Iris Network Traffic Analyzer

Overview:

Iris Network Traffic Analyzer is designed to combine process and technology into a single effective system for network forensics.

Iris Network Traffic Analyzer empowers your security and operations teams by providing granular data monitoring and precise packet and session reconstruction capabilities. The solution is designed to combine process and technology into a single effective system for network forensics.

Today’s organizations rely on the continuity and security of underlying IT systems at all times. This requirement is further amplified when you take into account the fact that most security or performance issues, whether due to malicious acts, user non-compliance or simple bandwidth misallocation, generally reside above your network in the applications being serviced by your infrastructure.

Iris Network Traffic Analyzer allows professional teams to quickly and easily examine the inner workings of a network. This highly sophisticated system supports the investigation into security and performance issues, decreasing the amount of detective work while enhancing the overall productivity of your security and performance monitoring systems.

Fast Facts:

• Available as software or bundled with the Retina 651 Security Management Appliance
• Provides instant network data capture and the ability to decode traffic in real time
• Records and replays traffic for a complete audit trail of suspicious network activity
• Helps identify performance problems before they result in network downtime
• Compatible with network adapters up to gigabit speeds
• Advanced searching and filtering for quick identification of desired datum

Features and Benefits:

Session Reconstruction
Most packet capture solutions and network sniffers only display raw packets and leave it to the user to decode and determine the potential problems they represent. Iris collects network traffic and reassembles it as its native session based format, enabling users to quickly and easily make business decisions based on the service it was providing. Iris users can present the actual text of an email, as well as any attachments, exactly as it was sent. It provides reconstruction of full HTML pages that an end user visited and reconstruction of cookies for entry into password-protected websites. Iris will even display bi-directional instant messaging communications allowing full session reconstruction as the end user sees it.

Data Capture
The Iris Traffic Capture Engine is designed as a service oriented architecture, permitting security professionals to gather forensic information while performing other tasks in parallel. Iris is designed to capture specific data via filters based on a myriad of traffic metrics. This approach ensures that all targeted traffic is captured, regardless of whether the solution is run interactive or as a service. For capacity and service level agreement planning, Iris allows users to leverage traffic captured in one area of a network for use elsewhere, as well as for the monitoring of applications in development. Additionally, Iris allows for advanced functions such as keyword searching and protocol distribution.

Statistical Analysis
Iris provides a large variety of statistical measurements, supplying information on protocol distribution, top hosts, packet-size distribution and bandwidth usage. By regularly analyzing how systems and applications are being used, administrators can proactively identify and eliminate issues before they can result in downtime. Iris can also provide the proof required to drive the creation and enforcement of policies related to appropriate system and application usage.

• Protocol Distribution Stats: Reports network usage based on MAC, IP and IPX layer protocols.
• Top Host Statistics: Provides analysis of the IP layer traffic statistics collected for each host in real time and is ordered by the most “talkative” hosts.
• Size Distribution Statistics: Displays the number of packets with sizes in six different ranges.
• Bandwidth Usage: Charts the number of packets per second and bytes per second flowing across the network in real time.
• Traffic Reports: Complete traffic data that can be viewed in a browser, saved, printed, or copied into another program.

Data Reconstruction
Iris takes raw data packets and turns it into complete HTTP, SMTP, and POP3 sessions in their original format. The following are some of the protocols Iris reconstructs:

• Outgoing and incoming email messages: the text of the message is readable as well as the subject and recipient.
• Web Browsing Sessions: reconstruction of HTML pages in their original format.
• Instant Message Session: Iris will reconstruct all IM communications from both sides.

System Requirements:

WINDOWS 2000 PROFESSIONAL
WINDOWS 2000 SERVER
WINDOWS XP (32-BIT)
WINDOWS SERVER 2003 (32-BIT)
INTEL PENTIUM IV 2.0GHZ (OR COMPATIBLE)
512 MB OF RAM
40MB (SOFTWARE INSTALL)
20GB (CAPTURE STORAGE)
NETWORK NETWORK INTERFACE CARD (NIC) WITH TCP/IP ENABLED
MICROSOFT INTERNET EXPLORER 5.0 OR HIGHER

Documentation:

Download the eEye Iris Network Traffic Analyzer Datasheet (PDF).