Thursday, December 25, 2003

The Achilles heel to most networks

Bowulf recently blogged "Weak auditing and monitoring - the Achilles heel to most networks", a post about a VUNet article on the common practice of ignoring your logs unless you're trying to backtrack an incident.

I agree with Bowulf, at least in part. You also have to have logging enabled in the first place. If you're working in a NOC, that also means router logs (that's syslog servers, not the dinky space for logging in router memory!). For those networks which aren't allowed to enforce a decent firewall policy, you also need to log high-port to high-port traffic, which is where most of your shady stuff (unauthorized/covert channels, P2P, backdoors, etc.) happens.

I disagree with Bowulf in that logging isn't the sole action you need to take. Closely related to logging is taking and maintaining metrics. Good metrics support the cliché "a picture is worth a thousand words": if you're watching your network metrics, you learn to recognize "normal" network activity and "abnormal" network activity.

One example of this is e-mail metrics. You cannot read every message that passes through your mail servers. However, if you graph your metrics properly, you should be able to recognize the spread of a new virus within 5-15 minutes of the initial spread (depending on how often your graphs are updated). While it won't block the new infection (usually nothing will), it does allow you to react quickly enough to minimize the damage and protect the rest of your network.

Maybe a good rule-of-thumb is to maintain metrics on your normal traffic (web, email, etc.) and regularly filter your logs for the abnormal traffic?
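To show what that rule of thumb looks like in practice, here is an added example (my own illustration, not code from Bowulf's post or the VUNet article) that does both halves: it turns a constructed connection log into a per-minute SMTP metric, flags a minute that breaks from the learned baseline the way a mass-mailer outbreak does, and filters the same log for high-port to high-port flows. The "HH:MM proto src:sport -> dst:dport" line format, the 3-sigma threshold and the 1024 port boundary are assumptions.

```python
import re
import statistics
from collections import Counter

# Assumed log line format: "HH:MM proto src:sport -> dst:dport"
LINE_RE = re.compile(r"^(\d\d:\d\d) (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    minute, proto, src, sport, dst, dport = m.groups()
    return {"minute": minute, "proto": proto, "src": src,
            "sport": int(sport), "dst": dst, "dport": int(dport)}


def make_sample_log():
    """Constructed sample: ten quiet minutes of SMTP (2-3 connections each),
    then 25 connections in one minute from many hosts, the shape a new
    mass-mailer gives your graph, plus two high-port to high-port flows."""
    lines = []
    for minute in range(10):
        for i in range(2 + minute % 2):
            lines.append(f"09:0{minute} tcp 10.0.0.{5 + i}:5{1000 + i} -> 10.0.0.25:25")
    for i in range(25):
        lines.append(f"09:10 tcp 10.0.0.{40 + i}:52000 -> 10.0.0.25:25")
    lines.append("09:03 tcp 10.0.0.8:6881 -> 198.51.100.7:6881")   # P2P-like
    lines.append("09:07 tcp 10.0.0.9:4444 -> 192.0.2.10:31337")    # covert-channel-like
    return lines


def smtp_per_minute(lines, dport=25):
    """The metric: SMTP connections per minute, keyed by HH:MM."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["dport"] == dport:
            counts[rec["minute"]] += 1
    return counts


def flag_spikes(counts, baseline_minutes, k=3.0):
    """Flag minutes outside the baseline whose count exceeds mean + k*stdev."""
    base = [counts.get(m, 0) for m in baseline_minutes]
    mean, sd = statistics.mean(base), statistics.pstdev(base)
    return sorted((m, c) for m, c in counts.items()
                  if m not in baseline_minutes and c > mean + k * sd)


def high_port_flows(lines, low=1024):
    """Filter the log for flows where neither side is a well-known service port."""
    return [l for l in lines
            if (r := parse_line(l)) and r["sport"] >= low and r["dport"] >= low]
```

Baseline minutes here alternate between 2 and 3 connections (mean 2.5, stdev 0.5), so the 25-connection minute is flagged while the normal ones are not; the same parsed records give you the high-port filter for free.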

Thoughts/ideas/comments/flames?