Product Information

Network Intelligence HA 2000

Vendor:

Network Intelligence

 

Price:

$39,650

Quick Read

Strengths:

Prodigious throughput and good scalability and high-availability.

Weaknesses:

Remote management needs some work.

Verdict:

This is a strong solution for collecting and managing vast amounts of network information from multiple vendors' products.

Rating Breakdown

SC Lab Reviews

Reviews from our expert team

Features:
Documentation:
Value for Money:
Performance:
Support:
Ease of Use:
4/5

Summary

As any security administrator knows, the only thing as bad as not enough information is too much. Staying on top of the overwhelming flood of information from every device is a difficult job. Information comes in as events, alerts, notifications of changes or just status updates. Making sense of it all requires efficient correlation tools, like the Network Intelligence logging appliances.
Network Intelligence sent us the HA 2000, the smallest version of its enterprise-class product suite, fitting in between the EX series targeting SMEs, and the LS series for large environments. The system runs Windows 2000 Server in a 2U rack-mount chassis. The HA 2000 is licensed to handle a maximum of 2,000 events per second (EPS), from a maximum of 64 information sources. There are several larger versions available (chiefly a matter of licensing, although at 4,000 EPS the devices start shipping with more on-board disk and memory), up to 6,000 EPS, for monitoring up to 1,024 network devices. And they can be clustered, up to three units together for triple the throughput.

Network Intelligence has gone out of its way to help users get up-front planning done before starting to configure the appliance, with checklists and forms which indicate what information will be required. A useful application is provided to calculate the expected load (in EPS) on the device - you can specify how many of each supported device are to be managed, and an estimate of standard load is calculated. This tool is available on the company web site.

In those planning aids I was surprised to see a form with spaces for the admin to fill in each user's name and password, running at a sharp tangent to accepted best practice. Shred that one before you suffer temptation, is my advice.

The appliance also offers strong fault-tolerance - the storage is RAID 5 and there are redundant fans and power supplies. In its current form there is no facility for fail-over between devices, but the company has promised that this feature will be added "in the near future."

The heart of the product is the enVision security monitoring suite, currently in version 1100, which handles the monitoring functions. My chief criticism of the system lies in its management interface rather than its functionality, which is impressive.

Remote management is accomplished via a set of Java applets. So far so good, but several components of the interface malfunctioned during testing. The problem turned out to be that the desktop from which I was managing the system was using a version of Sun's Java Virtual Machine (JVM) which was too recent (1.4) and was causing problems. Uninstall it, said the engineers, and install version 1.3, which can be downloaded from the appliance itself. I was disappointed with this. Requiring that admins use an old version of Java is unfortunate but unavoidable, the engineers told me, due to a bug in Sun's JVM 1.4. But what if the next device you buy requires 1.4?

Attempts to connect to the web-based login screen from anything other than Internet Explorer also failed, even on Windows with the correct JVM installed. Fortunately the box also accepts Windows Terminal Services connections, and you can then use the browser installed on the server directly. This will incur a performance hit, especially if you have several users needing access to the management interface at the same time, but avoids Java version problems. There is also the advantage of managing the box from something other than a Windows workstation - PocketPC handhelds have useable Terminal Services clients, and I easily managed it from a Linux client using rdesktop.

A final quirk is that only one administrator can be logged in at the same time. Subsequent admin connections will actually be logged in as end users, able to view data but not perform management duties, and the system does not go out of its way to tell you about this. Some more information, perhaps including where the current admin session is logged in from, would be very handy.

Once actually connected to the interface, management is straightforward, and the interface is responsive and well laid out.

The first task that must be completed is configuring the appliance's interfaces, most of which can be done either on the console, through the browser or even on the little LCD display mounted on the front of the appliance, which makes it ideal for easy deployment into rack environments.

As this appliance gathers log data from remote sources, some assembly is required. Devices must be instructed to log to the HA device, which must be set up to receive them. The documentation is very good at explaining what is required, but a bit light on troubleshooting.

There is support for a good variety of third-party products, including a lot of Cisco devices as well as the usual suspects: firewalls, operating systems, switches and routers. No Symantec or CyberGuard though, nor Microsoft ISA, so the list could do with some fleshing out. In addition to the print documentation, the online help is excellent - thorough and lucid.

All events are gathered into a single source, and the view of real-time alerts can be filtered and sorted to your heart's content. Predefined views can be set up, and applied to archived events as well as real-time alerts. This is where the brute-force of the system's engine is needed - applying filters to thousands of events every second is an intensive job.

Another strong point is the system's correlation ability. Rules for identifying related events can be configured ("if event A happens, then event B happens inside 30 seconds and event C did not occur yet, then raise an SNMP alert") with great ease by setting aggregation rules and assigning them to views. The flexibility is impressive, and there are a number of predefined rules to get you started.

The reporting interface is also good. User accounts can be configured with access to specific sets of alert data, allowing role-based views of relevant data sets.

Once set up, the product does exactly what it says on the can. It collects alerts quickly and efficiently, gathering them into a database, which can then be used for the purposes of trend analysis, event correlation and reporting.

All of this it does well, scaling to any size network. The limitations of the front-end are unfortunate but left to its own devices in a rack, you should have few problems.