On the lookout for trouble

Sometimes it is the danger within — behind your agency's firewalls — that is the greatest threat. Indeed, dealing with unauthorized intrusions from inside an organization has become the last frontier of systems security.

What administrators need is a system sleuth that can give them a clear picture of their networks, showing who is talking to whom and flagging any unusual network traffic. That's just what SilentRunner does.

The software, from SilentRunner Inc., creates a picture by monitoring raw network packets, which it organizes into a database that can be used to correlate, analyze and visualize network traffic. The software makes it possible to identify areas of potential misuse and recognize and respond to security events quickly.

Help Wanted

SilentRunner requires some training, and I turned to the vendor's representative for help. Be prepared to do the same if you invest in the product.

The rep first showed me how to use the Collector to gather packet information from the network. At first I was in familiar territory because I already use protocol analyzers to monitor my networks. Network troubleshooters commonly use such tools to examine the internal structure of packets and even read the unencrypted contents to determine what kind of information is being transmitted.

Tools in SilentRunner showed me the meanings of headers and other packet components, and charts highlighted the protocols used in the network. More impressively, the Visualizer tool created a map of my network's routers, servers and workstations.

Occasionally I would stumble when using SilentRunner and would have to ask for help. Some procedures are not intuitive. For example, the Session Recorder window must remain open when collecting data. And when you open the Collector, you need to click "File" and "New" twice to ensure that the buffers are cleared. Online help is sparse, and at several points, I would have liked to have seen some context-sensitive help.

Before leaving the Collector, I was dazzled by a feature called the Knowledge Browser. It uses a hierarchical tree design to provide a readable and colorful graphic representation of relationships among the network nodes at the address level.

In addition to giving the fine details of your network's logical layout, the Knowledge Browser provides statistics showing the amount of traffic being handled at each level. Knowing information such as the amount of traffic being handled by each protocol, for example, gives you a starting point for analyzing the behavior of the network and its users.

The features for analyzing data to spot unauthorized intrusions are far too numerous to list. In testing the software, I quickly found a tool that identifies files and e-mail messages containing a specified phrase; others analyze Web data.

And although my desktop computer produced an impressive 2-D visualization of complex traffic on a large network, SilentRunner is designed to enable an operator to fly through 3-D models of virtual reality. Network nodes appear as stars, while lightning bolts of packets flash about. Data such as logs from firewalls and intrusion-detection systems can be added in separate planes, creating a multidimensional virtual representation in which unexpected relationships can stand out.

Wish List

Unfortunately, I regretted having installed SilentRunner on a desktop computer rather than a laptop, because of the limitations it placed on me.

Each device on a network has a Media Access Control address, which is burned into a communications chip in each computer. A device can change its IP address but normally cannot change its MAC address without installing new hardware. MAC addresses are the fingerprints of the network and are essential evidence for analysis. But they generally do not cross routers between network segments, so it is desirable to have data collectors on different subnets of the network. A laptop is a handy way to take SilentRunner across routers.

Also, SilentRunner will not discover devices behind firewalls or on networks that use packet filtering based on strict access control or switched hubs. These issues must be considered when purchasing components and planning how to use SilentRunner.

Finally, SilentRunner should not be considered a tool for spying on employees. There are much cheaper products available for doing this, if that is your goal. Rather, SilentRunner is a network discovery and analysis tool whose purpose is to safeguard an organization's information assets. Obviously, it can be used to circumvent employees' privacy, but then so can the protocol analyzers that administrators use every day.

In my opinion, SilentRunner would benefit from some additional features. For example, I could right click and generate a printed report at any time, but I would have liked many more options for formal reports to document my networks and traffic patterns at specific times.

In practice, SilentRunner represents only half of a security tool. The other half is a well-trained operator. The company offers a one-week basic class in using the tools, followed by an advanced class nearly as long that covers how to interpret the results to quickly detect security problems. The cost is $2,500 per class, and the training is strongly recommended, because the software is useless without an experienced operator.

Greer is a senior network analyst at a large Texas state agency.

***

Components of SilentRunner

* The Collector gathers data about a network, its structure, its traffic and its users. A packet-processing engine in SilentRunner decodes the raw packets and organizes them in a Knowledge Base.

* The Knowledge Base simplifies conversion of collection products (generated by the Collector) and other data into files suitable for use by SilentRunner's analytical programs.

* The Context engine shows relationships between like types of information, clustering files based on their similarity.

* The Analyzer visualizes, arranges, manipulates and reports information about a network and its traffic.

* The Visualizer provides 3-D visualization capability for viewing very large network diagrams in detail. Users also can display data from several sources (SilentRunner-collected data, firewall logs, intrusion-detection system logs) simultaneously in separate planes in the Visualizer to correlate events across platforms.