Network Flight Recorder releases new network monitoring software
Provides powerful TCP filtering for network managers
Marcus Ranum, president and CEO of Network Flight Recorder, explains how the company's recently released product, NFR 1.5, works. It is designed to make networks secure from intrusion and to help network managers find out who's trying to hack into their systems: "The way [NFR] works is you basically have an interface that listens in promiscuous mode so that you pull all the traffic that goes on the network. We then have a TCP reassembly engine which sequences and reassembles all the TCPs that go by."
In the next layer, "We then apply a filtering specification so that you can watch for all TCPs going between here and here on this type of port or this type of protocol. So there's this very powerful filtering language that's then applied to the TCP streams. You can also set filters on events that might occur," says Ranum.
There are two different ways to install NFR. "We make the complete source code for our product freely available off the Web," Ranum says. A network manager has two choices: "If they're not afraid to touch a compiler, and they know what they're doing, they could just pull our code off the 'Net and install it. If they're afraid to touch a compiler, they could buy a PC with it already installed."
Use of NFR requires little effort. "Basically it just sits there and keeps recording things and anytime [network managers] want to pull the data off they've recorded, they just go to it and query the data right off it," says Ranum. He adds, "If there's a specific thing they wanted to record that wasn't part of the basic package that we include, then they could write their own request order in our programming language and be able to record that data as well."
Into the core
The programming language used to create NFR is one part of this product that is being questioned by Brian Sefton, CEO of Fastlane Software Systems. Fastlane produces Xni, a network analysis tool similar to NFR. Sefton says the product is written in N, which is a language used for creating video games. "Our product is written in C," says Sefton. "For that reason it's much more portable across platforms. Our Java front end and our HTML is portable already across all platforms."
Ranum explains that he wrote U, which is an interpreter for a game that he wrote. "In the process of developing U, I wrote this extremely fast, very flexible interpreter. So when we decided we were going to write NFR, we needed a really fast, flexible interpreter. So I dusted off the U interpreter, and we used the core of the U interpreter to implement the NFR N code language."
Ranum says designing a language for this type of product is a really difficult thing to do. "You've got to get the abstractions right. We put a great deal of effort into thinking of a set of abstractions for the language for doing traffic analysis. That was hard."
Ranum and his co-workers started with a completely procedural language and realized the language had to be event driven. "In order to make the performance quick enough we had to make it so that the lower level engines that sequence TCP would call a procedure when the sequencing found something, rather than the procedural approach that would look at everything and decide if there was a match."
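The design Ranum describes, a reassembly engine that sequences TCP segments and calls a procedure when a filter matches instead of scanning everything procedurally, can be sketched as follows. This is an added Python illustration, not NFR's code or its N-code language; the class, its method names and the sample segments are constructed for the example.

```python
from collections import defaultdict

MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

class Reassembler:
    """Orders TCP segments per flow and fires handlers on in-order data."""

    def __init__(self):
        self.handlers = []                # (filter predicate, callback) pairs
        self.next_seq = {}                # flow -> next expected sequence number
        self.pending = defaultdict(dict)  # flow -> {seq: payload} held for gaps

    def on_stream(self, predicate, callback):
        """Register a callback for flows the predicate selects."""
        self.handlers.append((predicate, callback))

    def segment(self, src, sport, dst, dport, seq, payload=b"", syn=False):
        flow = (src, sport, dst, dport)
        if syn:                           # SYN consumes one sequence number
            self.next_seq[flow] = (seq + 1) % MOD
            return
        if flow not in self.next_seq or not payload:
            return                        # unseen flow or bare ACK: nothing to do
        if (seq - self.next_seq[flow]) % MOD >= MOD // 2:
            return                        # already delivered (retransmission)
        self.pending[flow][seq] = payload
        # Drain every segment that is now contiguous; partial overlaps are
        # not trimmed in this sketch.
        while self.next_seq[flow] in self.pending[flow]:
            data = self.pending[flow].pop(self.next_seq[flow])
            self.next_seq[flow] = (self.next_seq[flow] + len(data)) % MOD
            for predicate, callback in self.handlers:
                if predicate(flow):
                    callback(flow, data)  # event: in-order bytes on a watched flow

def demo():
    """Constructed sample traffic: one HTTP flow out of order, one SMTP flow."""
    seen = []
    engine = Reassembler()
    engine.on_stream(lambda flow: flow[3] == 80, lambda flow, data: seen.append(data))
    web = ("10.0.0.5", 40000, "10.0.0.9", 80)
    mail = ("10.0.0.5", 40001, "10.0.0.9", 25)
    engine.segment(*web, seq=999, syn=True)
    engine.segment(*mail, seq=4999, syn=True)
    engine.segment(*web, seq=1008, payload=b"ex.html HTTP/1.0\r\n")  # arrives early
    engine.segment(*mail, seq=5000, payload=b"HELO example.test\r\n")  # not watched
    engine.segment(*web, seq=1000, payload=b"GET /ind")              # fills the gap
    engine.segment(*web, seq=1000, payload=b"GET /ind")              # retransmission
    return seen
```

The handler sees the HTTP request bytes in sequence order exactly once, and never sees the SMTP flow, because the filter is evaluated only when the sequencer has contiguous data to hand over.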
"The main thing that we've done that's unique is that we've made our engine extremely flexible," says Ranum. He explains the difference between Xni and NFR using a house analogy: "Fastlane has given you the house with all the windows, carpeting, and doors completely in place. NFR gives customers wood, bricks, and mortar, and says go to town. It's a different mindset. If you don't like the pink tiles in Fastlane's product, you're stuck. You can do whatever you want with ours."
Where they fit in the market
"These products are very new," says Paul Merenbloom, a computer software analyst for Prudential Securities. "These products are not SNMP (Simple Network Management Protocol) tools. These tools would be complementary to, or potentially plug into, HP OpenView or SunNet Manager. The purpose of these products is to provide additional information."
"The problem today is that in many instances organizations realize that they are not getting the necessary throughput. Ergo, the introduction of tools like these provides network managers a better way to get information. One can put together a complete view of the network," says Merenbloom.
"NFR is delivering today something that's kind of off the shelf and ready to go. You also have this powerful engine sitting underneath that you can use for a lot of other things," he says. He urges the private industry to get a hold of NFR because of its potential for demographic research.
"NFR's engine technology can be applied, not just to the security aspect of what we've looked at, but perhaps even better is that the application be brought in-house as a management monitoring tool to find out where these people are coming from and what they are doing there," says Merenbloom. "Somebody came to your site, and they found something that garnered their attention, then what happened? 'Uh, I don't know.' The applications, or the use of this type of an environment, are, to my way of thinking, as great if not greater in the private industry environments as perhaps we have seen in the public Web environment."
Merenbloom cites an example we're all familiar with: the mall. If someone watched us shopping in a mall three or four times, he or she could understand our shopping habits and understand better how to market or position a product.
And so it is with shopping on the Web. If companies obtained this tool to see how their site was visited and how long each surfer spent on each Web page, this could help determine how companies could position their Web pages to maximize revenue.
Because of products like NFR, you may want to think twice before visiting the Dilbert Zone or e-mailing Aunt Sally in Wichita while at work. Ranum asserts that, although observing an employee's network traffic is possible, companies won't buy NFR expressly for that purpose.
"NFR could be the ultimate form of big brother," says Ranum. Products capable of spying on employees have been around for a long time, he says. It seems plausible, however, that employers who buy these tools to make certain no unwanted hacker gets into their network can just as easily monitor what and who goes outside the network.
"People ask us, aren't hackers gonna grab NFR and use it to grab passwords. Well, it would make a great technology for grabbing passwords, but they already have things that are specifically designed to grab passwords," says Ranum. "They wouldn't use a general-purpose tool like we've got. It's kind of like swatting at a fly with a hand grenade to use our stuff."
Since NFR released its code on the Web on January 1st, Ranum says they've had 1200 downloads. While the product is freely available, licensing agreements of course are likely to follow: "We retain the commercial rights for the software, which means if you're a network manager you can play with [NFR] until you're purple in the face." But, "as soon as you say, 'Hey this is really cool stuff. Why don't I package [NFR] on a SPARC and let's sell it to our customers.' At this point, we'd expect you to give us a call, and we'd work out some kind of a deal. If you're selling it to your customers, we want them."