The Network Forensics Buyer’s Guide

Enterprises are doing more with their networks than ever before, yet most IT organizations have less visibility into their network traffic than they used to. The primary reason is speed: as applications have become richer, networks have become faster.

Unfortunately, the volume of traffic on these faster networks outstrips the collection and analysis capacity of traditional network monitoring tools. Network analyzers originally developed for 1G or slower networks drop packets or report misleading statistics when tasked with monitoring today's high-speed networks, because every dropped packet is traffic that is never counted or analyzed.

There is, however, a solution that is not only essential for monitoring and troubleshooting 10G, 40G and even 100G networks, but also indispensable for finding evidence of security attacks. Network forensics is the collection, storage and analysis of network traffic: network recorders capture live traffic and write it to high-performance disk arrays so that it can be searched and analyzed after the fact.

As network forensics solutions gain prominence within the enterprise, IT departments are often asked to define which features and components a solution must have in order to succeed. Here we outline the features you need and the trade-offs you should consider, from data recording to data reporting, when choosing a network forensics solution.

Solution Components
Network forensics solutions typically include two components:

  • A network recorder: An appliance configured with disk storage and network interface cards that connect to the monitored network segments (typically through a network TAP or a switch SPAN/mirror port) and record their traffic.
  • A network analyzer: Software that provides tools for searching through and analyzing the recorded traffic. Ideally, the analyzer also exports data for reporting and makes it easy for the different IT specialists involved (network, application and security teams) to collaborate on resolving performance or security problems.

Solution Features
Some of the features that SMBs and large enterprises should look for include:

  • Data recording: Capturing network traffic from live network segments and writing it reliably to disk. Recording must be fast and accurate, and must never interfere with the traffic being recorded. A recorder that silently drops packets under load produces incomplete evidence, so look for sustained line-rate capture at the link speeds you actually run, and for drop counters that are visible to the operator rather than hidden.
  • Data storage: A network forensics solution must store enough traffic to meet the organization's post-capture analysis needs. For some organizations this means one day of traffic; for others, several days. Size the retention target against actual link utilization rather than nominal speed: a single fully utilized 10G link alone produces roughly 108 TB of packets per day (1.25 GB/s), and the retention window determines how far back an investigation can look.
  • Data analysis: Fast, easy-to-use and intuitive search and filtering tools are essential. Capturing and storing data is pointless if IT engineers cannot search through it (potentially tens of terabytes) quickly and efficiently to identify the root cause of problems, find evidence of security attacks, and carry out other forensic investigations.

To get a more complete checklist of the features and components your network forensics solution should have, check out our “Network Forensics Buyer’s Guide.”