NAI goes forensic with InfiniStream

A forensic security tool from network security company Network Associates' Sniffer Technologies unit gives network administrators the ability to capture and replay security breaches as they occur, identifying the source and cause of network security problems.

InfiniStream captures all of a network's traffic and stores that information on a hardware device called a "capture engine".

A stripped-down Linux appliance outfitted with Raid 5 (Redundant Array of Independent Disks) storage, the Capture Engine stores up to 2.8 Tbytes of network traffic and can digest a wide range of streams including e-mail, web, File Transfer Protocol, Internet Relay Chat and voice-over-IP traffic, said Chris Thompson, vice-president of marketing at NAI.

The hefty storage allows the Capture Engine to hold up to two and a half days of network traffic on a 5% loaded full-duplex gigabit network.

As a result, administrators can capture and investigate security breaches that occur over the weekend - such as the recent Slammer outbreak - even if they do not realise that an attack has happened until Monday morning.

Old network traffic data is overwritten by newer information once the Engine's Raid disks are full.
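The retention figures above can be checked with a small calculator. The code below is an added example, not NAI code: it assumes decimal terabytes and no capture-header or indexing overhead, and extends the article's single data point (5% load on full-duplex gigabit) to a range of link utilisations, which shows how quickly a fixed-size rolling buffer loses history as traffic grows.

```python
"""Retention estimate for a full-packet-capture rolling buffer.

Added example (not NAI code). Assumes decimal terabytes and ignores capture
headers and indexing overhead, which in practice shorten retention further.
"""

TB = 10**12            # decimal terabyte, the convention used in the article
SECONDS_PER_DAY = 86_400


def capture_rate_bytes_per_sec(link_bps: float, utilisation: float,
                               full_duplex: bool = True) -> float:
    """Bytes per second written to disk for a tap on the given link.

    A full-duplex link carries traffic in both directions, so the capture
    engine sees up to twice the nominal link rate.
    """
    directions = 2 if full_duplex else 1
    return link_bps * directions * utilisation / 8


def retention_days(storage_bytes: float, link_bps: float,
                   utilisation: float, full_duplex: bool = True) -> float:
    """Days of traffic the buffer holds before the oldest data is overwritten."""
    rate = capture_rate_bytes_per_sec(link_bps, utilisation, full_duplex)
    return storage_bytes / rate / SECONDS_PER_DAY


def retention_table(storage_bytes: float, link_bps: float,
                    utilisations=(0.05, 0.10, 0.25, 0.50, 1.0)) -> dict:
    """Retention in days at each utilisation level, for capacity planning."""
    return {u: retention_days(storage_bytes, link_bps, u) for u in utilisations}


if __name__ == "__main__":
    # The article's appliance: 2.8 Tbytes on a gigabit full-duplex link.
    for util, days in retention_table(2.8 * TB, 1e9).items():
        print(f"{util:>4.0%} load: {days * 24:6.1f} hours ({days:.2f} days)")
```

At 5% load the buffer covers roughly two and a half days, matching the article; at 50% load the same disks hold only about six hours, so a weekend incident would already be overwritten by Monday.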

Two InfiniStream software applications, the "mining console" and the "reconstruction/replay software", help administrators make sense of the stored data and allow them to locate and reconstruct attacks.

The mining console serves as the main user interface for the product, allowing administrators to manage one or more capture engines and search out network traffic based on traffic type, origin IP address, destination IP address, or time. 

The reconstruction/replay software is used to recreate and delve into network events and security breaches.

In the case of a virus, for example, the mining console could identify the time when the e-mail carrying the virus arrived on the corporate messaging server.

The reconstruction/replay software could then be used to retrieve the actual e-mail message from the data stored on the capture engine. Administrators could see both the e-mail message and its file attachment and download the malicious attachment to a desktop or secure location for further analysis and identification.

InfiniStream will be sold as an alternative to more application-specific forensic tools and as a solution for network and security administrators who want comprehensive intelligence about security threats at the network core, as well as at the gateway.

Administrators could reconstruct an employee's web browsing session to determine whether or not the employee intentionally violated a company policy about visiting adult websites.

Despite the fact that the device will not actually defend against viruses or hackers, InfiniStream will bridge a gap that exists between the worlds of network and security management, according to Paul Bugala, a senior analyst at IDC.

Pricing for InfiniStream starts at $85,000 (£52,531) for one capture engine and the two software applications. The product is being marketed to service providers as well as government, law enforcement and financial services companies, according to NAI.

The product is available to some NAI customers immediately as part of a "controlled release". However, InfiniStream will not be generally available until the third quarter of 2003.