
How security market needs transformed Network Flight Recorder

Marcus Ranum's Network Flight Recorder was poised as a forensics tool when the market demanded IDSes -- so it adapted accordingly.

Network Flight Recorder (NFR) was originally built to be exactly what its name indicates: a data recorder/evidence collector/audit tool. In many ways, NFR was the first tool developed in this new network forensic analysis market space. However, due in part to timing and customer needs, NFR focused more on the IDS aspects.

"We were a little ahead of ourselves with NFR," says Marcus J. Ranum, founder and CTO of NFR Security. When NFR was first introduced, demand was higher for IDSes rather than a system that could act as a general-purpose network analyzer, data monitor and recorder. "What we did, because everyone kept comparing us to ISS [Internet Security Systems], was program our system to act primarily as an IDS -- but we maintained our audit focus."

The first generation of IDSes would look at traffic and signal when they saw something wrong. Most of those systems back-evolved so that they also logged traffic traces, packets, etc. NFR, on the other hand, actually evolved the other way.


In addition to its IDS capabilities, NFR can do packet capture, traffic analysis and statistics for anomaly detection. The NFR NID is programmable, so you can set it to record just about anything you can observe about a packet, a traffic flow or traffic statistics. Those capabilities are used mostly for implementing IDS logic, but the product still records URLs and session start/stop/duration, legacies of NFR's audit-oriented approach.
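Ranum's distinction between collecting packets and recording their significance, as an added illustration that is not NFR's code: this Python reduces a constructed packet trace to the kind of session audit record described above (client, server, start, stop, duration, URLs requested) instead of keeping the raw packets. The packet tuple layout, the SessionRecord shape and the sample addresses are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class SessionRecord:
    client: str
    server: str
    dport: int
    start: float
    stop: "float | None" = None          # None while the session is still open
    urls: list = field(default_factory=list)

    @property
    def duration(self):
        return None if self.stop is None else self.stop - self.start

def _http_url(payload: bytes):
    """Return 'http://host/path' for a plain HTTP/1.x request, else None."""
    lines = payload.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[0] not in (b"GET", b"POST"):
        return None
    host = next((l.split(b":", 1)[1].strip() for l in lines[1:]
                 if l.lower().startswith(b"host:")), b"?")
    return f"http://{host.decode()}{parts[1].decode()}"

def audit_sessions(packets):
    """Reduce (ts, src, sport, dst, dport, tcp_flags, payload) tuples to one record per TCP session."""
    sessions = {}
    for ts, src, sport, dst, dport, flags, payload in sorted(packets):
        key = frozenset([(src, sport), (dst, dport)])     # same key for both directions
        rec = sessions.get(key)
        if rec is None:
            if "S" not in flags or "A" in flags:           # open only on the client's SYN
                continue
            rec = sessions[key] = SessionRecord(src, dst, dport, ts)
        url = _http_url(payload) if src == rec.client else None
        if url:
            rec.urls.append(url)
        if "F" in flags or "R" in flags:
            rec.stop = ts                                  # last FIN/RST seen closes it
    return list(sessions.values())

# Constructed sample trace: an HTTP session that closes and an SSH session that does not.
SAMPLE_PACKETS = [
    (0.00, "10.0.0.5", 40000, "192.0.2.10", 80, "S", b""),
    (0.01, "192.0.2.10", 80, "10.0.0.5", 40000, "SA", b""),
    (0.05, "10.0.0.5", 40000, "192.0.2.10", 80, "A",
     b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    (0.30, "10.0.0.5", 40000, "192.0.2.10", 80, "A",
     b"GET /login HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    (1.50, "10.0.0.5", 40000, "192.0.2.10", 80, "FA", b""),
    (1.52, "192.0.2.10", 80, "10.0.0.5", 40000, "FA", b""),
    (2.00, "10.0.0.7", 40001, "192.0.2.10", 22, "S", b""),
    (2.01, "192.0.2.10", 22, "10.0.0.7", 40001, "SA", b""),
]
```

A record whose stop is still None after the capture ends is itself a finding worth keeping: a half-open or never-closed session says more to an analyst than the two packets behind it.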

"Our customers were not very technically sophisticated, and they wanted high-level analysis, which equated to intrusion detection," Ranum says. "Capturing everything that comes in on every interface is really not very useful. Customers would say, 'Now that we have all this data, what do we do with it?' The real value of intrusion detection capability is diagnosing what is going on. You take raw packets and specify what they mean. To me, that is the value of an IDS capability. Collecting packets is easy. What you really want to do is tell the person the significance of those packets."

Ranum cites his first law of intrusion detection: "Never collect more data than you could conceivably want to look at. If you don't know what to do with the data, it doesn't matter how much you've got."

This was last published in February 2002
