Sometimes, the best security practices start with looking for trouble, instead of waiting for trouble to find you.
IT security has quickly become more reactive than proactive, with IT managers struggling to keep up with the latest attack vectors, instead of heading them off at the pass. While that may be an oversimplification of the highly complex security posturing that many enterprise pursue, it is nonetheless a realization that has been cemented by the reactive nature of today's security systems, which rely on previous detection and signatures to halt malicious behavior.
Moving from reactive to proactive ideologies takes a lot of work on the behalf of security administrators, which comes in the form of understanding what normal network flow looks like, as well as normal application use - not an easy task by any measure. It is a situation that has forced many a system administrator to turn to automated tools that utilize artificial intelligence to identify what normal is and what normal isn't - yet those tools lack the most powerful capability - one that can be summed up as intuition - where a system admin instinctively knows what is normal and what is not.
How does one achieve that level of intuition? It takes getting your hands dirty with the packets that move across the network and being able to drill down from a 10,000 foot view into the activities that make up normal network transactions. Naturally, there are tons of expensive monitoring tools that claim to make the process much easier, but the simple fact of the matter is that a networking administrator needs to learn the basics, before delving into complex, automated, graphics heavy consoles to determine what constitutes normalized network traffic.
Start with free monitoring tools
Sometimes, the best place to start is with the free network monitoring tools that have come to populate the realms of shareware, freeware and trialware - any of which may provide the basics to learn about traffic flow, anomalies and further educate network administrators on what is happening across their networks.
Case in point is network monitoring software vendor Paessler, a German company looking to make inroads into the enterprise network monitoring market. The company is offering a freeware version of its PRTG Network Monitor (limited to 10 sensors) in the hopes of getting enterprises to take the bait of what a full-fledged Network Monitoring solution can offer.
Nonetheless, buried within that freeware offering is the capability to deploy a Syslog/SNMP Trap Server, a tool that can gather information from applications and devices across the network. By now, network administrators should fully understand the advantages offered by syslog standard, which is used for communicating informational, analysis and debugging messages triggered by various reasons, such as system events, outages, critical conditions, etc.
A central Syslog Server collects the log information of the network's devices and informs when certain events occur, which can be defined based upon the types of events, alerts or warnings offered by devices and software. Syslog servers can also be configured to utilize SNMP Traps, which offer asynchronous notifications from SNMP-enabled devices. Combined (syslog and SNMP) can be used to report on important incidents and data. The trick is to make sure that the information gathered is relevant to normal/abnormal behavior of traffic, and that may take some experimentation.
Of course, Paessler is not the only player with skin in the game. But, as of late, the company seems to be offering increasing levels of help to those looking at "free" tools, and may just be the catalyst to help educate network administrators on what normal is all about on today's complex enterprise networks.
The real lesson here is for network administrators to get their hands dirty and delve into the realm of traffic to garner the knowledge to understand what normal is and normal isn't.