Published: 01 Feb 2002
Network Flight Recorder (NFR) was originally built to be exactly what its name indicates: a data recorder/evidence collector/audit tool. In many ways, NFR was the first tool developed in this new network forensic analysis market space. However, due in part to timing and customer needs, NFR focused more on the IDS aspects.
"We were a little ahead of ourselves with NFR," says Marcus J. Ranum, founder and CTO of NFR Security. When NFR was first introduced, demand was higher for IDSes than for a system that could act as a general-purpose network analyzer, data monitor and recorder. "What we did, because everyone kept comparing us to ISS [Internet Security Systems], was program our system to act primarily as an IDS -- but we maintained our audit focus."
The first generation of IDSes would look at traffic and signal when they saw something wrong. Most of those systems back-evolved so that they also logged traffic traces, packets, etc. NFR, on the other hand, actually evolved the other way.
In addition to its IDS capabilities, NFR can do packet capture, traffic analysis and statistics for anomaly detection. The NFR NID is programmable, so you can set it to record just about anything observable about a packet, a traffic stream or its statistics. Those capabilities are used mostly for implementing IDS logic, but the product still records URLs and session start/stop/duration, legacies of NFR's audit-oriented approach.
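The audit-style output described above (session start, stop and duration, plus the URLs requested in each session) is easy to sketch. The following is an added illustration, not NFR code or its N-code language: it reduces a small, constructed packet stream to per-session audit records. The `Packet` format, the flag letters and the sample addresses are all assumptions made for the example.

```python
"""Session/URL audit records from a constructed packet stream.

Added illustration, not NFR code. It models the audit-oriented output the
article attributes to NFR (session start/stop/duration and requested URLs)
using a hypothetical Packet record and hand-made sample packets.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    ts: float          # capture timestamp, seconds (constructed)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str         # subset of "SAFR": SYN, ACK, FIN, RST (constructed)
    payload: bytes = b""


@dataclass
class Session:
    client: str
    server: str
    sport: int
    dport: int
    start: float
    end: Optional[float] = None
    urls: list = field(default_factory=list)

    @property
    def duration(self) -> Optional[float]:
        # None while the session is still open (no FIN/RST seen yet)
        return None if self.end is None else round(self.end - self.start, 3)


def _key(p: Packet):
    # Normalize direction so both halves of a flow share one key.
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a < b else (b, a)


def _request_url(payload: bytes) -> Optional[str]:
    """Return scheme+Host+path for a plain HTTP/1.x request, else None."""
    try:
        head, _, _ = payload.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, path, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/"):
        return None
    host = next((ln.split(":", 1)[1].strip() for ln in lines[1:]
                 if ln.lower().startswith("host:")), "")
    return f"http://{host}{path}"


def audit(packets):
    """Reduce raw packets to per-session audit records: the 'what does it
    mean' summary rather than the packets themselves."""
    sessions = {}
    for p in sorted(packets, key=lambda pk: pk.ts):
        k = _key(p)
        if "S" in p.flags and "A" not in p.flags:       # client SYN opens a session
            sessions[k] = Session(p.src, p.dst, p.sport, p.dport, p.ts)
            continue
        s = sessions.get(k)
        if s is None:
            continue  # mid-stream packet with no recorded start; not audited
        if p.payload and p.dst == s.server:             # client -> server data
            url = _request_url(p.payload)
            if url:
                s.urls.append(url)
        if "F" in p.flags or "R" in p.flags:            # last FIN/RST closes it
            s.end = max(s.end or 0.0, p.ts)
    return list(sessions.values())


SAMPLE = [  # constructed packets, not captured traffic
    Packet(100.000, "10.0.0.5", 51000, "192.0.2.10", 80, "S"),
    Packet(100.010, "192.0.2.10", 80, "10.0.0.5", 51000, "SA"),
    Packet(100.020, "10.0.0.5", 51000, "192.0.2.10", 80, "A",
           b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet(100.300, "192.0.2.10", 80, "10.0.0.5", 51000, "A",
           b"HTTP/1.1 200 OK\r\n\r\n..."),
    Packet(100.350, "10.0.0.5", 51000, "192.0.2.10", 80, "A",
           b"GET /about HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet(101.500, "10.0.0.5", 51000, "192.0.2.10", 80, "FA"),
    Packet(101.520, "192.0.2.10", 80, "10.0.0.5", 51000, "FA"),
    Packet(105.000, "10.0.0.7", 40000, "192.0.2.20", 22, "S"),  # still open
]

if __name__ == "__main__":
    for s in audit(SAMPLE):
        print(f"{s.client}:{s.sport} -> {s.server}:{s.dport} "
              f"start={s.start} end={s.end} dur={s.duration} urls={s.urls}")
```

Eight packets collapse into two records, one of which is still open; that reduction is the point Ranum makes about telling the operator the significance of the packets rather than handing over the packets.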
"Our customers were not very technically sophisticated, and they wanted high-level analysis, which equated to intrusion detection," Ranum says. "Capturing everything that comes in on every interface is really not very useful. Customers would say, 'now that we have all this data, what do we do with it?' The real value of intrusion detection capability is diagnosing what is going on. You take raw packets and specify what they mean. To me, that is the value of an IDS capability. Collecting packets is easy. What you really want to do is tell the person the significance of those packets."
Ranum cites his first law of intrusion detection: "Never collect more data than you could conceivably want to look at. If you don't know what to do with the data, it doesn't matter how much you've got."