The NI-LAN system is a high-performance, logic-intensive network monitoring system that has been hardened over the years. The NI-LAN software is highly customizable to meet specific monitoring applications. Within your environment the emphasis may be on providing the information required for detailed network forensic analysis and for Information Assurance purposes as an extension to the intrusion detection services provided within your group. The emphasis may be on turning over complete session content files for review by law enforcement authorities.

The NI-LAN System is designed to provide an integrated approach toward securing, planning for and managing internetworking communication routers and gateways.

Key features:
- 10/100 Mbps connection to an Ethernet segment.
- real-time monitoring on up to 1000 concurrent sessions.
- complete data capture of all packets on all sessions.
- five classes of cumulative session file filtering.
- real-time session security auditing.
- real-time security alerting and reporting.
- real-time identification of server access.
- real-time display of remote and local IP address.
- NIC address associated to all local IP addresses.
- real-time display of active sessions.
- replay display of active sessions.
- replay display of completed session.
- background session security auditing and searching.
- account reporting by IP address.
- automatic IP address naming.
- audit reporting by IP address.
- capacity planning measurement and reporting.
- Ethernet Protocol Type accounting and reporting.
- IP Port accounting and reporting.
- Historical trend information on Port and Protocol Usage.
- Removable disk drive.
- Surrogate System processing.
- Archival/Retrieval.

NI-LAN applications within your environment include:
- Monitor all network activity to develop a dynamic profile of the use of network resources. The monitoring and reporting of network activity based on actual packet content auditing provides a quite different view of activity from what may be culled from server logs, firewall logs, profiling software or from intrusion detection systems. Unexpected and suspicious patterns of activity are often revealed through packet content auditing that otherwise would go undetected.
- Monitor for network forensics and investigative purposes to establish a complete and permanent record of all activity on all addresses, an address range, or specific addresses. Once an investigation is initiated, it is essential to preserve as much evidence as possible. Monitoring and the preservation of evidence are an essential part of any specific investigative process and a requirement for network forensics.
- Monitor outside the firewall to evaluate activity on known or unknown "holes" as defined within firewall control lists. Alternatively, specify the firewall address to the :BYPASS: function to discard all packets to or from the address of the firewall. Use of the :BYPASS: function in this manner outside the firewall would then highlight capricious or intrusive activity.
- Use the :TRACK: function to monitor any Dial-In Point-to-Point Protocol usage. The tracking screen would then detail time of last activity, byte counts and peak concurrency associated with PPP usage. The tracking screen would highlight if any users are unnecessarily maintaining a connection but doing nothing and thereby distorting capacity requirements. Tracking PPP sessions frequently reveals unusual and unauthorized usage.

To learn more about NI-LAN, click on the NI-LAN System Overview (White Paper) [HTML version] [PDF version].