232-001765-00 Rev A SonicOS 5.5 Data Forensics With Solera


Deep Packet Forensics

Document Scope
This feature module describes how deep packet forensics combines a SonicWALL UTM appliance with a Solera
Networks data-recording appliance to accurately identify and store the traffic and log events produced by
deep-packet classification. Together, these appliances can record network traffic without dropping a single
packet.
This document contains the following sections:
• “What is Deep Packet Forensics?”
• “What is Solera?”
• “Configuring Your Appliance with Solera”
• “Methods of Access”

What is Deep Packet Forensics?


SonicWALL UTM appliances have configurable deep-packet classification capabilities that intersect with
forensic and content-management products. While the SonicWALL can reliably detect and prevent
'interesting-content' events, it can provide only a record that the event occurred, not the actual data of the
event.
Of equal importance are diagnostic applications where the interesting content is traffic that is being
unpredictably handled or inexplicably dropped.
Although the SonicWALL can archive interesting-content using our Enhanced packet capture diagnostic
tool, data-recorders are application-specific appliances designed to record all the packets on a network. They
are highly optimized for this task, and can record network traffic without dropping a single packet.
While data-recorders are good at recording data, they lack the sort of deep-packet inspection intelligence
afforded by IPS/GAV/ASPY/AF. Consider the minimal requirements of effective data analysis:
• Reliable storage of data
• Effective indexing of data
• Classification of interesting-content
Together, a UTM device (a SonicWALL appliance) and a data-recorder (a Solera Networks appliance) satisfy
the requirements to offer outstanding forensic and data-leakage capabilities.

SonicWALL Deep Packet Forensics Feature Module 1


What is Solera?
Solera Networks makes a series of appliances of varying capacities and speeds designed to capture, archive,
and regenerate network traffic. The Solera Networks Network Packet Capture System (NPCS) provides
utilities that allow the captured data to be accessed in time sequenced playback, that is, analysis of captured
data can be performed on a live network via NPCS while the device is actively capturing and archiving data.

Configuring Your Appliance with Solera


To configure your SonicWALL appliance with Solera, navigate to Log > Automation. Select the Enable
Solera Capture Stack Integration option to enable this feature.



Distributed Event Detection and Replay
The Solera appliance can search its data-repository, while also allowing the administrator to define
“interesting-content” events on the SonicWALL. The level of logging detail and frequency of the logging
can be configured by the administrator. Nearly all events include Source IP, Source Port, Destination IP,
Destination Port, and Time. SonicOS Enhanced has an extensive set of log events, including:
• Debug/Informational Events — Connection setup/tear down
• User-events — Administrative access, single sign-on activity, user logins, content filtering details
• Firewall Rule/Policy Events — Access to and from particular IP:Port combinations, also identifiable
by time
• Interesting-content at the Network or Application Layer — Port-scans, SYN floods, DPI or AF
signature/policy hits

The following is an example of the process of distributed event detection and replay:
1. The administrator defines the event trigger. For example, an Application Firewall policy is defined to
detect and log the transmission of an official document:

2. A user (at IP address 192.168.19.1) on the network retrieves the file.


3. The event is logged by the SonicWALL.
4. The administrator selects the Recorder icon from the left column of the log entry. The icon/link only
appears in the logs when an NPCS is defined on the SonicWALL (e.g. IP: [192.168.169.100], Port: [443]).
The defined NPCS appliance is the link’s target, and the link includes query string parameters that
define the desired connection.
5. The NPCS will (optionally) authenticate the user session.
6. The requested data will be presented to the client as a .cap file, and can be saved or viewed on the local
machine.
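The replay flow above turns one log entry into a request against the NPCS and hands back a .cap file. The following is an added example, not SonicWALL or Solera code, that models the two ends of that flow an administrator actually touches: it parses constructed key=value log lines into the connection tuple the page says nearly every event carries (Source IP, Source Port, Destination IP, Destination Port, Time), composes the Recorder link against the NPCS address from the page's example, and validates the global header of a returned .cap file before it is opened. The log field names (src=, dst=, time=, msg=), the interface suffix on endpoints, and the query-string parameter names in the link are all assumptions for this example; the page states that the link carries the connection parameters but does not name them.

```python
"""Added example (not SonicWALL or Solera code): build a replay link for a
logged event and sanity-check the .cap file an NPCS hands back.

Assumptions: the key=value log layout and the field names src=/dst=/time=/msg=
are constructed for this example, and the NPCS query-string parameter names
are hypothetical (the page does not name them).
"""
import re
import struct
from ipaddress import IPv4Address
from urllib.parse import parse_qs, urlencode, urlsplit

NPCS_HOST = "192.168.169.100"   # the NPCS address used in the page's example
NPCS_PORT = 443

# Constructed sample log text in a key=value style; the third line shows an
# event with no connection tuple, which must not produce a replay link.
SAMPLE_LOG = """\
id=firewall time="2009-07-19 10:15:22" pri=6 msg="Connection Opened" src=192.168.19.1:51234:X0 dst=10.0.0.5:80:X1 proto=tcp/http
id=firewall time="2009-07-19 10:15:23" pri=1 msg="Application Firewall Alert" src=192.168.19.1:51234:X0 dst=10.0.0.5:80:X1 proto=tcp/http note="official document"
id=firewall time="2009-07-19 10:15:24" pri=6 msg="Log full; flushed"
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line):
    """Return the key=value fields of one line; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def split_endpoint(value):
    """'192.168.19.1:51234:X0' -> ('192.168.19.1', 51234); the interface suffix is optional.

    Raises ValueError on malformed input so a bad log line never yields a bad link.
    """
    parts = value.split(":")
    if len(parts) < 2:
        raise ValueError(f"endpoint lacks a port: {value!r}")
    ip = IPv4Address(parts[0])          # IPv4 only in this example
    port = int(parts[1])
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return str(ip), port


def build_replay_link(fields, host=NPCS_HOST, port=NPCS_PORT):
    """Compose the Recorder link for one event (parameter names are hypothetical)."""
    src_ip, src_port = split_endpoint(fields["src"])
    dst_ip, dst_port = split_endpoint(fields["dst"])
    params = {"src_ip": src_ip, "src_port": src_port,
              "dst_ip": dst_ip, "dst_port": dst_port,
              "time": fields["time"]}
    return f"https://{host}:{port}/replay?{urlencode(params)}"


def replay_links(log_text):
    """(msg, link) for every event carrying the connection tuple; other events are skipped."""
    out = []
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if {"src", "dst", "time"} <= fields.keys():
            out.append((fields.get("msg", ""), build_replay_link(fields)))
    return out


def replay_link_params(link):
    """Decode the query string of a replay link back into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(urlsplit(link).query).items()}


# pcap magic as it appears on disk, mapped to the struct byte-order prefix.
_PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",   # nanosecond timestamps
}


def parse_pcap_header(data):
    """Validate the 24-byte pcap global header of a returned .cap file before opening it."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    order = _PCAP_MAGICS.get(data[:4])
    if order is None:
        raise ValueError("not a pcap file (bad magic)")
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(order + "HHiIII", data[4:24])
    return {"byte_order": order, "version": (major, minor),
            "snaplen": snaplen, "linktype": linktype}


def looks_like_pcap(data):
    try:
        parse_pcap_header(data)
        return True
    except ValueError:
        return False


# Constructed stand-in for an NPCS response: a little-endian pcap 2.4 header
# (Ethernet link type 1, snaplen 65535) with no packet records behind it.
SAMPLE_CAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

if __name__ == "__main__":
    for msg, link in replay_links(SAMPLE_LOG):
        print(f"{msg}: {link}")
    print(parse_pcap_header(SAMPLE_CAP))
```

The header check matters because the browser will happily save whatever the NPCS returns as a .cap file, including an HTML login or error page when step 5's authentication fails; refusing anything without a valid pcap magic keeps such a response out of the analysis pipeline.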

Methods of Access
The client and NPCS must be able to reach one another. Usually, this means the client and the NPCS will
be in the same physical location, both connected to the SonicWALL appliance. In any case, the client will
be able to reach the NPCS directly, or will be able to reach the NPCS through the SonicWALL. Administrators
in a remote location will require some method of VPN connectivity to the internal network.



Log Persistence
SonicOS currently allocates 32K to a rolling log buffer. When the log becomes full, it can be emailed to a
defined recipient and flushed, or it can simply be flushed. Emailing provides a simple form of log
persistence. By offering the administrator the option to deliver logs as either plain text or HTML, it also
gives the administrator an easy way to review and replay the logged events.
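The practical consequence of a 32K rolling buffer is that the event an administrator wants to replay may already have been flushed by the time the Recorder link is clicked, unless the buffer is delivered somewhere first. The following is an added example, not SonicOS code, that models the two choices the page describes (email on full, or flush only) and counts how many events survive under each; the 32K size is the figure from the page, while the fixed 100-byte event lines and the mailbox sink are constructed for the example.

```python
"""Added example (not SonicOS code): a fixed-size rolling log buffer that is
either delivered to a sink when full or simply flushed, with counters that
show how many events survive under each choice.

Assumptions: the 32K capacity is the figure given on the page; the 100-byte
event lines and the list-backed "mailbox" sink are constructed here.
"""


class RollingLogBuffer:
    def __init__(self, capacity=32 * 1024, on_full=None):
        self.capacity = capacity
        self.on_full = on_full      # delivery callback (e.g. email); None = flush and lose
        self._lines = []
        self._used = 0
        self.persisted = 0          # events handed to the sink before the flush
        self.discarded = 0          # events flushed with no delivery

    def append(self, line):
        data = line.encode("utf-8") + b"\n"
        if len(data) > self.capacity:
            raise ValueError("single entry larger than the whole buffer")
        if self._used + len(data) > self.capacity:
            self.flush()            # buffer is full: deliver (if configured) and clear
        self._lines.append(data)
        self._used += len(data)

    def flush(self):
        if not self._lines:
            return
        if self.on_full is not None:
            self.on_full(b"".join(self._lines))
            self.persisted += len(self._lines)
        else:
            self.discarded += len(self._lines)
        self._lines.clear()
        self._used = 0

    @property
    def buffered(self):
        """Events still sitting in the buffer, not yet delivered or dropped."""
        return len(self._lines)


def simulate(n_events, deliver):
    """Feed n_events fixed-size entries and report where they ended up."""
    mailbox = []                                   # stands in for the email recipient
    buf = RollingLogBuffer(on_full=mailbox.append if deliver else None)
    for i in range(n_events):
        buf.append(f"{i:05d} " + "x" * 93)         # 99 chars + newline = 100 bytes
    return {"persisted": buf.persisted, "discarded": buf.discarded,
            "buffered": buf.buffered, "deliveries": len(mailbox)}


if __name__ == "__main__":
    print("email on full:", simulate(1000, deliver=True))
    print("flush only:   ", simulate(1000, deliver=False))
```

With 100-byte entries the buffer holds 327 events, so 1000 events produce three deliveries of 327 each and leave 19 in the buffer; with flush-only, those same 981 events are gone, and only the last 19 could still be matched against the NPCS.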

Solution Document Version History

Version Number   Date        Notes
1                7/19/2009   This document was created by Angela Mendoza.
2                7/22/2009   Incorporated feedback from Matt Dieckman.
3                8/06/2009   Incorporated feedback from Joe Levy.
