
Network behavior-analysis

chaitu_kranthi
Level 1

Hi, in our organization, management wants to implement Network Behavior Analysis, and they are requesting us to send some documents on this.

Can anyone help me with this?

I am at zero level regarding this technology. I do not even know whether this technology is a tool or something else. Please send some documents on this.


Farrukh Haroon
VIP Alumni

Are you looking for a Network Behavior Anomaly Detection (NBAD) device? Please try to be specific with your query.

http://www.networkcomputing.com/showArticle.jhtml?articleID=163700677

Regards

Farrukh

MARS is one big solution for Network Behaviour Analysis. Have a look at the doc attached.

Today, the main goal of administrators is to have a tool which could do the analysis on their behalf and could give a BOTTOM line of the incident/anomaly. Consider a network admin taking care of multiple routers/firewalls/IPS etc. who has to go through each log from each device separately for any issue; doing that, and even predicting any issue, is something impossible for a human being.

So, as a Network Behaviour Analysis tool, MARS makes use of existing technologies/methods like SNMP/FTP/TELNET to retrieve events from the devices (routers/switches/FWs/IPS, and the list goes on to workstations, e.g. XP/2000), and CORRELATES them (compiles the events, finds the similar ones and makes them 1 SESSION), to present a single-line statement to the administrator that something has happened in the network.

The second part of an NBA tool like MARS is to detect any anomaly, meaning that even if nothing bad has happened yet in the network, there is something bad that is going to be done. For instance, if a port on a network switch starts using 90% of its traffic volume limit and stays in that condition for some time, this could be a symptom of a virus starting to spread in the network, or of some sort of broadcast storm that could be triggered from this port. Hence MARS detects the anomaly and provides precautionary steps to prevent something like this from happening in the network.

So, NBA is the superset of "Network events" and "Network behaviour anomaly".

HTH..
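The sustained-utilization case described in the post above (a port at 90% "for some time") can be sketched as follows. This is an added example, not part of the original post and not MARS's own logic; the port names, the 100 Mbit/s link speed, the 60-second polling interval, the 180-second window and the sample counter values are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

COUNTER32 = 2 ** 32  # SNMP Counter32 values wrap at this modulus

@dataclass
class Sample:
    ts: int         # poll time, seconds
    port: str
    in_octets: int  # cumulative inbound byte counter, as polled

def utilization(prev, cur, speed_bps):
    """Fraction of link capacity used between two polls (tolerates one counter wrap)."""
    delta = (cur.in_octets - prev.in_octets) % COUNTER32
    return delta * 8 / (speed_bps * (cur.ts - prev.ts))

def sustained_high_ports(samples, speed_bps, threshold=0.90, min_duration=180):
    """Map port -> (start_ts, end_ts) of its latest run at/above threshold lasting >= min_duration s."""
    alerts, last, run_start = {}, {}, {}
    for s in sorted(samples, key=lambda x: (x.port, x.ts)):
        prev, last[s.port] = last.get(s.port), s
        if prev is None or s.ts <= prev.ts:
            continue  # first poll for this port, or duplicate/out-of-order timestamp
        if utilization(prev, s, speed_bps) >= threshold:
            start = run_start.setdefault(s.port, prev.ts)
            if s.ts - start >= min_duration:
                alerts[s.port] = (start, s.ts)
        else:
            run_start.pop(s.port, None)  # a short spike resets the run and raises nothing
    return alerts

def constructed_samples(port, start_octets, pct_per_interval, speed_bps, step=60):
    """Build made-up counter readings from per-interval utilization percentages."""
    out, counter = [Sample(0, port, start_octets)], start_octets
    for i, pct in enumerate(pct_per_interval, 1):
        counter = (counter + pct * speed_bps * step // 800) % COUNTER32
        out.append(Sample(i * step, port, counter))
    return out

SPEED = 100_000_000  # assumed 100 Mbit/s access ports
# Constructed data: Gi0/1 stays at 95% for four polls (its counter wraps mid-run);
# Gi0/2 only shows isolated one-poll spikes.
SAMPLES = (constructed_samples("Gi0/1", 3_000_000_000, [10, 10, 95, 95, 95, 95, 10], SPEED)
           + constructed_samples("Gi0/2", 5_000_000, [10, 95, 10, 95, 10, 10, 10], SPEED))

if __name__ == "__main__":
    for port, (start, end) in sustained_high_ports(SAMPLES, SPEED).items():
        print(f"{port}: >=90% utilization from t={start}s to t={end}s")
```

Requiring a minimum duration is what separates a sustained condition from a one-poll burst, and taking the counter difference modulo 2^32 keeps a counter wrap from reading as a drop in traffic.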

I really don't agree with your statement here:

"MARS is one big solution for Network Behaviour Analysis" Perhaps a more fair comment would be "MARS is great at SIM/SEM/STM and does provide 'some' Network based Behavior analysis features".

Does it support Cflow, Sflow? What about the reports? And some of the other fancy stuff offered by the products mentioned in the network world link?

Regards

Farrukh

Well, it all depends on the requirement. If it gets fulfilled by Netflow, why would someone bother to go for Sflow or Cflow?

And if it's about being futuristic, then yes, but again, some fancy stuff like "Flexible netflow" and "IPFIX" is not even mentioned in the network world link. So does it mean that those products are just "great", not a "big" solution? Maybe it's just a word game, but as I said, NBA is not just anomaly detection, but it is the superset of event generation/correlation and anomaly detection.

regards,

Mohsin

Thank you for your valuable comments, I assume by 'futuristic' you mean 'scalable'?

Because CFlow or SFlow are not things of the future; they run on hundreds of networks :)

A good consultant always proposes a scalable solution (subject to cost/other constraints) :). I myself proposed the MARS solution to someone (on this same forum) but after looking at it closely in terms of Traffic analysis......

Take Care

Farrukh

I agree..

I hope this is what you wanted to hear from me :) ???

Let's close this discussion. :)

regards,

Mohsin

By the way, I just got an email from Solarwinds that they are offering a free Netflow Analyzer supporting Netflow/Cflow/Jflow.

http://www.solarwinds.com/

Regards

Farrukh

P.S. I have no affiliation with Solarwinds :)
