The Problem:
Today’s networks are diverse, complex, and ubiquitous. Rapid innovation resulting in new applications, devices, and protocols makes it more difficult than ever to understand what is on your network. As network traffic rates increase to 10 GbE and beyond, it is clear that packet-based approaches to situational awareness and network forensics do not scale in a cost-effective manner. Many organizations are finding that flow-based data helps reduce the amount of information that is collected. However, current flow-based tools, while very useful, still provide mainly L3-L4 information. What is needed is a new approach that is standards-based, scales to 10 GbE networks, is cost-effective, and produces actionable network information from Layer 2 through Layer 7 that can be retrieved quickly.
The Solution:
The SessionVista™ product line is designed to solve these problems. The SessionVista™ Exporter is scalable to 20 Gbps. It reduces the volume of information by reporting on 700+ protocols and extracting session-level metadata, which it exports in the standards-based IPFIX format. This means that the metadata produced by the Exporter is 100 times less than the incoming line rate but still contains the important information about the session. It extracts only the protocols and protocol fields the user wants, so the amount of metadata produced can be tuned.

Organizations appreciate this because they have learned that packet storage based devices (PCAP) do not scale to 10 GbE networks in a cost-effective way, since the SAN storage technology required is cost prohibitive. On top of that, the information buried in the packets is typically indexed on an IP or transport-layer port basis, which makes it difficult to derive actionable intelligence from these packets in a short amount of time.

SessionVista™ is different in that the metadata produced is indexed into a database. This allows an analyst to search for criteria from over 4000 protocol attributes. For example, the analyst may want to determine the list of services a host has run in the past two weeks by looking at which protocols were found within each of the sessions the host had. This query returns quickly because the protocols and attributes observed within any session are linked by a 64-bit session identifier at the time they are extracted from network traffic. Once the metadata has been indexed, it is also available to a host of SessionVista™ applications for network forensics, traffic profiling, and finding misconfigured hosts or hosts that have been infected by malware.

To further ensure that organizations can develop their own deep packet inspection based applications, the SessionVista™ SDK is available. It makes it easy to develop deep packet inspection based network intelligence applications by abstracting away technical details such as lossless packet capture, broad protocol decoding, session reconstruction, and flow correlation. SessionVista™ provides a real-time and a historical view of protocol metadata and content that can be used by applications and tied to any business logic.
Last Updated on Friday, 17 February 2012 16:01