Announcing InMon Traffic Sentinel

InMon Traffic Sentinel is now available for download. InMon Traffic Sentinel will replace InMon Traffic Server 4.0. This is a free upgrade for customers who have purchased annual maintenance. If you would like to upgrade to Traffic Sentinel, please contact InMon Support giving the hostname of your server so that we can provide a new software activation key.

To test-drive the new features, you can connect to the Traffic Sentinel demo. The major new features are:

Redesigned user interface

Traffic Sentinel's user interface has been completely redesigned to improve usability.

  • The new menu structure gives easy access to charts and data.
  • Context is preserved while navigating so that audit trail analysis is intuitive.
  • Ingress and egress traffic direction is shown in top-N charts.
  • Top-N charts show client/server relationships.

Enhanced signature-based security threat detection

One method for detecting security problems is to inspect network packets and compare them with signatures of known threats. Since sFlow exports full packet headers and a portion of the payload, performing signature recognition on these exported packets is an effective way to identify and isolate security problems. Traffic Sentinel matches sFlow data against signatures specified in Snort rule format, and extends the Snort syntax with scan rules that rapidly identify scanning behavior. Traffic Sentinel raises events on security violations that match signature rules, identifies violating hosts and their connecting switch ports, and logs packet traces for documentation and further analysis. Because sFlow exports a sample of packets, and only the leading bytes of each, this matching is suited to identifying compromised or misbehaving hosts and the ports they are attached to rather than to inspecting every packet of every flow.
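To make the mechanism concrete, here is an added example (my own code, not InMon's) of a matcher that applies a small subset of Snort rule syntax (action, protocol, addresses, ports, msg and content options, including |hex| sections) to decoded sFlow samples, plus a hypothetical "scan:N" option standing in for the scan-rule extension the text mentions; the real Traffic Sentinel syntax for scan rules is not on this page. The rules, the samples and the switch/ifIndex values are constructed, and the Sample record assumes the decoder has already pulled the addresses, ports and captured payload prefix out of the sFlow packet header.

```python
import ipaddress
import re
from collections import defaultdict, namedtuple

# One decoded sFlow packet sample. sFlow exports only the leading bytes of each
# sampled packet, so payload is the captured prefix, not the whole packet.
# agent/in_port identify the switch and ingress ifIndex the sample came from.
Sample = namedtuple("Sample", "src sport dst dport proto payload agent in_port")

# Parsed rule; scan is a hypothetical "scan:<N>" option (not real Snort syntax)
# meaning: alert when one source has touched N distinct destination ports.
Rule = namedtuple("Rule", "action proto src sport dst dport msg content scan")

RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")

def _decode_content(val):
    """Snort content strings mix text with |hex| sections: "SSH-1.99|0d 0a|"."""
    out = bytearray()
    for i, part in enumerate(val.split("|")):
        out += part.encode() if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)

def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: %r" % text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    msg, content, scan = "", [], None
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "msg":
            msg = val
        elif key == "content":
            content.append(_decode_content(val))
        elif key == "scan":
            scan = int(val)
    return Rule(action, proto, src, sport, dst, dport, msg, content, scan)

def _addr_match(spec, ip):
    """'any', an address or CIDR block, optionally negated with a leading '!'."""
    neg = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != neg

def _port_match(spec, port):
    """'any', a single port, or the Snort range form lo:hi with either end optional."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)

class Matcher:
    def __init__(self, rules):
        self.rules = [parse_rule(r) for r in rules]
        self.ports_seen = defaultdict(set)   # (rule index, source ip) -> distinct dst ports

    def check(self, s):
        """Return the (msg, detail) events that one sample raises."""
        events = []
        for i, r in enumerate(self.rules):
            if r.proto not in ("ip", s.proto):
                continue
            if not (_addr_match(r.src, s.src) and _port_match(r.sport, s.sport)
                    and _addr_match(r.dst, s.dst) and _port_match(r.dport, s.dport)):
                continue
            where = "%s on %s ifIndex %d" % (s.src, s.agent, s.in_port)
            if r.scan is not None:
                seen = self.ports_seen[(i, s.src)]
                seen.add(s.dport)
                if len(seen) == r.scan:          # fire once, when the threshold is reached
                    events.append((r.msg, "%s probed %d ports on %s" % (where, r.scan, s.dst)))
            elif all(c in s.payload for c in r.content):
                # a pattern lying beyond the captured prefix can never match here
                events.append((r.msg, "%s -> %s:%d" % (where, s.dst, s.dport)))
        return events

RULES = [   # constructed rules in the Snort subset above
    'alert tcp any any -> 10.0.0.0/8 80 (msg:"cmd.exe in HTTP request"; content:"cmd.exe"; )',
    'alert tcp any any -> any 22 (msg:"SSH-1.99 banner"; content:"SSH-1.99|0d 0a|"; )',
    'alert tcp any any -> any any (msg:"TCP port scan"; scan:5; )',
]

SAMPLES = [   # constructed samples, not captured traffic
    Sample("192.0.2.10", 40001, "10.1.1.5", 80, "tcp", b"GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\n", "sw1", 7),
    Sample("192.0.2.11", 40002, "10.1.1.6", 80, "tcp", b"GET /index.html HTTP/1.1\r\n", "sw1", 8),
] + [Sample("192.0.2.99", 50000 + p, "10.1.1.7", p, "tcp", b"", "sw2", 3) for p in (21, 22, 23, 25, 80, 110)]

def run(rules=RULES, samples=SAMPLES):
    m = Matcher(rules)
    return [e for s in samples for e in m.check(s)]
```

Running run() on the constructed data yields two events: the cmd.exe request from 192.0.2.10 on sw1 ifIndex 7, and the port scan from 192.0.2.99 once its fifth distinct port is sampled. Each event carries the switch and ifIndex from the sample, which is what turns a signature hit into a host you can isolate. Note the content check in the real product also only sees the bytes sFlow captured; a signature keyed on bytes deep in the payload will not fire.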

Traffic anomaly detection

The overall behavior of a host may indicate a problem, even if none of its individual transactions trigger a packet signature rule. Traffic anomaly detection is a powerful technique for profiling behavior, highlighting policy violations, and identifying new threats. Traffic Sentinel analyzes network wide traffic patterns and highlights and characterizes anomalies such as access policy violations, port scanning and trojan activity, unauthorized NAT routers, ARP storms, new services, and new hosts.
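As an added illustration of behavioral profiling (my own code, not InMon's; the actual Traffic Sentinel heuristics are not described on this page), the example below applies three of the checks the paragraph lists to constructed flow records derived from sFlow samples: a NAT-router heuristic based on TTL values seen at the first hop, new-service detection against a baseline learned in an earlier period, and ARP-storm detection that scales per-second sample counts by the sFlow sampling rate. The initial-TTL set, the thresholds, the assumed sampling rate of 100 and all addresses are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass
class Flow:
    """A flow record derived from a decoded sFlow sample (constructed here)."""
    ts: int
    src_mac: str
    src_ip: str
    sport: int
    dst_ip: str
    dport: int
    proto: str      # "tcp", "udp" or "arp"
    ttl: int        # IP TTL as seen at the first-hop switch (0 for ARP)

COMMON_INITIAL_TTLS = {32, 64, 128, 255}   # usual OS defaults (assumption)
ARP_STORM_PER_SEC = 200                    # alert threshold, packets/s (assumption)

def detect_nat(flows, min_samples=10, ratio=0.9):
    """Hosts whose TTL at the first hop is almost always one below a common
    initial TTL have a router in front of them, e.g. an unauthorised NAT box.
    Not a proof: an OS with an unusual default TTL would also land here."""
    ttls = defaultdict(Counter)
    for f in flows:
        if f.proto != "arp":
            ttls[(f.src_mac, f.src_ip)][f.ttl] += 1
    suspects = []
    for host, seen in ttls.items():
        total = sum(seen.values())
        behind = sum(n for t, n in seen.items() if t + 1 in COMMON_INITIAL_TTLS)
        if total >= min_samples and behind / total >= ratio:
            suspects.append(host)
    return sorted(suspects)

def service_key(f):
    """The lower-numbered port is taken to be the service end of the flow."""
    if f.proto == "arp":
        return None
    if f.dport <= f.sport:
        return (f.dst_ip, f.proto, f.dport)
    return (f.src_ip, f.proto, f.sport)

def services(flows):
    return {k for k in map(service_key, flows) if k is not None}

def new_services(flows, baseline):
    """Services seen now that were absent from the learned baseline."""
    return sorted(services(flows) - baseline)

def arp_storms(flows, sampling_rate=1, threshold=ARP_STORM_PER_SEC):
    """Per-second ARP senders, scaled by the sFlow sampling rate: one sample
    stands for sampling_rate packets on average, so a lone sample is weak
    evidence and the threshold must sit well above one scaled sample."""
    per_sec = Counter((f.src_mac, f.ts) for f in flows if f.proto == "arp")
    return sorted({mac for (mac, ts), n in per_sec.items() if n * sampling_rate > threshold})

def constructed_flows():
    fl = []
    for i in range(12):
        # directly attached host: default TTL 64 arrives at the first hop unchanged
        fl.append(Flow(10 + i, "00:11:22:33:44:01", "10.1.2.10", 40000 + i, "10.1.1.5", 80, "tcp", 64))
        # host behind an unauthorised NAT router: default 128 arrives as 127
        fl.append(Flow(10 + i, "00:11:22:33:44:02", "10.1.2.20", 41000 + i, "10.1.1.6", 443, "tcp", 127))
    # a later period in which a previously unseen service answers on 10.1.2.30:6667
    fl.append(Flow(250, "00:11:22:33:44:01", "10.1.2.10", 42000, "10.1.2.30", 6667, "tcp", 64))
    # ARP: one sample from a normal host, six in one second from a storming host
    fl.append(Flow(205, "00:11:22:33:44:01", "10.1.2.10", 0, "10.1.2.1", 0, "arp", 0))
    fl += [Flow(205, "00:11:22:33:44:03", "10.1.2.77", 0, "10.1.2.1", 0, "arp", 0) for _ in range(6)]
    return fl

def run(flows=None, sampling_rate=100):
    if flows is None:
        flows = constructed_flows()
    baseline = services(f for f in flows if f.ts < 100)      # learning period
    return {
        "nat_suspects": detect_nat(flows),
        "new_services": new_services([f for f in flows if f.ts >= 100], baseline),
        "arp_storms": arp_storms(flows, sampling_rate),
    }
```

On the constructed records run() flags the host at 10.1.2.20 as sitting behind a NAT router, reports 10.1.2.30:6667/tcp as a service absent from the baseline, and reports the ARP sender 00:11:22:33:44:03 once its six samples are scaled by the sampling rate. The same six samples at a sampling rate of 1 would not cross the threshold, which is the practical point: anomaly thresholds on sFlow data have to be expressed in scaled packet rates, not raw sample counts.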

Flexible and easily customized reports

Traffic Sentinel includes flexible reporting and query capability. The standard reporting includes accounting for network usage, profiling of hosts, profiling of services (e.g. peer-to-peer, RTP, multicast, ARP), traffic trending, identification of suspicious network traffic, and end host and network device inventory. Customized reports are authored using a graphical user interface which allows multiple charts and tables to be presented in a single report. For example, a report can identify the top protocols, the top servers and clients using those protocols, and the long-term trend. Other reporting features include:

  • Reports can be rendered as HTML or PDF.
  • Flexible report scheduling options including every five minutes, every hour, every day, every week, every month.
  • A configurable number of previously run reports can be stored.
  • Automatic emailing of reports.
  • Generation of events when reports identify specified profiles or incidents. For example, events can be raised when a report highlights anomalous trojan activity or access policy violations.
  • Scripting interface for advanced and complex data analysis.

Topology discovery and mapping for layer 2, layer 3, and BGP

Traffic Sentinel uses traffic and other data to discover the active layer 2, layer 3 and BGP topology. This topology is displayed with zoomable and interactive maps. In addition, the path a traffic flow takes across the network can be displayed on the map or in a table showing hop by hop attributes.

Rapid host location

As soon as a host becomes active, Traffic Sentinel observes its traffic and rapidly identifies the switch port to which the host is attached. It also tracks a mobile host as it moves around the network. This information is critical for applying focused controls, for example at the specific switch port to which an offending host is attached.
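How a host's access port can be inferred from sFlow samples, as an added example (my own code, not InMon's, whose method this page does not describe): every sFlow flow sample carries the agent address and the ingress ifIndex, so the source MAC of a sampled frame is attached to the port it entered on. The catch is that the same MAC is also sampled on every uplink between its access switch and the core, so uplinks must be excluded, here either from a configured list or by noticing that a port carries more source MACs than an access port plausibly would. The MAC-count threshold, the switch names and the sample data are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Sample:
    """The parts of an sFlow flow sample that matter for host location."""
    ts: int
    agent: str      # sFlow agent address of the switch that took the sample
    in_if: int      # ingress ifIndex recorded in the sample
    src_mac: str

class HostLocator:
    """Attribute each source MAC to the access port it last entered the network on.
    A port that carries many source MACs (or is listed as an uplink) is treated
    as an uplink and never reported as a host location."""

    def __init__(self, uplink_mac_threshold=8, known_uplinks=()):
        self.threshold = uplink_mac_threshold        # assumption: > N MACs means uplink
        self.known_uplinks = set(known_uplinks)      # (agent, ifIndex) pairs from topology/config
        self.macs_on_port = defaultdict(set)
        self.location = {}                           # mac -> (agent, ifIndex, last_seen)
        self.moves = []                              # (mac, old_port, new_port, ts)

    def is_uplink(self, port):
        return port in self.known_uplinks or len(self.macs_on_port[port]) > self.threshold

    def observe(self, s):
        port = (s.agent, s.in_if)
        self.macs_on_port[port].add(s.src_mac)
        if self.is_uplink(port):
            # the port may only now have crossed the threshold: retract locations
            # that were attributed to it while it still looked like an access port
            for mac in [m for m, loc in self.location.items() if loc[:2] == port]:
                del self.location[mac]
            return None
        prev = self.location.get(s.src_mac)
        if prev and prev[:2] != port:
            self.moves.append((s.src_mac, prev[:2], port, s.ts))
        self.location[s.src_mac] = (s.agent, s.in_if, s.ts)
        return port

    def locate(self, mac):
        """(agent, ifIndex) of the host's access port, or None if only seen on uplinks."""
        loc = self.location.get(mac)
        return loc[:2] if loc else None

def constructed_samples():
    host = "00:11:22:33:44:01"
    others = ["00:11:22:33:44:%02x" % n for n in range(0x10, 0x1a)]   # ten other hosts
    s = [Sample(0, "core1", 1, m) for m in others]        # the core-facing port sees everyone
    s += [Sample(1, "sw1", 5, host),                      # host on access port sw1/5
          Sample(1, "sw1", 24, host),                     # ...also sampled on sw1's known uplink
          Sample(2, "core1", 1, host),                    # ...and again at the core
          Sample(50, "sw2", 9, host),                     # later: the host has moved to sw2/9
          Sample(51, "core1", 1, host)]
    return s

def run(samples=None):
    if samples is None:
        samples = constructed_samples()
    loc = HostLocator(known_uplinks=[("sw1", 24)])
    for s in samples:
        loc.observe(s)
    return loc
```

After run(), the host is located at sw2 ifIndex 9, with one recorded move from sw1/5 at ts 50, and none of the ten MACs that were only ever seen on core1/1 have a location because that port was reclassified as an uplink once it exceeded the MAC threshold. A practitioner would seed known_uplinks from the discovered topology rather than rely on the threshold alone; a quiet uplink early in the day can otherwise be mistaken for an access port until enough MACs have been sampled on it.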

Fine grained historical and real-time data

Traffic Sentinel's database has been restructured so that fine grained real-time and historical traffic flow data can be stored. Full traffic flow protocol layer details and information derived from deep decode packet analysis are saved. Traffic Sentinel then performs sophisticated analysis of this data and presents useful reports and alerts on anomalies. The new database format also improves performance without requiring more disk space.

Powerful search and drilldown

Traffic Sentinel supports a powerful search capability. For example, it is possible to search for specific hosts (by DNS name, IP address or MAC address), switches/routers, protocols, ASNs, and the path between two hosts. Wildcard searches are also supported. The search results include detailed data; for example, when searching for a host, the MAC vendor and the country associated with the IP address are returned. The search results also include hyperlinked information so that it is easy to drill down and explore the data associated with the search criteria.

Graphical configuration editor

The configuration process for Traffic Sentinel has now been simplified with the use of a graphical configuration editor. However, text-based configuration is still possible by editing an XML representation of the configuration.

Controlled access to UI

Traffic Sentinel supports fine grained user interface access control. Access to the user interface can be password protected, and individual users can be restricted to a subset of the functionality.

Support for IPFIX and NetFlow v9

Traffic Sentinel will now receive and analyze NetFlow v9 and IPFIX data. This is in addition to sFlow, HP XRMON, LFAP, and SNMP polled interface counters.