector's main strength is the ease with which huge amounts of stored network traffic can be decoded and analyzed, but because it retains so much history it can also detect in real time many time-delayed attacks that other security products cannot.
Against
Due to its use of Java applets, NetDetector can be controlled and configured using only Netscape Communicator 4.5 or above. However, support for Internet Explorer will be available in a future release.
Verdict
We don't often use the words 'new and exciting' in SC Magazine, but NetDetector deserves this accolade because it has identified a market in which it has no competition - at least for the present. It does not try to replace firewalls or IDS - rather it complements them by providing the tools to investigate a security breach, perhaps long after the event.

NetDetector from U.S. manufacturer NIKSUN (and available in the U.K. from Axial Systems) is described as 'the security camera for the network' and it's a good analogy. Think of your firewalls as the locks and security guards, and the intrusion detection systems (IDS) as being the alarm that detects unauthorized access. But locks, security guards and alarms are fallible, so most companies install security cameras to record who got in and what they did.

This is exactly what NetDetector does - it acts as the security camera. It captures all the network traffic and allows a complete replay of how security was compromised - how the intruders got in, where they went and what they did. NetDetector arms you with the information you need to shut down an attack and stop it from happening again in the future. It also tells you exactly what the hacker accessed, which can help mitigate the damage. In many cases it can identify the source of an attack and provide the evidence needed to bring a prosecution case to court.

NetDetector is designed to provide a second line of defense behind security tools such as firewalls and IDS, which have low transactional throughput levels and must be continually updated against new and emerging attack scenarios. The system provides real-time alarms in the event of a network anomaly and, with its data capture capabilities, it can provide post-event analysis information to reduce the time it takes to identify and recover from a network breach.

NetDetector may be placed behind a firewall to monitor both internal and external access to data (bearing in mind a large proportion of malicious attacks come from internal sources). All data monitoring is non-intrusive and carried out through passive taps and splitters that ensure NetDetector's monitoring of a security breach, whether successful or merely attempted, cannot be identified by a hacker. Nor can NetDetector itself be hacked because it uses passive monitoring and does not need to have an IP address on the network that it is monitoring. It does need to have an IP address for configuration and reporting, but this could be on an isolated subnet that has only one management PC on it.

It is worth noting that NetDetector can also sit outside of the firewall. The odds of a hacker being successful on their first attempt are slim and, by placing NetDetector outside of the firewall, it can collate information on attack attempts and prepare an evidence trail.

The unit can be configured with multiple interfaces, so that a single NetDetector can monitor up to eight network taps simultaneously. Another benefit to companies using NetDetector is its ability to record WAN and LAN traffic at the same time (multi-link PPP with STAC and WCP WAN line decompression is supported). One hundred percent of the data traffic is captured, and the large capacity (from 72 GB) of NetDetector's archive means that even the entry-level product can capture all full-duplex WAN traffic over a 2 Mbps leased line, for example, for at least four days (assuming 50 percent utilization). In fact, there is no upper limit to how much may be captured, as NIKSUN can supply higher capacity disk drives and even tape library storage. This is important because a breach may not be noticed immediately, and it is essential to be able to go back to the time of the breach and replay what happened.

However, it is also important to have the capability to detect network security anomalies as they occur, identifying and helping to prevent such incidents as denial-of-service (DoS) attacks. NetDetector currently has six predefined classes of alert to help prevent damage by system intruders. All alarms are displayed on the console and can be sent out as an email or pager alert - SNMP alarms and pages can also be configured. From the detection and generation of an alert, it is easy to drill down into the data recorded and view a TCP re-assembly of the data.

The six predefined classes of alert are user configurable. For example, the Utilization Threshold lets you specify a network utilization level over a period of time, and might typically be set to send out an alarm if traffic exceeded 70 percent over a five-minute period. You can also generate an alarm if the number of TCP connections per host exceeds a certain figure. The number of host pairs involving a common address might be set to two - this is useful in detecting what could be the beginning of a denial-of-service (DoS) attack. It is also possible to monitor the number of bytes per host pair, which is valuable for spotting large file transfers that might not be normal on your network.

Invalid IP addresses, which would indicate an unauthorized connection from an internal user or external hacker, can also generate alarms. Port scan alarming is designed to identify an intruder scanning port numbers looking for a vulnerable entry point. Although this can be achieved by a standard IDS, the beauty of NetDetector is that it has long-term memory and can identify attempts that use random port-number scanning or time-delayed attacks, which an IDS working from a short window would miss.
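To make the six alert classes from the preceding two paragraphs concrete, here is an added example (not NIKSUN's code) that evaluates them over a handful of constructed flow records; the thresholds, address ranges and the 24-hour scan window are assumed values chosen to match the review's examples, not product defaults. The slow port scan in the sample data is only visible because the rule keeps a day of history, which is the long-term memory point the review makes.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (not captured data): (time_s, src, dst, dst_port, bytes)
FLOWS = [
    (0,     "10.0.0.5",     "10.0.0.9", 80,  20_000_000),
    (60,    "10.0.0.5",     "10.0.0.9", 443, 20_000_000),
    (120,   "10.0.0.5",     "10.0.0.9", 22,  20_000_000),
    (200,   "192.168.77.3", "10.0.0.9", 80,  500),  # outside every allowed range
    (3600,  "198.51.100.7", "10.0.0.9", 21,  400),  # one new port per hour: a
    (7200,  "198.51.100.7", "10.0.0.9", 23,  400),  # per-minute scan rule never
    (10800, "198.51.100.7", "10.0.0.9", 25,  400),  # trips; a day-long window
    (14400, "198.51.100.7", "10.0.0.9", 110, 400),  # (long-term memory) does
]

# Assumed thresholds illustrating the review's examples (70% over five minutes
# on a 2 Mbps link, host-pair limit of two); they are not NIKSUN defaults.
CFG = dict(link_bps=2_000_000, util_window_s=300, util_pct=70,
           conns_per_host=3, peers_per_host=2, bytes_per_pair=50_000_000,
           allowed=[ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")],
           scan_window_s=86_400, scan_ports=4)

def evaluate_alerts(flows, cfg):
    """Return {alert_class: [details]} for the six alert classes."""
    alerts = {k: [] for k in ("utilization", "connections", "host_pairs",
                              "bytes_per_pair", "invalid_ip", "port_scan")}
    win_bits, conns, peers = defaultdict(int), defaultdict(int), defaultdict(set)
    pair_bytes, ports_seen = defaultdict(int), defaultdict(set)
    for t, src, dst, port, nbytes in flows:
        win_bits[t // cfg["util_window_s"]] += nbytes * 8
        conns[src] += 1                      # TCP connections per host
        peers[src].add(dst)                  # host pairs involving a common address
        peers[dst].add(src)
        pair_bytes[(src, dst)] += nbytes     # bytes per host pair
        ports_seen[(src, dst, t // cfg["scan_window_s"])].add(port)
        for ip in (src, dst):                # invalid (unexpected) addresses
            if not any(ip_address(ip) in net for net in cfg["allowed"]):
                alerts["invalid_ip"].append(ip)
    capacity = cfg["link_bps"] * cfg["util_window_s"]   # bits per window
    for w, bits in sorted(win_bits.items()):
        pct = 100 * bits / capacity
        if pct > cfg["util_pct"]:
            alerts["utilization"].append((w * cfg["util_window_s"], round(pct, 1)))
    alerts["connections"] = [h for h, n in conns.items() if n > cfg["conns_per_host"]]
    alerts["host_pairs"] = [h for h, p in peers.items() if len(p) > cfg["peers_per_host"]]
    alerts["bytes_per_pair"] = [p for p, b in pair_bytes.items() if b > cfg["bytes_per_pair"]]
    alerts["port_scan"] = [(s, d) for (s, d, _), ports in ports_seen.items()
                           if len(ports) >= cfg["scan_ports"]]
    return alerts
```

Running it on the sample data fires one alarm in each class; the three 20 MB transfers put the first five-minute window at 80 percent of the 2 Mbps link, and the hourly probes from 198.51.100.7 only accumulate to a scan because the rule remembers a whole day.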

The real advantage of NetDetector is the ease with which you can drill down and analyze the huge amounts of data that it records. From the simple drill-down screens, it is easy to analyze packet-level data of the events leading up to an incident and the detailed traffic of the incident itself. All information can be archived either internally or externally, and can also be replayed in its original format via the Ethernet port for further analysis, or to test whether a network vulnerability has been fixed.
Contact Information:
North America:
Version 1.0
NIKSUN, Inc.
from $20,000
(732) 821-5000
sales@niksun.com
www.niksun.com

UK/Europe:
Version 1.0
NIKSUN Inc
www.niksun.com
Distributor: Axial Systems
from £12,000
+44 (0)1 628 418000
sales@axial.co.uk
www.axial.co.uk

Copyright © 2001 West Coast Publishing. All rights reserved.