The term “next-generation” gets bandied about a lot these days. Arguably coined by Palo Alto, every marketer trying to differentiate their product – and, of course, all do – tags it as next-generation. Sadly for the consumer, most aren't. But every now and again we come upon a real next-generation product. In our cloud security issue [July-August], we found several. And now, in this forensic issue, we have another.
We have been watching NIKSUN for years. The company has consistently produced good products, its thinking is ahead of its time and we made them a member of our Hall of Fame in 2012. That's a pretty strong pedigree. With that said, when a company rep told me about the company's latest product, I was, in spite of their solid history, skeptical. She claimed it was capable of doing everything that the company's current flagship product does and could do it at 100Gbps wire speeds. C'mon, guys, I thought, that's just way too fast for all of the analysis your tools do. But, we are pleased to tell you that we were wrong. And, in fact, we watched it do exactly that. So, for everyone out there working on the next generation of network forensic tools, the fat's in the fire. These guys are setting the bar, and quite high it is, too.
Supreme Eagle NetDetectorLive really is an impressive system. It is configured with parallel processors to make a purpose-built supercomputer that can scale its storage to six petabytes. Functionally, the system can simultaneously capture, analyze and store all network traffic at carrier class line rates and run the data past an IDS, while forensically analyzing captured data and providing notification of detected data breaches and of network anomalies. That is a pretty big mouthful, but the functionality doesn't end there.
At a glance
Product Supreme Eagle NetDetectorLive
Price Depends upon configuration
What it does Performs network forensics at carrier line speeds
What we liked Speed, performance, flexibility and feature rich… we liked it all.
The bottom line This system really sets the bar for next generation network forensic analysis tools.
With a six-server footprint, Supreme Eagle does the same work as a 30-server deployment of current-generation systems. That, by itself, is a huge saving in space, cooling and power. The proof of performance testing was done with a BreakingPoint traffic generator going through two switches using port aggregation to up the overall traffic load. The system performed flawlessly, not dropping a single packet that we could see.
Application layer statistics, events and reconstructed data for network forensics are stored in real-time in the system's database, the NIKSUN Network Knowledge Warehouse (NKW). This allows efficient data mining. With data rates at carrier speeds for a given time interval, far more data will pass through the pipe than at slower speeds. The traditional capabilities of the tool have been translated into the parallel processing scheme and the system, overall, becomes an ideal solution for forensic analysis of Big Data, handling the four Vs – variety, velocity, variability and volume – very nicely. Just as with its smaller sibling, Supreme Eagle is able to reconstruct actions that pass on the wire with a sort of data VCR playback. This allows efficient investigation of large-scale network events, such as DDoS and subtle attacks buried in a large data steam.
Support is pretty much what one would expect from NIKSUN, with included basic assistance and all sorts of paid packages, including an onsite aid option for very large organizations that need that sort of thing. The website has all of the amenities that should be expected of a world-class company and our direct experience with NIKSUN support always has been more than satisfactory.
We were quite impressed with this system but, of course, it's not for everyone. There are several available configurations and it is priced based on how it is configured. That said, if you have a large mission-critical data stream, you cannot afford not to give this one a close look. When we asked if the system was deployed in the field to real customers analyzing real data, the answer was ‘yes,' and the number of customers, given the short time this has been on the street, was impressive.
Deployment, while not trivial, is quite straightforward especially in data centers where administrators are used to complex system configurations. Even here, however, NIKSUN support staff stands ready to help if necessary. If you decide to deploy Supreme Eagle, we suggest that you be clear about your objectives and where you want to collect your data before you start configuration specs.
We predict that every large ISP will want to have one of these, especially given the current threatscape with which they are forced to deal. Recovering from a large-scale network-based attack is not trivial at the best of times, but when the line speeds and amount of data start to climb only the best tools will do. Supreme Eagle NetDetectorLive is one of those tools.