Packets' Place in Network Security
Enterprises have long relied on network monitoring tools to troubleshoot connectivity problems. The same tools have evolved into an important way to ensure networks are secure.
The rise of the blended threat has dealt a fatal blow to many single-purpose security products, making it much harder to protect networks from intrusions and compromises. Still, network administrators are charged with keeping enterprise networks secure, regardless of the threats presented – a lesson well learned by the recent breaches at Target.
The breaches at Target went undetected for some time, allowing infiltrators to gather a huge amount of information and leading to an almost unfathomable compromise of credit card information. It was that lack of detection, in part, that led to one of the most visible security breaches in recent memory.
In the past, most security administrators relied on the prowess of security-specific tools, such as anti-malware technology, spam filters, intrusion prevention systems and firewalls. However, those technologies are reactive in nature, and rely on external knowledge or the fingerprints of existing attacks to be effective. Simply put, such technologies lack the ability to identify zero-day, blended attacks. Other techniques must be added to the equation to achieve protection.
How Network Packets Can Help
Those other techniques may require security administrators to roll up their sleeves and get their hands dirty in the network mud, by looking at what network engineers refer to as packets. Luckily, there are tools that make it much easier to understand what a packet is and what its payload contains. Even more important is the ability to look at the route a packet takes, starting from its origin and ending with its destination.
Case in point is the latest offering from Fluke Networks, Visual TruView V9.0. The product has a new capability – end-to-end user analysis, which is able to delve into the network connectivity of a single IP address. That capability allows administrators to trend access and compare it to collected norms, making it simple to determine if an access problem lies with an individual user or the underlying network.
Although that capability lends itself well to troubleshooting, there is also a security benefit: the ability to identify anomalous access. In other words, by trending the activity to a certain IP address or application, admins can quickly identify spikes in traffic. Such spikes may become the first clue that an attack is occurring.
Network monitoring tools can also provide packet capturing and analysis – where a network administrator can log access and capture the electronic conversations between endpoints to audit the information contained. This process can uncover unauthorized access, identify what data was compromised and provide critical information to law enforcement agencies. Experts agree this kind of auditing should be part of dealing with any data breach.
Using Network Monitoring Tools for Security
Of course, Fluke Networks isn’t the only player in the network monitoring tool set market. SolarWinds, Paessler, Spiceworks, GFI and several others offer tools for network monitoring and analysis. That said, there are some critical capabilities that network administrators should look for when selecting a network monitoring tool for security purposes, including:
- Full Packet Capture: The ability to record all traffic
- Packet Analysis: Tools to delve into the payload of the traffic
- End-to-end Tracking: Identify the path and endpoints involved
- Trending: Ability to identify access trends
- Normalization: Tools that identify “normal” network use
Naturally, there are other capabilities that lend themselves well to the security process; however the above capabilities offer an excellent starting point for security administrators looking to explore packet analysis and garner enhanced knowledge of the networks they are charged with protecting.
Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with over 25 years of experience in the technology arena. He has written for several leading technology publications, including ComputerWorld, TechTarget, PCWorld, ExtremeTech, Tom's Hardware and business publications, including Entrepreneur, Forbes and BNET. Ohlhorst was also the executive technology editor for eWeek and formerly the director of the CRN Test Center.