Network forensics is defined as the capturing, storing, and analysing of network data in order to find the root cause of a network security (or other) event. The term comes from the legal and criminology fields, where "forensics" is defined as "the use of science and technology to investigate and establish facts in criminal or civil courts of law." Within the network, forensics is used as a means to capture and record network activities, allowing both the determination of the scope of the network event and the provision of the evidence and facts required to remedy it.
In today’s market, network analysis tools are plentiful, but all operate on the premise of sampling the network data. In order to identify the ‘event of interest’, users must either analyse a sample of the data and hope that the root cause of the problem lies within that sample, or know what they are looking for as they analyse the live traffic flow. However, it is often the case that users do not know what they are looking for until after the traffic has already passed through the network.
DVV Solutions has a range of network forensics tools which go beyond traditional live stream monitoring. Our primary vendor for recordable network forensics is Solera Networks. Solera’s Network Forensic tools (capable of recording 100 percent of network traffic at speeds up to 10 Gbps) allow a user to retain a complete record of network traffic, which in turn allows filtering, network analysis and forensics to be performed ‘after the fact’ to uncover the root cause of a problem. The solutions give you a complete record of your network traffic and enable your network analysis and forensics tools to deliver an accurate report, not a guess derived from a mere sampling of data.
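To make the sampling argument above concrete, here is an added example (not DVV Solutions’ or Solera’s code): it builds a small pcap file from constructed packets, then answers an ‘after the fact’ question from the full record that a 1-in-3 sample of the same traffic cannot answer. All addresses, ports and timestamps are constructed.

```python
import struct

def _ipv4_tcp_frame(src, dst, sport, dport):
    """Build a minimal Ethernet/IPv4/TCP SYN frame (constructed test data;
    checksums stay zero because the frame is parsed here, never transmitted)."""
    ip_src, ip_dst = (bytes(int(o) for o in a.split(".")) for a in (src, dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip_src, ip_dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp   # Ethernet header, EtherType IPv4

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def iter_packets(pcap):
    """Yield (ts_sec, src, dst, proto, sport, dport) for every IPv4 packet."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4: skip
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        sport = dport = None
        if proto in (6, 17) and len(frame) >= 18 + ihl:   # TCP or UDP carry ports
            sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
        yield ts_sec, src, dst, proto, sport, dport

def hosts_contacting_port(pcap, port):
    """After-the-fact question: which sources sent TCP traffic to `port`?"""
    return sorted({src for _, src, _, proto, _, dport in iter_packets(pcap)
                   if proto == 6 and dport == port})

# Constructed traffic: routine web connections plus one to an unusual port.
FRAMES = [
    _ipv4_tcp_frame("192.0.2.5", "203.0.113.10", 51000, 80),
    _ipv4_tcp_frame("192.0.2.9", "198.51.100.20", 51001, 4444),
    _ipv4_tcp_frame("192.0.2.7", "203.0.113.10", 51002, 443),
    _ipv4_tcp_frame("192.0.2.5", "203.0.113.10", 51003, 80),
]
FULL_RECORD = build_pcap(FRAMES)          # what a network recorder retains
SAMPLED_RECORD = build_pcap(FRAMES[::3])  # a 1-in-3 sample: keeps packets 0 and 3
```

Querying `hosts_contacting_port(FULL_RECORD, 4444)` finds the one host that reached the unusual port; the same query over `SAMPLED_RECORD` returns nothing, because the sample never contained that packet.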
These ‘Network Recorders’ are an ideal complement to other security event resolution tools, such as ‘Intrusion Prevention and Detection’ as well as ‘Data Leakage Prevention’. DVV Solutions is able to provide specialist design services to integrate Solera Network Forensics with a range of other solutions, including Sourcefire IDS/IPS and Symantec DLP.
Solera Network Forensic systems are available both as a range of appliances (with throughput ranging from 1 to 10 Gbps) and as a VMware virtual appliance (capable of 1 Gbps throughput).
Additional information on the selected ‘use cases’ listed below is available from the Solera Networks website.
- Security breach investigation
- Stolen identity resolution
- Worm, virus, or malware makes it past the firewall
- Enforcing Internet use policy
- Abnormal network traffic investigation
- Enhancement of IDS/IPS
- Historical application of data loss reporting