I have been leading webinars about our newest product, Savvius Insight, a mini-appliance for monitoring and troubleshooting remote 100Mbps networks. This little device sits in-line between the cable modem and the router, capturing and analyzing network traffic that can be viewed in Omnipeek for in-depth troubleshooting or sent to a long-term reporting solution like Splunk. You can watch a recap of the webinars on YouTube: https://www.youtube.com/watch?v=Cu09sp7nmiQ
The great thing about webinars is the questions at the end. Recently, one of the questions was about the difference between Savvius Vigil and Savvius Insight. One way to answer this is by physical size: Savvius Vigil is a large 3U appliance for the data center with 64TB of disk space, and Savvius Insight is a mini-appliance with 128GB of SSD. The functional answer is that Savvius Vigil integrates with security detection systems to enable network forensics in breach investigations, while Savvius Insight, like Omnipeek and Omnipliances, is designed for network performance diagnostics.
But packet intelligence is at the heart of both products, as it is of any complete security solution. In fact, even though Savvius Vigil has its own client for viewing and filtering security alerts, when it is time to perform a security investigation we launch Omnipeek and load into it the packets related to the selected alerts. Omnipeek's network analytics are then used to investigate the breach and trace it back to its source.
We also use Omnipeek with Savvius Insight to investigate network traffic, so Savvius Vigil and Savvius Insight, although very different, are both good platforms for security investigations. Use Savvius Vigil for large data centers, and Savvius Insight for smaller 100Mbps remote networks. Although Savvius Insight does not integrate with security detection systems, it does have very powerful filtering capabilities. In fact, Savvius Insight already comes pre-loaded with some good examples of security filters.
Using the advanced graphical filter layout editor in Omnipeek, you can define custom filters that capture only security-related packets, and you can run any number of security filters simultaneously in Savvius Insight. A simple example is a filter of blacklisted IP addresses or ports; in Savvius Insight you can add any number of addresses and ports to the same filter.
Another example is an SSL/TLS handshake filter. A value filter matches a byte value at a given offset relative to a particular layer, such as TCP, so the handshake can be recognized by the record-type and handshake-type bytes that begin a TLS handshake message in the TCP payload. You might also filter on every SYN packet (SYN set, ACK clear, so the server's SYN/ACK replies are not counted a second time), giving you a bird's-eye view of every connection attempt on your network.
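The filters just described, written out as an added example in pure Python rather than as Omnipeek or Savvius Insight configuration: an address/port blacklist carrying several entries in one filter, a SYN-only filter, a value-at-offset filter for the TLS ClientHello relative to the start of the TCP payload, and a payload keyword filter. The Ethernet/IPv4/TCP frames, the blacklist entries and the keyword list are constructed for the example; the byte values checked by the TLS filter (record type 0x16, version 0x03xx, handshake type 0x01) come from the TLS record format, and the payload offset is computed from the TCP header length so that TCP options do not shift it.

```python
"""Added example: Omnipeek-style security filters over hand-built frames.
Not Omnipeek or Savvius Insight code; frames, blacklist and keywords are constructed."""
import ipaddress
import struct

TCP_SYN, TCP_ACK = 0x02, 0x10


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Build a minimal Ethernet + IPv4 + TCP frame (zero checksums, no options)."""
    eth = bytes(12) + b"\x08\x00"                        # dst/src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000,
                     64, 6, 0, ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Decode the Ethernet/IPv4/TCP headers; return None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:                                    # IP protocol field: not TCP
        return None
    tcp = 14 + ihl                                        # start of the TCP layer
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4                 # TCP header length
    return {
        "src": str(ipaddress.IPv4Address(frame[26:30])),
        "dst": str(ipaddress.IPv4Address(frame[30:34])),
        "sport": sport, "dport": dport,
        "flags": frame[tcp + 13],
        "payload": frame[tcp + data_off:],                # offset data_off from TCP layer
    }


def blacklist_filter(pkt, bad_ips, bad_ports):
    """One filter holding any number of addresses and ports, matched in both directions."""
    return (pkt["src"] in bad_ips or pkt["dst"] in bad_ips
            or pkt["sport"] in bad_ports or pkt["dport"] in bad_ports)


def syn_filter(pkt):
    """Connection attempts only: SYN set and ACK clear, so SYN/ACK replies are excluded."""
    return pkt["flags"] & (TCP_SYN | TCP_ACK) == TCP_SYN


def tls_client_hello_filter(pkt):
    """Value-at-offset filter relative to the TCP payload: TLS record type handshake
    (0x16), version 0x03xx, first handshake message ClientHello (0x01) at offset 5."""
    p = pkt["payload"]
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01


def payload_keyword_filter(pkt, terms):
    """Pattern filter: any of the given byte strings appears in the payload."""
    return any(t in pkt["payload"] for t in terms)


# Constructed sample traffic (not a real capture): a client SYN and ClientHello to a
# web server, a beacon to a blacklisted host/port, and the server's bare ACK.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "93.184.216.34", 51000, 443, TCP_SYN),
    build_frame("10.0.0.5", "93.184.216.34", 51000, 443, 0x18,
                b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),  # start of a ClientHello
    build_frame("10.0.0.7", "198.51.100.7", 49152, 4444, 0x18, b"cmd=whoami\n"),
    build_frame("93.184.216.34", "10.0.0.5", 443, 51000, TCP_ACK),
]
BAD_IPS = {"198.51.100.7"}            # assumed blacklist entries
BAD_PORTS = {4444, 6667}
KEYWORDS = [b"whoami", b"/bin/sh"]    # assumed search terms


def run_filters(frames):
    """Run every filter over the frames; return {filter name: [matching frame indexes]}."""
    filters = {
        "blacklist": lambda p: blacklist_filter(p, BAD_IPS, BAD_PORTS),
        "syn": syn_filter,
        "tls_client_hello": tls_client_hello_filter,
        "keyword": lambda p: payload_keyword_filter(p, KEYWORDS),
    }
    hits = {name: [] for name in filters}
    for i, frame in enumerate(frames):
        pkt = parse_frame(frame)
        if pkt is None:
            continue                                      # not IPv4/TCP: skip
        for name, fn in filters.items():
            if fn(pkt):
                hits[name].append(i)
    return hits


if __name__ == "__main__":
    for name, idx in run_filters(SAMPLE_FRAMES).items():
        print(f"{name:17s} matched frames {idx}")
```

Running the block reports the SYN filter matching only frame 0, the ClientHello filter only frame 1, and both the blacklist and keyword filters frame 2; the server's ACK in frame 3 matches nothing, which is the point of checking the ACK bit in the SYN filter. Because the TLS check keys off the payload offset rather than a fixed offset from the start of the frame, it still matches when the TCP header carries options.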
With so many different powerful filter types at our disposal, we can design a filter for virtually any type of packet we want to capture. For other ideas on using filters for security, see the network-security posts on the Savvius blog: https://www.savvius.com/category/network-security/.
We want to capture only security-related packets so that we can store a longer history without using up too much storage space. When we want to do a forensic search to investigate the packets of interest, the power of Omnipeek analytics really helps. The array of high-level visualizations, such as the Peermap and Compass, helps us visualize different aspects of the network: who is talking to whom, how much, using what protocols, and when.
In some cases, this makes it obvious where the security breach occurred, where it came from, and which machines may be infected.
With Omnipeek, you can see a field-by-field decode of each packet. You can also search payloads for security-related terms, and save the payload of a flow to recreate the original file that was transferred, such as a Word document, PDF, or MP3.
In summary, Savvius Insight and Omnipeek are a great set of tools for network performance diagnostics and network security forensics. To learn more about Savvius Insight, click here.
To learn more about using Omnipeek for security, download the “Network Forensics Buyers Guide” white paper. Download here.
To learn more about Savvius Vigil, click here.
Chris Bloom, Savvius Technology Evangelist