I have been asked to take a look at Deep Packet Capturing - a technology used to capture and store network packets. The keyword here is Capturing. The point is to capture and store networking traffic for (possible) later analysis and modeling.
One of the suppliers is Solera Networks, which offers appliances to capture and store information on your network at high speed - up to 10Gbit/s.
Why do you want this kind of tool?
So far, you have a Deep Packet Inspection tool, you save and analyze logs, and you also monitor your network. Then, one day, the police knock on your door (or, heaven forbid, the media). Your logs and day-to-day analysis will only take you (and the police) so far. You may pick up some irregularities from the past, but most likely you will not be able to rebuild and document the actual data stream. You end up with poorly documented speculations.
With a Deep Packet Capturing device, chances are that you would not only be able to figure out what happened, when, and who did what, but you would also be able to replay the sequence, re-analyze it and, most importantly, document the whole process. In addition, you would be able to develop and test new rules for finding irregularities without having to risk your day-to-day network flow. When your new rules are designed and tested, you can implement them.
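Offline rule testing against a stored capture, as an added example that is not code from the post or from Solera Networks: it writes a small constructed pcap of raw IPv4/TCP packets, reads it back, and runs a candidate rule over it, which is the workflow the paragraph describes. The addresses, the `port_scan_rule` name and its threshold are assumptions chosen for the illustration.

```python
import struct
import socket
from collections import defaultdict

LINKTYPE_RAW = 101  # pcap link type for raw IPv4 packets (no Ethernet header)


def ipv4_tcp_packet(src, dst, sport, dport, payload=b""):
    """Build a minimal IPv4+TCP SYN. Checksums stay zero: constructed data."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload


def write_pcap(packets):
    """Serialise (timestamp, packet_bytes) pairs into the classic pcap format."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    for ts, pkt in packets:
        sec, usec = int(ts), int((ts - int(ts)) * 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt
    return out


def read_pcap(data):
    """Yield (timestamp, src, dst, sport, dport) for each TCP record."""
    magic, = struct.unpack("<I", data[:4])
    assert magic == 0xA1B2C3D4, "only little-endian microsecond pcap handled"
    off = 24  # skip the global header
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if pkt[9] != 6:  # IP protocol field: not TCP
            continue
        ihl = (pkt[0] & 0x0F) * 4
        src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        yield sec + usec / 1e6, src, dst, sport, dport


def port_scan_rule(pcap_bytes, threshold=5):
    """Candidate rule (hypothetical): flag sources touching more than
    `threshold` distinct destination host/port pairs in the capture."""
    seen = defaultdict(set)
    for _, src, dst, _, dport in read_pcap(pcap_bytes):
        seen[src].add((dst, dport))
    return sorted(s for s, pairs in seen.items() if len(pairs) > threshold)


# Constructed capture: one normal client and one host sweeping ports 20..29.
SAMPLE = write_pcap(
    [(1.0 + i, ipv4_tcp_packet("10.0.0.5", "10.0.0.80", 40000 + i, 443)) for i in range(3)]
    + [(10.0 + i, ipv4_tcp_packet("10.0.0.99", "10.0.0.80", 50000 + i, 20 + i)) for i in range(10)]
)
```

Because the rule runs on the stored bytes rather than on live traffic, the threshold can be tuned and re-run as often as needed before anything touches the production sensor.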
Compliance
Compliance is still an important buzzword around the security space. One of the compliance issues requires you to save quite large amounts of data - usually from solutions and technology not designed to give you easy access to the very same data. A Deep Packet Capturing device may be an easy and cheap way to comply with such regulations.
If you are an ISP or VoIP service provider in the US, you also need to comply with CALEA. Capturing and monitoring VoIP data may be a challenge, and Solera Networks claims its CALEA Appliance is a low-cost solution tackling this very challenge.
Virtualization
Another buzzword these days is Virtualization. Now, virtualization itself is not without risk, but considering the upside of fewer physical devices, lower power consumption and easier (at least in theory) administration, I think virtualization is here to stay. It just makes business sense.
Thus, I like the fact that some of the Solera Networks devices are also available as VMware Virtual Appliances. This also means I can easily test-run these devices in my lab if I so desire.
I like new technology and new ideas. With the low cost of storage these days, a Deep Packet Capturing device makes perfect sense to me.