Niksun's tools track network traffic . . . and hackers
NORTH BRUNSWICK, N.J. -- At Comdex Fall 2000 in Las Vegas last week, the show's LAN for 2,500 exhibitors will be monitored for service quality -- and possible hacker intrusion via the 'Net -- by a little-known start-up named Niksun.
The company is providing its network analysis tools to spot any trouble.
One tool, called NetVCR, can monitor quality of service in networks and Web servers, capturing network traffic to understand protocol utilization, source and destination. A second tool, NetDetector, is used for security forensics to analyze recorded traffic data, and it can issue an alarm about possible network hacking to a system administrator.
According to universities and corporations using them, the Niksun tools compare well with Network Associates' Sniffer and other products that have been on the market much longer -- and Niksun's offerings can help trace hackers.
Niksun's NetVCR and NetDetector are based on the same underlying technology, which was developed by CEO Parag Paruthi, formerly a research scientist at Bellcore.
Paruthi left Bellcore nearly three years ago to develop products to monitor broadband networks and provide help in tracking criminals on the Internet. Niksun, with nearly 100 employees, has about $30 million in venture capital funding.
Some organizations claim they have caught network hackers using the Niksun tools, which cost between $15,000 and $60,000.
The Royal Institute of Technology is connected in Stockholm, Sweden with Stanford University in California via a dedicated T-1 line provided by Swedish provider Telia.
Using NetVCR, a telecommunications professor at the Royal Institute of Technology says he detected and traced intruders that broke into the shared campus network, which extends into three other Swedish universities and Estonia.
"The most prominent intrusion in our network was made by a cracker who broke into one of the Web server hosts in the network and used it to set up a smurf attack targeting a site in Germany," says Bjorn Pehrson, a telecom professor who oversees the university's IT infrastructure.
A smurf attack is a type of denial-of-service intrusion intended to disable the target's servers. "Thanks to the data we were gathering with the Niksun NetVCR tool, we could reconstruct the break-in in detail and inform the ISPs that the cracker had used about these details."
Back in the U.S., service provider SBC Communications uses the NetVCR tool to monitor patterns of Internet activity across all the SBC regions, says Mike Russina, director of IP networks and system infrastructure at SBC's Internet division. The purpose is to understand network usage patterns, particularly with DSL, and monitor line availability. "Napster, for instance, has been out for about six months, and we want to know what impact it's having on our network," he says. He emphasizes that SBC is not storing or inspecting traffic content but is capturing just the 20 bytes of the packet header.
"I only need the source and destination and the type of traffic," Russina says, adding that a competing product, Network Associates' Sniffer, stores the entire packet content, thus filling up data storage very quickly. NetVCR, which comes with its own database, "can hold an unbelievable amount of data," Russina says, but the data is more ecoonomically held and easily analyzed.
According to Niksun's Paruthi, the Unix-based NetVCR is a protocol decoder that stores data it collects on disk or tape so it can look through terabytes of information.
"You can analyze the data in a variety of ways from link layer to application layer, break it apart and analyze the quality of service," Paruthi says.
The newer tool in Paruthi's bag of tricks, NetDetector, essentially adds a security alarm to the monitoring, putting the product in competition with intrusion-detection tools such as NFR Security's Network Flight recorder. "Theirs runs at 30 to 60 megabits per second, but this one runs at gigabit rates and can hold terabytes of information," he says.
Some network break-ins are so artfully done that hackers proceed carefully over a period of weeks to slowly carry out port scans or take over computers. "With NetDetector, you can replay and find out exactly how the hacker did that attack," he notes.
Paruthi admits NetDirector's intrusion-detection features are still fairly simple, so it would only set off an alarm for six types of attacks related to denial-of-service and other malicious activities.
"But it will show patterns very indiciative of malice, and this will be of help in forensic analysis or warning about specific behavior," he says.
Niksun is a member of the DDOS Consortium started by Yahoo, eBay, Schwab and others hit in February's mammoth distributed denial-of-service attacks, and eBay is expected to test the Niksun tools shortly.