Network Forensics Appliance Buying Guide - Page 3

Network Forensics Appliances can provide situational awareness and incident preparedness. In this buying guide, we examine the capabilities and features they offer so you can make the best buying decision.

 By Lisa Phifer
Page 3 of 3   |  Back to Page 1
Print Article


Creating a requirements checklist


Given benefits you expect a Network Forensics Appliance to bring to your organization, it's time to identify required capabilities and features.

  • Full-packet capture: Network Forensics Appliances are passive devices, designed to connect to a span port or tap on network segment(s) with good visibility. As such, they won't slow your network down – but they must still keep pace with highly-utilized links. Select an appliance/model with network interfaces, RAM, and CPU sufficient to handle your network's peak throughput.
  • Packet storage and indexing: Network Forensics Appliances not only store terabytes of traffic, but index it for rapid retrieval and analysis. This is done by generating metadata, stored with packets, so applications can quickly filter and pivot on values like source/destination IP/port, URL and user. Match storage capacity to average throughput and desired look-back period. If growth is likely, consider external storage support.
  • Portability and scalability: Most Network Forensics Appliances are dedicated devices, optimized to receive and store large packet volumes at very high rates. But some vendors also sell portable or VM appliances to be used by on-site investigators. Conversely, some vendors offer options needed by large or distributed deployments, such as management consoles to administer and extract data from multiple appliances.
  • Session reassembly and replay: Network Forensics Appliances do the heavy lifting, but it is their applications make that data valuable by presenting actionable insight to users. Case in point: Although products may display individual packets (directly or by launching a LAN analyzer), they must also decode packets, reassemble them into sessions, fingerprint applications and correlate flows. Look at how quickly this occurs and how easy results are to use.
  • Artifact reconstruction and visualization: Another capability associated with Network Forensics applications is artifact reconstruction – identifying and displaying files, documents, email messages, text messages, images and videos, media streams and voice calls, etc. Consider whether the product presents important artifacts in a usable way – for example, can you search for or highlight sensitive data elements, browse images, or
  • Forensic analysis tools: Network Forensics applications must balance information breadth and depth against speed of delivery. But when deep digging is called for, analysis tools must enable efficient filtering and pivoting through captured traffic. Advanced features include support for threat signatures (published and custom) and third-party interfaces that make it easy for admins to click-and-drill from an external alert into Network Forensics.
  • Report generation: Finally, Network Forensics applications must produce documentation suited to target audiences (e.g., compliance reports, breach impact summaries, user activity reports, maps showing geographic traffic flows). Reports may be canned or custom, scheduled or ad hoc, but should be flexible enough to deliver the data each user needs, when they need it, without distracting details.

Network forensics appliances vendors

These are just some of the many features and capabilities currently found in Network Forensics Appliances. Vendors in this market include AccessData, Narus, NetScout, Network Instruments, NIKSUN, Solera Networks, RSA and WildPackets. To more fully illustrate this category over the coming weeks, EnterpriseNetworkingPlanet will profile Solera Networks' DS Appliances, RSA's NetWitness, and NIKSUN's NetDetector.




Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. With over 25 years in the network industry, Lisa has reviewed, deployed, and tested network security products for nearly a decade.

This article was originally published on Sep 16, 2011
Get the Latest Scoop with Networking Update Newsletter