1. What is network forensics?
Network forensics is the capture, storage, and analysis of network data to find the root cause of a network security event or other problem. The term borrows from the legal and criminology fields, where "forensics" is defined as "the use of science and technology to investigate and establish facts in criminal or civil courts of law." In a network, it means using capture tools to record network activity, so that a user can determine the scope of a network event and has the evidence and facts needed to remedy it.
2. What is the value of continuous deep packet capture and active network forensics?
Today, network analysis tools are plentiful, but all rely on a sampling of data. You either analyze a sample of the data and hope it contains the root cause of the problem, or you have to know what to look for while the traffic is live. Too often, you don't know what to look for until after the traffic has already passed through your network. Having a complete record of your network traffic allows you to filter it, analyze it, and perform forensics on it to uncover the root cause of a problem. Network forensics gives you that complete record and enables your analysis and forensics tools to deliver an accurate report rather than a guess derived from a mere sample of the data. You can better identify weak points in your network and determine where sensitive data is being siphoned off, perform behavioral analytics on your network and improve the quality of your business intelligence, and reconstruct any portion of your network traffic to obtain evidentiary proof of network misuse or unapproved behavior.
3. How fast can the Solera DS appliances capture and stream-to-storage network traffic?
Solera Networks DS network forensics appliances can capture at sustained rates of 10Gbps without packet loss.
4. Where does a Solera DS appliance fit in my network?
A Solera DS appliance can be added to your network in a number of ways:
- Connect a DS appliance to a SPAN (mirror) port on a router. Configure the SPAN port to mirror the traffic you wish to see, then connect the DS appliance directly to that port.
- Install a DS appliance in-line on a fiber network by splicing in an optical splitter (tap).
- For smaller networks, install the DS appliance on a "hub" (not a switch) so that all traffic on the hub is visible to the appliance.
- In certain environments it may be preferable to use several appliances: one in the DMZ, others on critical subnets, or some configured by policy to capture specific traffic (such as VoIP).
- Deployment can be either through a hardened appliance specifically designed for very fast capture rates, or through the Solera Networks Virtual Appliance, which can be deployed on any server platform supported by VMware™.
5. How do I get access to the traffic (packets) captured by the Solera DS appliance?
The Solera DeepSee Forensics Suite is the key to unlocking captured network traffic to find real answers. The suite lets you search through your traffic the way you search the web and navigate through it the way you navigate the files on your computer. DeepSee can index, search, and reconstruct all network traffic into meaningful flows, including network artifacts, so in-depth packet analysis skills are not needed to uncover and replay meaningful network activity. The suite also lets you see who or what is using the most bandwidth on the network and pinpoint any anomaly. DeepSee Forensics suite includes:
There are three additional ways to access the traffic:
- Standard file utilities can read the captured packets through the virtual file system (VFS), which presents them as industry-standard libpcap (tcpdump) format files.
- You can configure one of the "virtual interface devices" that come with the DS appliance. For instance, you can configure a virtual interface to be a merge of all captured packets and have your application open and read from that device.
- You can retransmit or regenerate the captured data onto external network segments, using either the regeneration utility or the Solera Web Console interface.
6. What applications work with the Solera DS appliance?
Because the DS appliance uses open, industry-standard formats (PCAP files and virtual Ethernet devices) for access to captured data, any commercial, custom, or open-source application that supports these formats works without modification. Numerous third-party applications are available to analyze captured traffic.
7. How long does the Solera DS appliance store the network packets it captures?
The DS appliance uses a least-recently-used (LRU) storage scheme. In other words, when the appliance's storage is full, space is made for new packets by deleting the least-recently-used packets. In this way you get a "window" of time for packet storage.
The amount of history you can store depends on the volume of your network traffic, how much of it you decide to capture (you may filter and capture only a portion of your traffic), and the amount of available storage. You may capture a few hours of traffic on an entry-level Solera Networks appliance with 1.5 TB of storage, or a month's worth if you choose to capture only a portion of your traffic and have more storage capacity on your appliance. The Solera DS 5160 has 16 TB of storage. If you choose to keep your traffic history on external storage, you are limited only by the amount of storage you have.
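The sizing rule above is easy to get wrong when filtering and link load are mixed up, so the following added example (not Solera code) turns it into a function and simulates the storage window. For a write-once capture store, "least-recently-used" amounts to evicting the oldest captured data first, which is what the `CaptureStore` class models. The 1.5 TB and 16 TB figures come from this page; the 1000 Mbps link load, the 10% capture fraction and the class and function names are assumptions for the example.

```python
from collections import deque

# Added example, not Solera code: sizing the retention window of a
# fixed-capacity capture store and simulating its oldest-first eviction.
TB = 10**12


def retention_window_hours(storage_bytes: float, avg_mbps: float,
                           capture_fraction: float = 1.0) -> float:
    """Hours of history a full store holds at steady state.

    avg_mbps is the average load on the monitored link in megabits per second;
    capture_fraction is the share of that traffic kept after ingress filtering.
    (Both are inputs you must measure on your own network; assumed here.)
    """
    captured_bytes_per_s = avg_mbps * 1e6 / 8 * capture_fraction
    return storage_bytes / captured_bytes_per_s / 3600


class CaptureStore:
    """Fixed-capacity packet store: when full, the oldest captured data is
    evicted to make room for new packets, so the retained data forms a
    sliding time window."""

    def __init__(self, capacity_bytes: int):
        self.capacity = capacity_bytes
        self.used = 0
        self.evicted = 0
        self._chunks: deque = deque()   # (timestamp, size); oldest at the left

    def write(self, ts: float, nbytes: int) -> None:
        """Store nbytes captured at time ts, evicting oldest chunks as needed."""
        if nbytes > self.capacity:
            raise ValueError("single write larger than the whole store")
        while self._chunks and self.used + nbytes > self.capacity:
            _old_ts, old_size = self._chunks.popleft()
            self.used -= old_size
            self.evicted += 1
        self._chunks.append((ts, nbytes))
        self.used += nbytes

    def oldest_ts(self):
        """Timestamp of the oldest data still retained (None when empty)."""
        return self._chunks[0][0] if self._chunks else None

    def window_seconds(self) -> float:
        """Span between the oldest and newest retained timestamps."""
        if not self._chunks:
            return 0.0
        return self._chunks[-1][0] - self._chunks[0][0]


def simulate(capacity_bytes: int, bytes_per_second: int, seconds: int) -> CaptureStore:
    """Write one second of constant-rate traffic per tick; return the store."""
    store = CaptureStore(capacity_bytes)
    for t in range(seconds):
        store.write(float(t), bytes_per_second)
    return store


if __name__ == "__main__":
    # Assumed 1 Gbps average load: an unfiltered 1.5 TB store holds a few hours,
    # a 16 TB store keeping 10% of the traffic holds a couple of weeks.
    print(f"1.5 TB, 1 Gbps, 100%: {retention_window_hours(1.5 * TB, 1000):.1f} h")
    print(f"16 TB, 1 Gbps, 10%:   {retention_window_hours(16 * TB, 1000, 0.1):.1f} h")
    s = simulate(10_000, 1_000, 30)
    print(f"store holds {s.used} bytes from t={s.oldest_ts()} ({s.window_seconds()} s window)")
```

The two numbers worth taking away are that the window scales linearly with storage and inversely with the captured byte rate, so an ingress filter that drops bulk traffic you will never investigate (backups, for example) buys as much history as adding disks.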
8. How many capture interfaces can the Solera DS appliance support?
The answer depends on the particular DS appliance. The entry-level DS 1160 includes a 4-port 10/100/1000 copper or a 4-port 1000Base-SX Ethernet card. The DS 5160 has a 2-port 10 Gb fiber card.
9. Can I apply filters or policies to limit what traffic will be captured?
Yes. Packets can be filtered by IPv4 or IPv6 address, MAC address, protocol, port, port range, network, and pattern matching. Filtering can be applied as data is being captured (ingress) or after the fact during playback (egress).
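To show what the libpcap files exposed through the VFS (question 5) contain and how the egress filter criteria listed above are applied to them, here is an added example, not Solera code: a minimal reader for little-endian pcap files, an Ethernet/IPv4/TCP decoder, and a predicate that combines host, network, protocol, port-range and payload-pattern criteria. The sample capture is constructed inline (three TCP segments with zero checksums, using documentation and private address ranges); all function names are the example's own.

```python
import ipaddress
import re
import struct

# Added example, not Solera code: read libpcap records, decode the headers
# needed for filtering, and apply egress-style filter criteria.
PCAP_MAGIC = 0xA1B2C3D4          # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {6: "tcp", 17: "udp"}


def parse_pcap(data: bytes):
    """Yield (timestamp, frame_bytes) for each record of a little-endian pcap blob."""
    magic, _major, _minor, _tz, _sigfigs, _snaplen, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian Ethernet pcap is handled in this example")
    off = 24                                   # global header is 24 bytes
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode(frame: bytes) -> dict:
    """Decode Ethernet -> IPv4 -> TCP/UDP headers; non-IP frames keep proto=None."""
    dst_mac, src_mac, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    pkt = {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
           "src_ip": None, "dst_ip": None, "proto": None,
           "sport": None, "dport": None, "payload": b""}
    if ethertype != ETHERTYPE_IPV4:
        return pkt
    ihl = (frame[14] & 0x0F) * 4               # IPv4 header length in bytes
    total_len = struct.unpack_from("!H", frame, 16)[0]
    proto = frame[23]
    pkt.update(src_ip=ipaddress.ip_address(frame[26:30]),
               dst_ip=ipaddress.ip_address(frame[30:34]),
               proto=PROTO_NAMES.get(proto, str(proto)))
    l4 = 14 + ihl
    if proto in (6, 17):
        sport, dport = struct.unpack_from("!HH", frame, l4)
        hdr_len = (frame[l4 + 12] >> 4) * 4 if proto == 6 else 8
        pkt.update(sport=sport, dport=dport, payload=frame[l4 + hdr_len:14 + total_len])
    return pkt


def make_filter(host=None, net=None, proto=None, ports=None, pattern=None):
    """Predicate over decoded packets: host address, CIDR network, protocol name,
    inclusive (lo, hi) port range on either side, and a regex over the payload."""
    host_addr = ipaddress.ip_address(host) if host else None
    network = ipaddress.ip_network(net) if net else None
    regex = re.compile(pattern) if pattern else None

    def match(pkt: dict) -> bool:
        if pkt["src_ip"] is None and (host_addr or network or proto or ports):
            return False                       # non-IP frames cannot satisfy IP criteria
        if host_addr and host_addr not in (pkt["src_ip"], pkt["dst_ip"]):
            return False
        if network and not (pkt["src_ip"] in network or pkt["dst_ip"] in network):
            return False
        if proto and pkt["proto"] != proto:
            return False
        if ports:
            if pkt["sport"] is None:           # e.g. ICMP has no ports
                return False
            lo, hi = ports
            if not (lo <= pkt["sport"] <= hi or lo <= pkt["dport"] <= hi):
                return False
        if regex and not regex.search(pkt["payload"]):
            return False
        return True
    return match


def search(pcap_bytes: bytes, **criteria) -> list:
    """Run a filter over every record in a pcap blob and return the decoded matches."""
    pred = make_filter(**criteria)
    matches = []
    for _ts, frame in parse_pcap(pcap_bytes):
        pkt = decode(frame)
        if pred(pkt):
            matches.append(pkt)
    return matches


def _tcp_frame(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for the sample capture (checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, 0x5018, 65535, 0, 0) + payload  # 20-byte header, PSH+ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + tcp


def build_pcap(frames) -> bytes:
    """Serialize frames into a little-endian pcap blob (one record per second)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample capture: a web request, an SMB connection inside 10.0.0.0/24, and an SSH banner.
SAMPLE_PCAP = build_pcap([
    _tcp_frame("10.0.0.5", "203.0.113.10", 51000, 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    _tcp_frame("10.0.0.7", "10.0.0.9", 51001, 445, b"\x00\x00\x00\x10\xffSMB"),
    _tcp_frame("192.168.1.2", "10.0.0.5", 53000, 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
])

if __name__ == "__main__":
    for pkt in search(SAMPLE_PCAP, net="10.0.0.0/24", ports=(440, 450)):
        print(pkt["src_ip"], pkt["sport"], "->", pkt["dst_ip"], pkt["dport"], pkt["payload"][:8])
```

Because the VFS exposes plain pcap files, the same reader works on them as on any tcpdump output; the difference between ingress and egress filtering is only where `make_filter` runs, before the record is written or, as here, while it is read back.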
10. Can I just buy the Solera DS capture software and not the appliance?
Solera Networks delivers its capture speeds through the combination of DS capture software and commodity hardware selected to provide optimal performance. While the combined software and hardware solution performs best, customers have the option to deploy the software as a virtual appliance through a VM image or through a certified configuration on standard HP hardware.
11. Do Solera DS appliances support wireless networks?
Yes.
12. Are Solera DS appliances detectable on my network?
Solera DS appliances can be connected via a network mirror (SPAN port) or a network tap and configured without an IP address; therefore, they can sit undetected on your network.
