The customer provides the hardware; Synapse Networks provides the software.
In a distributed analysis environment several analysis agents are installed at the most important points of the network.
The most important trace points are the domain servers, the DMZ and the Internet connection, followed by some (or all) client subnets and by remote locations (countrywide or worldwide).
Analysis Agents
Typically a so-called “pizza box” is installed in the 19" rack next to the LAN switch that is to be monitored. The “pizza box” is a Windows PC with two LAN adapters: the first is connected to the switch's mirror port, the second to the analysis VLAN.
Two software packages are installed: the Wireshark(TM) suite including the WinPcap drivers, and the analysis software of Synapse Networks.
The Synapse software controls the LAN packet capture via Wireshark's command line tool TShark. Assembling the correct set of TShark parameters is the job of the so-called CaptureWizard module of the Synapse software.
As soon as LAN packet capture is started, data processing by the Synapse analysis expert system starts as well. If configured, reports are created on a daily basis, including lists, tables, statistics, and error and event logs. During analysis certain errors and events are sent via syslog to a central trace log collector, and reports (or just summaries) can be sent to e-mail recipients.
Forensic Analysis
A so-called ring buffer is established on the analysis agent's hard disk. A user-defined data volume is reserved for the trace data saved to disk; when this volume is reached, the oldest trace files are deleted to free space for the next/latest files.
Depending on disk capacity and on the LAN traffic rate captured via the mirror port, this ring buffer may cover a period of hours, days, weeks or even months.
This matters for forensic analysis: if certain errors or security problems have occurred, the cause can only be proven by examining the trace files.
In such an emergency the analysis agent (more precisely, the capture process) must be stopped manually to prevent the ring buffer mechanism from deleting any further trace files.
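As an added example (not Synapse Networks' code; the real CaptureWizard's parameters are not documented on this page), the following Python composes a TShark ring-buffer capture from a disk quota and estimates the time window the buffer covers at a given traffic rate. The interface index, file size, output path and rates are assumed values; the TShark options `-b filesize:` and `-b files:` are the standard ring-buffer switches.

```python
"""Compose a TShark ring-buffer capture line and size the buffer.
Added illustration for this page, not the CaptureWizard's own logic."""
import subprocess

# tshark's "-b filesize:N" counts N in kB of 1000 bytes; quotas below use
# decimal MB (1 MB = 1000 kB) so the two agree.
KB_PER_MB = 1000


def ring_buffer_args(interface, quota_mb, file_mb=100,
                     outfile=r"D:\trace\agent.pcapng"):
    """Return the tshark argv for a ring buffer limited to quota_mb.

    -b filesize:<kB>  switch to a new file when the current one reaches that size
    -b files:<N>      keep at most N files; the oldest is deleted when the Nth fills
    Together they cap disk usage at roughly N * file_mb (quota_mb rounded down).
    """
    if file_mb <= 0 or quota_mb < file_mb:
        raise ValueError("quota must hold at least one capture file")
    n_files = quota_mb // file_mb
    return [
        "tshark",
        "-i", str(interface),          # mirror-port adapter (index or name; assumed)
        "-n",                          # no name resolution: no lookups out of the analysis VLAN
        "-q",                          # no running packet counter on the console
        "-b", f"filesize:{file_mb * KB_PER_MB}",
        "-b", f"files:{n_files}",
        "-w", outfile,
    ]


def coverage_seconds(quota_mb, avg_rate_mbit):
    """Seconds of history the buffer holds at a sustained average rate on the
    mirror port. An idle link (rate <= 0) is reported as unbounded."""
    if avg_rate_mbit <= 0:
        return float("inf")
    quota_bytes = quota_mb * 1000 * 1000
    bytes_per_second = avg_rate_mbit * 1000 * 1000 / 8
    return quota_bytes / bytes_per_second


def format_coverage(seconds):
    """Human-readable window: hours below two days, days above."""
    if seconds == float("inf"):
        return "unbounded"
    hours = seconds / 3600
    return f"{hours:.1f} h" if hours < 48 else f"{hours / 24:.1f} days"


if __name__ == "__main__":
    # Assumed agent: interface 2, 500 GB reserved, 100 MB files.
    args = ring_buffer_args(2, 500_000)
    # list2cmdline quotes the way the Windows shell expects.
    print(subprocess.list2cmdline(args))
    for rate in (10, 100, 1000):
        print(f"{rate:5d} Mbit/s sustained -> covers {format_coverage(coverage_seconds(500_000, rate))}")
```

Size the quota from the peak rate the mirror port can deliver, not the daily average; otherwise a busy day overwrites the evidence sooner than the estimate suggests. Stopping the capture process freezes the buffer, as the text describes; the trace files of interest can also be copied out of the ring buffer directory while capture continues, which keeps the agent recording the rest of the incident.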
Trace Log Collector
The central trace log collector aggregates the incoming syslog messages, saving them to disk.
Trace Log Filter
Parallel to the trace log collector, the trace log filter runs as an event log filter engine. Controlled by a filter library, this engine continuously scans the collected events for certain errors. Filter results are saved in corresponding disk folders; each filter has its own folder.
Each filter may have its own list of e-mail recipients. If defined, the filter reports are sent via e-mail to these recipients, so that each problem reaches the person responsible for it.
Trouble Ticket System
Furthermore, each problem should have its own trouble ticket (e.g. in SharePoint), and each ticket should contain a link to the report folder of the event log filter engine mentioned above. This is easily done.
All technicians and administrators with access to the trouble ticket system can then check the latest filter results immediately:
If the latest filter results still show the event (error, problem), the actions taken have not been successful yet. If the filter results no longer show the event, the remedy was successful.
This provides verification of every action taken.
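The filter engine described under Trace Log Filter and the remedy check described under Trouble Ticket System, as one added Python example (not Synapse Networks' code). It parses constructed RFC 5424-style syslog lines, runs a small filter library over them, writes each filter's matches into its own folder with one result file per scan, and then answers the ticket question: does the newest result file still show the event? Filter names, patterns, host names and the message texts are assumptions made up for this example.

```python
"""Toy trace log filter engine with per-filter result folders and a remedy check.
Added illustration for this page; the real filter library format is not documented here."""
import re
import tempfile
from datetime import date
from pathlib import Path

# RFC 5424-style line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG
# Only the fields the filters need are extracted; the rest stays in `msg`.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ \S+ (?P<msg>.*)$"
)


def parse_syslog(line):
    """Return a dict for a well-formed line, None for anything else (never raise)."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8, "ts": m["ts"],
            "host": m["host"], "app": m["app"], "msg": m["msg"]}


# Filter library: filter name -> pattern applied to the message text (assumed examples).
FILTER_LIBRARY = {
    "dns_servfail": re.compile(r"DNS .*\bSERVFAIL\b"),
    "tcp_retrans": re.compile(r"TCP retransmission rate (\d+)%"),
    "dup_ip": re.compile(r"duplicate IP address"),
}


def run_filters(lines, outdir, scan_date, library=FILTER_LIBRARY):
    """Scan syslog lines; write matches to <outdir>/<filter>/<scan_date>.log.

    A (possibly empty) result file is written for every filter on every scan,
    so the newest file always reflects the latest state, not the last hit.
    Returns {filter name: number of matches}."""
    outdir = Path(outdir)
    counts = {}
    for name, pattern in library.items():
        folder = outdir / name            # "each filter has its own folder"
        folder.mkdir(parents=True, exist_ok=True)
        hits = []
        for raw in lines:
            ev = parse_syslog(raw)
            if ev and pattern.search(ev["msg"]):
                hits.append(f'{ev["ts"]} {ev["host"]} sev={ev["severity"]} {ev["msg"]}')
        (folder / f"{scan_date.isoformat()}.log").write_text(
            "\n".join(hits) + ("\n" if hits else ""))
        counts[name] = len(hits)
    return counts


def latest_results(outdir, name):
    """Lines of the newest result file of a filter: what the ticket link points at."""
    files = sorted((Path(outdir) / name).glob("*.log"))   # ISO dates sort chronologically
    if not files:
        return []
    return [line for line in files[-1].read_text().splitlines() if line]


def remedy_verified(outdir, name):
    """True when the latest scan no longer shows the event the ticket is about."""
    return not latest_results(outdir, name)


# Constructed sample messages, as agents might forward them to the collector.
DAY1 = [
    "<131>1 2024-03-05T08:02:11Z agent-dmz synapse - - - DNS query to 10.0.0.53 answered SERVFAIL for intranet.example",
    "<131>1 2024-03-05T08:02:40Z agent-dc1 synapse - - - DNS query to 10.0.0.53 answered SERVFAIL for intranet.example",
    "<132>1 2024-03-05T08:05:00Z agent-branch7 synapse - - - TCP retransmission rate 9% on 10.7.0.0/24",
    "<134>1 2024-03-05T08:10:00Z agent-dc1 synapse - - - daily report written",
    "this line is not syslog at all",
]
DAY2 = [  # after the DNS server was fixed; the WAN link is still lossy
    "<132>1 2024-03-06T08:05:00Z agent-branch7 synapse - - - TCP retransmission rate 7% on 10.7.0.0/24",
    "<134>1 2024-03-06T08:10:00Z agent-dc1 synapse - - - daily report written",
]


def demo():
    """Two scans a day apart, then the check a ticket holder would make."""
    workdir = tempfile.mkdtemp(prefix="tracelog-")
    day1 = run_filters(DAY1, workdir, date(2024, 3, 5))
    day2 = run_filters(DAY2, workdir, date(2024, 3, 6))
    return {"day1": day1, "day2": day2,
            "dns_fixed": remedy_verified(workdir, "dns_servfail"),
            "tcp_fixed": remedy_verified(workdir, "tcp_retrans")}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Writing an empty result file for every scan is the detail that makes the ticket check trustworthy: if only hits were written, the newest file in the folder would still be the one from the day the problem occurred, and the engine could never report that the remedy worked.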
Remote Control via Internet
In the case of managed services, Synapse Networks checks the analysis reports, checks/creates the filter engine's filter library, and checks/creates the trouble tickets.
The customer's Internet firewall must allow Synapse Networks to reach the central trace log collector and filter engine PC; no other system needs to be reachable from the Internet, so the rule should be limited to that PC and to Synapse Networks' source addresses.
Once connected to this PC, the analysis agents can be operated from there via RDP.
In the case of managed services Synapse Networks takes care of the software updates as well.