EndaceProbe: High-speed packet recording for security monitoring

Share this article:
EndaceProbe: High-speed packet recording for security monitoring
EndaceProbe: High-speed packet recording for security monitoring

On high-speed networks a major issue is packet capture/recording without packet loss. Because these networks tend to be complex, monitoring across the infrastructure without packet loss can be challenging. The EndaceProbe from Emulex is a good solution to that challenge. 

Endace is a 15-year-old, New Zealand-based company, acquired by Costa Mesa, Calif.-based Emulex this year, that has become a household name for high-speed data capture. The company focuses on fundamental concepts and prides itself on building on the basics of network performance measurement.

The EndaceProbe sits as part of the core network infrastructure. The product is a purpose-built enterprise-grade tool. It does not replace SIEMs or IDS; rather, it provides a recording function that ensures that packets are not dropped due to high data rates. In order to ensure compatibility with other data capture tools, Emulex has developed the Endace Fusion Ecosystem. This, today, provides direct compatibility with tools from such companies as Arista, Lancope and WireShark.

AT A GLANCE 

Product: EndaceProbe 

Company: Emulex 

Price: $150,000 for a typical EndaceProbe. 

What it does: Intelligent network recorder for security monitoring.

What we liked: Essentially lossless data recording at network speeds. 

What we didn't like: With other, related tools, this can become a bit pricey, but this is a best bet if one needs high-speed data recording in support of security monitoring.

Architecturally, the EndaceProbe works with DAG (data acquisition and generation) modules, as well as third-party products in the Endace Fusion Ecosystem. Data collected by the DAG modules are fed to the packet inspector in the EndaceProbe, where packets go to the data store with Netflow metadata going to a special database. The data store feeds third-party products from its rotation file allowing high speeds to be analyzed.

Data streams on networks up to 100Gbps are supported and the appliance has significant on-board storage. The RAID (redundant array of independent disks) on the device we evaluated had more than 8TB of storage. The built-in Vision Web Server provides visibility of the process, its results and the traffic on the monitored network. That is an important aspect of the tool. While it may appear that the purpose of the solution is simply to prepare data for analysis by other tools, in fact, EndaceProbe has some robust analysis capability itself.

There is a lot to like about this product. While the price is not trivial, neither is what it does in a large network. We liked its scalability, high fidelity, high bandwidth capture and processing, and the intelligent analysis tools that are part of the product. The range of architectures that can surround EndaceProbe also is impressive – ranging from additional complementary products from Emulex to third-party tools for additional analysis. Some of these could not work well in a high-speed environment without the support of EndaceProbe.

The solution comes with 12 months of hardware support included, and after that there are three levels of support – gold, silver and bronze – based on customer needs. 

Overall, we recommend this for appropriate environments where high speeds are the rule, as well as environments that are large and complicated with stringent security needs.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in First Looks

Soft intelligence is important too: Silobreaker

Soft intelligence is important too: Silobreaker

Silobreaker is a must-have collection and analysis tool for organizations that might benefit from open source intelligence (OSINT).

Bits and bytes in intelligence: Umbrella from OpenDNS

Bits and bytes in intelligence: Umbrella from OpenDNS

Umbrella from OpenDNS, a cloud-based network security service, is easy to use and an excellent intelligence resource.

AhnLab's MDS: A comprehensive approach to malware management

AhnLab's MDS: A comprehensive approach to malware management

AhnLab refers to its product - MDS - as a malware defense system. I, however, think of it more as a malware management system.