
Network Forensics is Affordable for Most Businesses


Regulatory requirements such as Sarbanes-Oxley and HIPAA, along with the rise of cyber crime, have heightened interest in computer security. Organizations have started to purchase monitoring systems that not only support network forensics but also help them understand what information is moving over their key network connections, which are frequently WAN and Internet links. Network forensics requires the capture, recording, and analysis of network events, which in turn requires a packet capture tool with analysis capabilities. A network analyzer is a natural backbone for such a system: most products have strong post-capture filtering and also provide network health statistics.

System Requirements

Today's advanced processors and high-capacity storage make it possible to store large amounts of packet capture data. Although bandwidth has increased for many homes and small businesses with broadband access, the majority of businesses still rely on T1 connectivity (1.544 Mbps) for Internet or WAN connections. At full utilization, a T1 carries approximately 17 gigabytes in 24 hours (1.544 Mbps divided by 8 bits per byte, times 86,400 seconds). But traffic is not a steady-state phenomenon: it fluctuates a lot and is "bursty," so a link can be fully utilized one moment and completely empty the next, and utilization is usually very low during non-business hours. Most companies can therefore store several weeks of data on a modern system with the addition of a second 300-gigabyte drive.

Monitoring significant bandwidth, such as Gigabit or trunked Gigabit links, requires special considerations, and a number of factors come into play. Disk is far slower than memory, so RAID storage may be required, and specialized capture NICs may be needed to capture the data and buffer what is written to disk. The products on the market are designed to recycle storage on a first-in, first-out basis so that a rolling history is preserved. Some products can monitor a T1 link for as little as $5,000.

There is a great disparity in price, architecture, and features. High-end pricing from some vendors can approach $100,000. Appliances may be required at the high end, whereas the low end can be fulfilled with a software solution. The following table illustrates the storage in gigabytes needed to provide hours or days of history on heavily utilized WAN connections. It assumes a continuous level of usage 24/7, which is not likely in most business networks. For businesses that run 8:00 to 5:00, the requirement drops to roughly a third (9 of 24 hours), and it can probably be halved again, since it is unlikely that most businesses use all of their bandwidth continuously during office hours. A 300-gigabyte drive could therefore easily provide weeks of storage for many businesses with a T1 connection.

Storage Requirements needed for Network Forensics with common WAN Connections

www.operativesoft.com. He has over 20 years of experience in the computer field, primarily providing software solutions for managing enterprise systems. Operative Software Products operates in the United States and Canada and markets software that builds, tests, diagnoses, and operates the IT infrastructure.
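As an added example (not code from the original article or from Operative Software), the following Python calculator carries the sizing reasoning above through for a set of common link rates and lets you plug in your own duty cycle, disk size, and capture-file size. The link rates, the 16-byte libpcap per-packet record header, the 5% headroom default, and the sample parameters in the main block are my assumptions, not figures from the article.

```python
"""Added example: capture-storage sizing for network forensics.

Not from the original article. Assumptions (mine): nominal DS1/DS3 and
Ethernet line rates, libpcap savefile framing (16-byte record header per
packet), and decimal gigabytes as disk vendors advertise them.
"""
import math

GB = 1_000_000_000           # decimal gigabyte
SECONDS_PER_HOUR = 3600
PCAP_RECORD_HEADER = 16      # ts_sec, ts_usec, incl_len, orig_len: 4 bytes each

# Nominal line rates in bits per second (assumed set of "common WAN connections").
LINK_RATES_BPS = {
    "T1": 1_544_000,
    "T3": 44_736_000,
    "100 Mbps Ethernet": 100_000_000,
    "Gigabit Ethernet": 1_000_000_000,
}


def pcap_overhead_factor(avg_packet_bytes):
    """Multiplier for libpcap framing: every packet gains a 16-byte record header.

    avg_packet_bytes is the mean captured frame size; 500-byte frames cost 3.2% extra.
    """
    if avg_packet_bytes <= 0:
        raise ValueError("average packet size must be positive")
    return (avg_packet_bytes + PCAP_RECORD_HEADER) / avg_packet_bytes


def bytes_per_day(rate_bps, utilization=1.0, hours_per_day=24.0, avg_packet_bytes=None):
    """Bytes written to disk per calendar day.

    utilization      - average fraction of the line rate in use during active hours
    hours_per_day    - hours per day the link carries traffic worth keeping
    avg_packet_bytes - if given, add libpcap per-packet header overhead
    """
    if not 0.0 <= utilization <= 1.0:
        raise ValueError("utilization must be between 0 and 1")
    if not 0.0 <= hours_per_day <= 24.0:
        raise ValueError("hours_per_day must be between 0 and 24")
    payload = rate_bps / 8 * utilization * hours_per_day * SECONDS_PER_HOUR
    if avg_packet_bytes is not None:
        payload *= pcap_overhead_factor(avg_packet_bytes)
    return payload


def days_of_history(disk_gb, rate_bps, **kwargs):
    """Days of rolling history disk_gb holds before first-in, first-out recycling starts."""
    per_day = bytes_per_day(rate_bps, **kwargs)
    return math.inf if per_day == 0 else disk_gb * GB / per_day


def ring_buffer_files(disk_gb, file_size_mb, reserve_fraction=0.05):
    """Number of fixed-size capture files a FIFO ring can keep on disk_gb.

    file_size_mb is in millions of bytes (the unit tcpdump's -C option uses).
    reserve_fraction (assumed default 5%) leaves headroom for the file currently
    being written and for any index files the analyzer keeps beside the captures.
    """
    usable = disk_gb * GB * (1.0 - reserve_fraction)
    return int(usable // (file_size_mb * 1_000_000))


def storage_table(disk_gb, utilization=1.0, hours_per_day=24.0):
    """Per-link summary: GB written per day and days of history on disk_gb."""
    rows = {}
    for name, rate in LINK_RATES_BPS.items():
        per_day = bytes_per_day(rate, utilization, hours_per_day)
        rows[name] = {
            "gb_per_day": round(per_day / GB, 2),
            "days_on_disk": round(disk_gb * GB / per_day, 1),
        }
    return rows


if __name__ == "__main__":
    # Worst case from the article: a saturated T1, 24 hours a day, on a 300 GB drive.
    print("Saturated T1, 24x7:", storage_table(300)["T1"])
    # A more realistic office: 8:00 to 5:00 at half utilization on the same drive.
    print("T1, 9 h/day at 50%:", storage_table(300, 0.5, 9)["T1"])
    # Gigabit shows why RAID and capture NICs are needed at the high end.
    print("Gigabit, 24x7:", storage_table(300)["Gigabit Ethernet"])
    print("1000 MB ring files on 300 GB:", ring_buffer_files(300, 1000))
```

The saturated-T1 row comes out at about 16.7 GB per day, matching the article's "approximately 17 gigabytes," and roughly 18 days on a 300 GB drive; the 9-hours-at-50% case stretches the same drive to about 96 days. The Gigabit row (10,800 GB per day) is the reason the high end needs RAID and capture NICs rather than a single SATA disk.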