1. What is network forensics?
  2. What is the value of having a record of all network activity?
  3. How fast can the Solera DS Appliances record and index network traffic?
  4. Where does a Solera DS appliance fit in my network?
  5. How do I get access to the traffic and artifacts captured by the DS Appliance?
  6. What applications work with the Solera DS appliance?
  7. How long does the Solera DS appliance store the network packets it captures?
  8. How many capture interfaces can the Solera DS Appliance support?
  9. Can I apply filters or policies to limit what traffic will be captured?
  10. Can I just buy the Solera DS capture software and not the appliance?
  11. Do the Solera DS Appliances support wireless networks?
  12. Are Solera DS Appliances detectable on my network?
  13. Is there a fail over or backup system?
  14. Is it possible to capture at data rates exceeding the Solera DS Appliance rated speed?
  15. While investigating, searching, replaying network traffic, is the Solera DS Appliance continuing to capture?
  16. Is directory integration available (LDAP, AD, etc)?
  17. How is encrypted traffic managed?
  18. What is the current storage limit for Solera DS Appliances?
  19. Can I capture on multiple capture ports?
  20. Can I replay captured network traffic?
  21. Is there a cost for the DeepSee Applications software?
  22. As the oldest data is overwritten with the newest data, is there an option to make specific data persistent and protect it from being overwritten?
  23. Are there alerts or notification around system functions (disk drive failures, power supplies, etc)?
  24. Can I replay audio from VoIP traffic?
  25. Is the console available as an application or is it web-based?
  26. Does the Solera DS Appliance block any network traffic?
  27. Maintenance & Support, what is included?

1. What is network forensics?

Active network forensics makes all network data flows instantly visible and replayable, enabling administrators to detect the full source, scope and context of any network security event and protect the network against further attack. Combining high-speed data capture, indexed storage, and comprehensive analysis tools, active network forensics is analogous to putting a security camera on your network. Doing so instantly exposes any specific network event, making even the most sophisticated and targeted network attacks plainly visible.

2. What is the value of having a record of all network activity?

Today, network analysis tools are plentiful, but all rely on a sampling of data. You either analyze a sampling of data and hope to find the root cause of a problem, or you have to know just what to look for while you are analyzing the live, active traffic. Too often, you don’t know what to look for until after the traffic has already passed over your network. Having a complete record of your network traffic allows you to perform filtering, analysis and forensics to uncover the root cause of a problem.

Astute organizations now understand the need to shift resources from a simple “prevention” mode to a complete detection and remediation system. After all, the worst attacks are the ones you never know about.

Active network forensics levels the playing field by allowing network administrators to “see” attacks, understand their root cause, and then configure the network to prevent their recurrence. Unlike slow, simple network data capture devices that require tedious analysis of sampled data by skilled security administrators, Solera Networks’ active network forensics appliances enable effective interrogation of any event. They capture everything at speeds up to 10 Gbps, can isolate specific events and assemble a complete picture of what occurred, and so enable a swift and effective response by network personnel, even those with only modest security skills.

3. How fast can the Solera DS Appliances record and index network traffic?

Solera Networks DS Appliances can capture, index and store traffic at a sustained rate of 5.0 Gbps of iMix traffic (peak rate up to 10 Gbps). Sustained iMix capture performance is measured with a mix of packet sizes averaging 422 bytes, which at 5 Gbps is roughly 1.5 million packets per second, while capturing 99.9999% of all packets on a continuous basis. This is a worst-case test, and users should expect better performance in regular use.

4. Where does a Solera DS Appliance fit in my network?

A Solera DS appliance can be added to your network in a number of ways:

  • To a SPAN (mirror) port on a switch or router. Configure which traffic the SPAN session should copy, then connect the DS Appliance directly to the SPAN destination port. Note that a SPAN session mirroring several busy source ports can oversubscribe the destination port, and an oversubscribed SPAN port drops frames silently; a tap avoids this.
  • On a fiber link, via an optical splitter (a passive tap) spliced into the fiber path.
  • For smaller networks, via a “hub” (not a switch), so that all traffic on the hub is visible to the DS Appliance.
  • In certain environments it may be preferable to use several appliances: one in the DMZ, others on critical subnets, or configured by policy to capture specific traffic (such as VoIP).
  • Deployment can be either a hardened appliance specifically designed for very fast capture rates, or the Solera Networks Virtual Appliance, which can be deployed on any server platform supported by VMware™.

5. How do I get access to the traffic and artifacts captured and indexed by the Solera DS Appliance?

The captured network packets can be viewed in three different ways:

  • Traditional file utilities can read the captured packets through the virtual file system (VFS) as industry-standard libpcap (tcpdump) format files.
  • You can retransmit (regenerate) the captured data onto an external network segment, using the regeneration utility or the Solera web administration interface.
  • Solera DeepSee® reassembles the actual artifacts (files) from the raw packets so that they can be viewed in their native applications. Treat reconstructed artifacts as untrusted: anything carved from a suspect session may be malicious, so open it in an isolated analysis environment rather than on an analyst's workstation.

6. What applications work with the Solera DS appliance?

Since the DS Appliance uses open, industry-standard formats (pcap files and virtual Ethernet devices) for access to captured data, all commercial, custom and open-source applications that support these formats work without modification. DS Appliances also include an open REST-based API that allows you to integrate with any security tool that delivers network or security alert data. Current integrations include Splunk, Palo Alto Networks, Sourcefire, FireEye, ArcSight, and SonicWALL. Solera Networks also offers the Universal Connector for Firefox, which provides integration with any other security or network tool that can be managed through Firefox.

7. How long does the Solera DS appliance store the network packets it captures?

The DS Appliance uses a least-recently-used (LRU) storage method: when the storage of the DS Appliance is full, space is made for new packets by removing the oldest captured packets. The result is a rolling “window” of captured network traffic.

The amount of network traffic you can store depends on the volume (speed) of your network traffic, how much of it you decide to capture (you may filter and capture only a portion), and the amount of available storage. With an entry-level Solera Networks appliance with 3 TB of storage you may retain a few hours of traffic on a busy link; by capturing only a portion of your traffic on an appliance with more storage you may retain a month's worth. As a rule of thumb, retention is storage capacity divided by the captured bit rate: 3 TB at a sustained 1 Gbps is about 6.7 hours. The Solera DS 5200 has 16 TB of on-board storage dedicated to capture. If you add external storage, you are limited only by the storage you have available.

8. How many capture interfaces can the Solera DS Appliance support?

The answer depends on the particular DS appliance. The entry-level DS 1200 includes four 10/100/1000 copper Ethernet ports or four 1 Gb fiber interfaces. The DS 5200 has two 10 Gb fiber ports and four 10/100/1000 copper Ethernet ports. Other product configurations and details on capture interfaces are available at: www.soleranetworks.com/products/product-comparison.php

9. Can I apply filters or policies to limit what traffic will be captured?

Yes. Packets can be filtered on IPv4 or IPv6 addresses, MAC addresses, protocols, ports, port ranges, networks, and pattern matching. Filtering can be applied as data is being captured (ingress) or after the fact during playback (egress). Bear in mind that an ingress filter is irreversible: whatever it excludes is never written to disk, so limit ingress filtering to traffic you are certain you will never need and do the selective work on egress.

10. Can I just buy the Solera DS capture software and not the appliance?

Solera Networks delivers its high capture speeds through the combination of DS capture software and commodity hardware selected for optimal performance. While the combined software and hardware solution performs best, customers also have the option to deploy the software as a virtual appliance through a VMware™ image.

11. Do Solera DS Appliances support wireless networks?

Yes. Solera DS Appliances generally sit at a central point and record all traffic that crosses that switch or hub, including wireless traffic once it has been bridged onto the wired network at that point. What is recorded is the wired form of that traffic; 802.11 management frames and radio-layer information never reach a wired capture point.

12. Are Solera DS Appliances detectable on my network?

Solera DS Appliances can be fed from a network mirror (SPAN port) or a network tap, and the capture interfaces can be configured without an IP address, so the appliance sits undetected on the monitored network. Management access (the web console and CLI) still needs an address, so place it on a restricted management network rather than on the monitored segment.

13. Is there a fail over or backup system?

Each appliance is provided with dual power supplies and redundant storage (RAID 5, except on the DS 1200). Optionally, a network tap or optimizer can be used to distribute identical traffic to multiple Solera DS Appliances.

14. Is it possible to capture at data rates exceeding the Solera DS Appliance rated speed?

Yes. Using a network tap or optimizer in a load-balancing configuration, traffic can be split and directed to two or more capture devices, which in principle multiplies the aggregate capture rate by the number of Solera appliances used. For session reconstruction to work, the balancer should distribute by flow so that both directions of a conversation land on the same appliance. Data from all appliances can be accessed through the single console user interface of the Solera Networks C200 Central Management Console (available May 2011).

15. While investigating, searching, replaying network traffic, is the Solera DS Appliance continuing to capture?

Yes. Some actions use more CPU and system memory than others, but the Solera DS Appliances are designed and configured to handle capture and investigation simultaneously.

16. Is directory integration available (LDAP, AD, etc)?

Yes, Solera Networks currently supports Active Directory and LDAP services.

17. How is encrypted traffic managed?

Encrypted traffic is handled like all other traffic: it is captured in its native form and not modified, so the session endpoints, timing and volumes are recorded but the payload stays opaque. You have the option of decrypting the traffic before recording using an appliance from our partner Netronome (www.ssl-inspector.com). The SSL Inspector Appliance lets Solera Networks appliances capture SSL traffic unencrypted. Once that is done, the capture store holds the cleartext of what was encrypted on the wire, so access to the appliance and to exported .pcap files must be controlled accordingly.

18. What is the current storage limit for Solera DS Appliances?

Solera DS Storage direct attached storage:

The H200 Series Head-end Appliances can connect to 200 TB of redundant disk space (RAID 5, direct attached storage). This configuration requires one H200/H202 and twelve Solera DS Storage Units. Each DS Storage Unit provides 24 TB of raw storage (20 TB after RAID 5). Two of the twelve storage units are used for index and summary data; the remaining ten provide capture storage (200 TB in total).

SAN Storage:
Using an H200 Series Head-end Appliance with a qualified SAN, the current storage limit is 500TB.

Load Balancing:
Using multiple appliances in a load-balanced configuration increases storage capacity by the number of identical capture appliance/storage configurations in use. Data from multiple appliances can be accessed through the single console user interface of the Solera Networks C200 Central Management Console (available May 2011).

19. Can I capture on multiple capture ports?

Yes, you can capture on multiple ports. If you need to capture on more ports than are available on your appliance, we recommend using network taps or an optimizer to aggregate the traffic before sending it to the Solera appliance where possible.

20. Can I replay captured network traffic?

Yes. Captured traffic can be replayed or exported as a .pcap file for further analysis. Replay can be paced to various network speeds (10 Mbps, 100 Mbps, 1 Gbps, etc.) and filtered (timespan, source IP, destination IP, port, protocol, MAC address, VLAN, etc.). The Solera DS Appliance can also replay traffic to an external device immediately after capture (near real time), with filter options expressed as standard Berkeley Packet Filter (BPF) expressions. Replay re-injects the original frames, including any malicious payload they carried, so replay onto an isolated analysis segment, never onto a production network.

21. Is there a cost for the DeepSee Applications software?

The DeepSee Applications are provided with each Solera DS Appliance at no additional cost.

22. As the oldest data is overwritten with the newest data, is there an option to make specific data persistent and protect it from being overwritten?

Yes. You may export the packets of interest to .pcap files and store them elsewhere for later analysis. For evidential use, record a cryptographic hash (for example SHA-256) of each exported file at export time so that its integrity can be verified later.
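
The libpcap export (question 5), the host/port/protocol filtering of questions 9 and 20, and the “save a slice to its own .pcap” step described here can be exercised end to end with a short script. The following is an added example written for this page, not Solera Networks code and not an interface of the DS Appliance: it parses a classic libpcap file with the length checks a careful tool should apply, decodes the Ethernet/IPv4/TCP-UDP headers, applies an AND-ed host/protocol/port filter equivalent to a BPF expression such as `host 10.0.0.5 and tcp and port 443`, and writes the matching packets back out as a stand-alone .pcap. The five-packet capture it runs against is constructed inline; the addresses, ports and timestamps in it are invented sample data.

```python
import struct
from typing import List, Optional, Tuple

# Added example, not Solera Networks code; every packet below is constructed.
PCAP_MAGIC_LE = 0xA1B2C3D4       # classic libpcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17
Record = Tuple[int, int, bytes]  # (ts_sec, ts_usec, frame bytes as captured)


def read_pcap(data: bytes) -> Tuple[int, List[Record]]:
    """Parse a classic libpcap file into (linktype, records). Every length is
    checked against the file, so a truncated or foreign export is rejected here
    instead of being misparsed by whatever tool is pointed at it next."""
    if len(data) < 24:
        raise ValueError("short pcap global header")
    magic, vmaj, vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC_LE or (vmaj, vmin) != (2, 4):
        raise ValueError("not a little-endian libpcap 2.4 file")
    records: List[Record] = []
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or incl_len > orig_len or off + incl_len > len(data):
            raise ValueError("bad record length at offset %d" % off)
        records.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return linktype, records


def write_pcap(records: List[Record], linktype: int = LINKTYPE_ETHERNET, snaplen: int = 65535) -> bytes:
    """Serialise records into a stand-alone libpcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, frame in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def decode(frame: bytes) -> dict:
    """Ethernet -> IPv4 -> TCP/UDP ports. Non-IPv4 frames yield only 'ethertype'."""
    if len(frame) < 14:
        return {}
    info = {"ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] != ETHERTYPE_IPV4 or len(frame) < 34:
        return info
    ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length in bytes
    info["proto"] = frame[23]                     # protocol field (IP header offset 9)
    info["src"] = ".".join(map(str, frame[26:30]))
    info["dst"] = ".".join(map(str, frame[30:34]))
    l4 = 14 + ihl
    if info["proto"] in (IPPROTO_TCP, IPPROTO_UDP) and len(frame) >= l4 + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return info


def matches(info: dict, host: Optional[str] = None, proto: Optional[int] = None,
            port: Optional[int] = None) -> bool:
    """AND of the given criteria, like BPF 'host H and tcp and port P'; host and
    port match either direction of the conversation."""
    if proto is not None and info.get("proto") != proto:
        return False
    if host is not None and host not in (info.get("src"), info.get("dst")):
        return False
    if port is not None and port not in (info.get("sport"), info.get("dport")):
        return False
    return True


def extract(data: bytes, **criteria) -> bytes:
    """Read -> filter -> write: a self-contained .pcap of just the packets of
    interest, ready to be copied off-box before the capture buffer wraps."""
    linktype, records = read_pcap(data)
    return write_pcap([r for r in records if matches(decode(r[2]), **criteria)], linktype)


def _frame(src: str, dst: str, proto: int, sport: int, dport: int) -> bytes:
    """Constructed Ethernet/IPv4 frame with a zeroed TCP (20 B) or UDP (8 B) header
    and no checksums: demo input only, not a real packet."""
    eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * (16 if proto == IPPROTO_TCP else 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + l4


# Constructed five-packet capture: an HTTPS exchange, an HTTP request, a DNS query, an ARP frame.
SAMPLE_CAPTURE = write_pcap([
    (1300000000, 0,    _frame("10.0.0.5", "198.51.100.7", IPPROTO_TCP, 51000, 443)),
    (1300000000, 1500, _frame("10.0.0.9", "198.51.100.7", IPPROTO_TCP, 51001, 80)),
    (1300000001, 0,    _frame("198.51.100.7", "10.0.0.5", IPPROTO_TCP, 443, 51000)),
    (1300000001, 200,  _frame("10.0.0.5", "10.0.0.53", IPPROTO_UDP, 40000, 53)),
    (1300000002, 0,    b"\xff" * 6 + bytes.fromhex("001122334455") + struct.pack("!H", 0x0806) + b"\x00" * 28),
])

if __name__ == "__main__":
    subset = extract(SAMPLE_CAPTURE, host="10.0.0.5", proto=IPPROTO_TCP, port=443)
    print("kept %d of %d packets" % (len(read_pcap(subset)[1]), len(read_pcap(SAMPLE_CAPTURE)[1])))
    with open("host-10.0.0.5-tcp443.pcap", "wb") as fh:  # the persistent copy
        fh.write(subset)
```

To carve an incident window from a real export, pass the bytes of a file read from the appliance VFS to `extract()` in place of `SAMPLE_CAPTURE`; the strict header and length checks in `read_pcap()` will refuse a truncated copy rather than hand a partial file to the next tool. Hash the resulting file and record the hash before it leaves the appliance, because the rolling buffer will eventually overwrite the packets it was carved from.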

23. Are there alerts or notification around system functions (disk drive failures, power supplies, etc)?

Yes. The DS Appliances deliver alerts relating to system performance.

24. Can I replay audio from VoIP traffic?

Solera Networks appliances can replay or export captured VoIP traffic for analysis using tools that reconstruct VoIP sessions.

25. Is the console available as an application or is it web-based?

The Solera Networks console is accessed via a web browser; Internet Explorer and Firefox are fully supported. Appliance functions and captured data are also available through the command-line interface (CLI).

26. Does the Solera DS Appliance block any network traffic?

Solera DS Appliances are designed to capture data passively on the network. Solera Networks partners with other technologies that specialize in detecting “known” events and acting on them in some form (blocking, redirecting, quarantining, etc.).

27. Maintenance & Support, what is included?

Refer to the support section of our website.

Customer Quotes

“There are experts who have tested, used and proven the effectiveness of the open source tools, not to mention the fact that they work seamlessly with Solera Networks.”

University CSO,
Major Eastern US University

“The speed with which we respond to events now will more than pay for the cost of this device.”

Team Leader
 Communication Team,
Major Cloud-based Software Provider

“We were interested in the device because it has deep packet capture and playback capabilities and fits so seamlessly with our analysis tools.”

Information Security Engineer,
Global Health Product Manufacturer

“We more than paid for the Appliance in the first week of use.”

Senior Design Engineer,
Global Aerospace and Transportation Manufacturer

“Using the Solera Networks Appliance has saved our company well over 7 figures.”

CSO,
Fortune 100 Financial Management and Equity Firm

“…It gives us the ability to look at the past in the minutest detail.”

Security Analyst,
Major US University

“This is the most valuable tool we have seen for network forensics. …We have an ‘all-seeing-eye’ into our network. We know what has happened and what is happening.”

Security Analyst,
Major US University