EndaceProbe: High-speed packet recording for security monitoring

Share this article:
EndaceProbe: High-speed packet recording for security monitoring
EndaceProbe: High-speed packet recording for security monitoring

On high-speed networks a major issue is packet capture/recording without packet loss. Because these networks tend to be complex, monitoring across the infrastructure without packet loss can be challenging. The EndaceProbe from Emulex is a good solution to that challenge. 

Endace is a 15-year-old, New Zealand-based company, acquired by Costa Mesa, Calif.-based Emulex this year, that has become a household name for high-speed data capture. The company focuses on fundamental concepts and prides itself on building on the basics of network performance measurement.

The EndaceProbe sits as part of the core network infrastructure. The product is a purpose-built enterprise-grade tool. It does not replace SIEMs or IDS; rather, it provides a recording function that ensures that packets are not dropped due to high data rates. In order to ensure compatibility with other data capture tools, Emulex has developed the Endace Fusion Ecosystem. This, today, provides direct compatibility with tools from such companies as Arista, Lancope and WireShark.

AT A GLANCE 

Product: EndaceProbe 

Company: Emulex 

Price: $150,000 for a typical EndaceProbe. 

What it does: Intelligent network recorder for security monitoring.

What we liked: Essentially lossless data recording at network speeds. 

What we didn't like: With other, related tools, this can become a bit pricey, but this is a best bet if one needs high-speed data recording in support of security monitoring.

Architecturally, the EndaceProbe works with DAG (data acquisition and generation) modules, as well as third-party products in the Endace Fusion Ecosystem. Data collected by the DAG modules are fed to the packet inspector in the EndaceProbe, where packets go to the data store with Netflow metadata going to a special database. The data store feeds third-party products from its rotation file allowing high speeds to be analyzed.

Data streams on networks up to 100Gbps are supported and the appliance has significant on-board storage. The RAID (redundant array of independent disks) on the device we evaluated had more than 8TB of storage. The built-in Vision Web Server provides visibility of the process, its results and the traffic on the monitored network. That is an important aspect of the tool. While it may appear that the purpose of the solution is simply to prepare data for analysis by other tools, in fact, EndaceProbe has some robust analysis capability itself.

There is a lot to like about this product. While the price is not trivial, neither is what it does in a large network. We liked its scalability, high fidelity, high bandwidth capture and processing, and the intelligent analysis tools that are part of the product. The range of architectures that can surround EndaceProbe also is impressive – ranging from additional complementary products from Emulex to third-party tools for additional analysis. Some of these could not work well in a high-speed environment without the support of EndaceProbe.

The solution comes with 12 months of hardware support included, and after that there are three levels of support – gold, silver and bronze – based on customer needs. 

Overall, we recommend this for appropriate environments where high speeds are the rule, as well as environments that are large and complicated with stringent security needs.

Share this article:

Sign up to our newsletters

More in First Looks

Covering all the SAP bases

Covering all the SAP bases

X1 is an agentless SAP auditing tool that is able to map out entire SAP landscapes and display any insecure configurations on the individual elements of the landscape.

Digital forensic incident response in a box

Digital forensic incident response in a box

CIRT from AccessData Group is a full lifecycle forensic tool - from detecting to analyzing to remediating - and it's all in a single package.

iScan, uScan, we allScan... and its cheap and easy to do

iScan, uScan, we allScan... and its cheap ...

iScan uses a really neat approach to vulnerability and PAN (looking for credit card, etc.) scanning.