eEye Iris Network Traffic Analyzer Overview:

Continuous vulnerability forensics plus network performance analysis

Iris Network Traffic Analyzer empowers your security and operations teams by providing granular data monitoring and precise packet and session reconstruction capabilities. The solution is designed to combine process and technology into a single effective system for network forensics.

Today's organizations rely on the continuity and security of underlying IT systems at all times. This requirement is further amplified when you take into account the fact that most security or performance issues, whether due to malicious acts, user non-compliance or simple bandwidth mis allocation, generally reside above your network in the applications being serviced by your infrastructure.

eEye Digital Security's solution to the problem is the Iris Network Traffic Analyzer. Iris allows professional teams to quickly and easily examine the inner workings of a network. This highly sophisticated system supports the investigation into security and performance issues, decreasing the amount of detective work while enhancing the overall productivity of your security and performance monitoring systems.

Session Reconstruction:

Most packet capture solutions and network sniffers only display raw packets and leave it to the user to decode and determine the potential problems they represent. Iris collects network traffic and reassembles it as its native session based format, enabling users to quickly and easily make business decisions based on the service it was providing. Iris users can reconstruct the actual text of an email, as well as any attachments, exactly as it was sent. It provides reconstruction of full HTML pages that an end users visited and reassemble cookies for entry into password-protected websites. Iris will even display bi-directional instant messaging communications allowing full session reconstruction as the end user sees it.

Data Capture:

The Iris Traffic Capture Engine is designed as a service oriented architecture, permitting security professionals to gather forensic information while performing other tasks in parallel. Iris is designed to capture specific data via filters based on a myriad of traffic metrics. This approach ensures that all targeted traffic is captured, regardless of whether the solution is run interactive or as a service. For capacity and service level agreement planning, Iris allows users to leverage traffic captured in one area of a network for use elsewhere, as well as for the monitoring of applications in development. Additionally, Iris allows for advanced functions such as keyword searching and protocol distribution.

Statistical Analysis:

Iris provides a large variety of statistical measurements, supplying information on protocol distribution, top hosts, packet-size distribution and bandwidth usage. By regularly analyzing how systems and applications are being used, administrators can proactively identify and eliminate issues before they can result in downtime. Iris can also provide the proof required to drive the creation and enforcement of policies related to appropriate system and application usage.

Features and Benefits:

Features:

Continuous Traffic Capture - The Iris Traffic Capture EngineTM (TCE) runs in the background gathering forensic information, ensuring all targeted traffic is captured, regardless of system or user session.

Complete Packet Reconstruction - Reconstruct files and web-browsing sessions back into their original format on the local network, capturing a clear and concise image of the integrity of the network and associated traffic.

Packet Sniffing and Spoofing - Spoof packets, test firewall configurations, test system load-bearing capabilities, and capture evidence of network intrusions - collecting complete logs of your tests and all real-time malicious activity.

Email and Instant Messenger Monitoring - Monitor non-encrypted web-based email and instant message traffic, complementing your normal email & messaging control, audit, and monitoring procedures.

Additional Features and Benefits:

Statistics and Reports
Iris provides DNS names and comprehensive statistical measurements for granular monitoring of session traffic. The metrics can be viewed in an assortment of graphical formats (e.g. pie charts, bar graphs, etc.) and include:

• Protocol Distribution Stats: Reports network usage based on MAC, IP and IPX layer protocols.
• Top Host Statistics: Provides and analysis of the IP Layer traffic statistics collected for each host in real time and is ordered by the most "talkative" hosts.
• Size Distribution Statistics: Displays the number of packets with sizes in six different ranges.
• Bandwidth Usage: Charts the number of packets per second and bytes per second flowing across the network in real time.
• Traffic Reports: Complete traffic data that can be viewed in a browser, saved, printed, or copied into another program.

Data Reconstruction
Iris takes raw data in packets and turns it into complete HTTP, SMTP and POP3 sessions in their original format. The following are some of the protocols Iris reconstructs:

• Outgoing and incoming email messages: The text of the message is readable as well as the subject and recipient. Iris will launch as email client to open the message, as well as any attachments, exactly as they were sent.
• Web browsing sessions: Reconstruction of HTML pages in their original format.
• Instant messenger exchanges: Iris will reconstruct all IM communications from both sides of the conversation.
• Non-encrypted web-based email

Enterprise Vulnerability Management:

Designed for a range of small business, medium business (SMB), to large enterprises, Retina Network Security Scanner is available as both a network security software solution plus a vulnerability management appliance solution.

• Centralized Vulnerability Management - Integrated vulnerability assessment, policy enforcement, policy auditing; improving enterprise network security.
• Centralized Incident Management - Prioritized vulnerability management plus client security threats and attacks; reducing security risk plus network security response.
• Enterprise Security Reporting - With integrated vulnerability, attack and policy information provided by Retina and Blink, REM provides organizations with metrics and graphical representations of their enterprise security posture.
• Executive Dashboard - Customizable reports and charts; integrated asset management, client security, risk assessment, plus vulnerability assessment.

Specifications:

Iris can handle as much traffic as your network generates, capturing logs and decoding traffic in real time. Iris requires the following minimum system requirements:

• Windows 2000 Professional
• Windows 2000 Server
• Windows XP (32-bit)
• Windows Server 2003 (32-bit)
• Intel Pentium IV 2.0Ghz (or compatible)
• 512 MB of RAM
• At least 40MB (software install) 20GB (capture storage) of free disc space
• Network Interface Card (NIC) with TCP/IP enabled
• Microsoft Internet Explorer 5.0 or higher

Iris Screenshots:

	Decoding and Reconstructing Data Iris lets you reconstruct data and display all content that was captured. In decode mode, captured data is reassembled in a way that allows you to view each session as if you were the actual session owner. Many common protocols can be reconstructed in this manner.
	Monitoring Network Activity Iris provides a graphical user interface (GUI) to allow network administrators to capture and retrace the steps of any network user. By monitoring both incoming and outgoing network traffic, Iris functions as a complete systems management watchdog.
	Session Reassembly Iris reassembles HTTP sessions through the Iris decoder, which allows it to be displayed as a fully rendered web page. Iris not only shows you the packet that created the session, but a realistic view of the actual contents of data sent within that session.
	Detecting Connection Attempts Iris' Guard feature watches for a specific connection sequence when a TCP session begins and reports it if it meets the connection criteria set in the Iris filters. This allows you to watch specific connections to and from any machine, and be alerted if Iris sees a connection from an IP or TCP port that Iris has been configured to monitor.

Documentation:

Download the eEye Iris Network Traffic Analyzer Software Datasheet (PDF).