Safe networking: monitoring traffic usage

Inside a datacenter

A firewall is not enough

Safety means security. Nowadays, when cyberspace is full of threats for every entity residing in it, from personal computers to large corporate networks, it is necessary to be warned about every undesirable or suspicious activity.

Several years ago, a personal firewall and a malware shield, such as Spybot, along with anti-virus software were enough to feel safe, as far as personal computers connected to the Internet were concerned.

For even a small company's intranet, the precautions are essentially the same; however, you should also monitor the activity of every workstation and, as DoS attacks have become commonplace, deploy an intrusion detection system such as Snort.

However, passive means of defense aren't enough. A piece of malware that has infected a single workstation may cost the whole company dearly. Active monitoring is required and, if a suspicious action is detected, an immediate response should be an option.

The software installed on an average Windows workstation may include many programs that are themselves a security threat; instant messengers are a good example.

Traffic control and analysis

Traffic should always be under control, especially when you are not on an unlimited plan and every megabyte transferred has to be paid for. A runaway system update, or even an open browser, may result in high traffic usage.

However, it is not enough just to meter the amount of data transferred and, when necessary, to limit the rate of individual connections or to firewall the traffic gobblers altogether. Any unexpected transfer, especially via non-standard ports, should result in an immediate alert. Even an attempt to open an unexpected connection to the outside world should be handled at once.

In such cases, monitoring all inbound and outbound traffic becomes a must; the optimal policy is a restrictive one: «everything not allowed explicitly is forbidden». This approach may save you from dealing with the consequences of excessive traffic consumption or leaked private data.

Most modern routers, as well as other network devices and even network adapters, expose their traffic counters over SNMP, so traffic details can be collected remotely.
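
As an added example (not code from the original post), here is the arithmetic a traffic meter built on those SNMP counters has to get right: IF-MIB ifInOctets is a 32-bit counter that rolls over at 2**32, so a naive difference between two polls can go negative. The counter values below are constructed; a real poller would fetch them from the device.

```python
"""Turn periodic SNMP IF-MIB octet counter samples into per-interface
byte rates and flag interfaces that exceed a traffic budget.

Constructed example: the POLLS values stand in for ifInOctets readings
(IF-MIB, OID 1.3.6.1.2.1.2.2.1.10); no SNMP traffic is generated here.
"""
from dataclasses import dataclass

COUNTER32_MAX = 2**32  # ifInOctets / ifOutOctets are Counter32


@dataclass(frozen=True)
class Sample:
    ts: float     # poll time in seconds
    octets: int   # raw counter value read from the device


def bytes_per_second(prev: Sample, cur: Sample, modulus: int = COUNTER32_MAX) -> float:
    """Rate between two polls, correcting for a single counter wrap.

    A counter reset (device reboot) looks like a wrap and gives a
    misleading delta; a real poller should also compare sysUpTime.
    """
    dt = cur.ts - prev.ts
    if dt <= 0:
        raise ValueError("samples must be in increasing time order")
    delta = (cur.octets - prev.octets) % modulus   # modulo undoes one wrap
    return delta / dt


def over_budget(samples: dict, limit_bps: float) -> list:
    """Return (ifIndex, rate) for every interface whose latest rate
    exceeds limit_bps. samples maps ifIndex -> list of Sample."""
    alerts = []
    for ifindex, series in samples.items():
        if len(series) < 2:
            continue
        rate = bytes_per_second(series[-2], series[-1])
        if rate > limit_bps:
            alerts.append((ifindex, rate))
    return alerts


# Constructed poll data, 60-second interval: ifIndex 2 wraps past 2**32
# between polls (a naive delta would be negative), ifIndex 3 is quiet.
POLLS = {
    2: [Sample(0.0, 4_294_900_000), Sample(60.0, 5_000_000)],
    3: [Sample(0.0, 1_000_000), Sample(60.0, 1_600_000)],
}

if __name__ == "__main__":
    for ifindex, rate in over_budget(POLLS, 50_000):  # 50 kB/s budget
        print(f"ifIndex {ifindex}: {rate:,.0f} B/s exceeds budget")
```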

Thus, the minimal set of security precautions related to traffic analysis looks like this:

  • firewalls, installed both on the gateways to the outside network and on every server, preventing undesired connections and handling the minor types of network attacks
  • intrusion detection software, looking for patterns of possibly dangerous activity
  • anti-virus and anti-malware software installed on the mail server(s) and on every personal computer, to detect harmful data transfers
  • network monitoring software, keeping track of overall traffic usage and its dynamics

And once again: relying only on passive, post factum security measures isn't enough to prevent many network disasters.


About this Entry

This page contains a single entry by Konstantin Boyandin published on March 5, 2010 4:58 PM.
