
Tuesday, December 10, 2019

Best Tips For Monitoring Network Traffic On Your Network



Monitoring traffic on your network is essential if you want to keep it secure and efficient. Information obtained from network traffic monitoring tools can be used in a variety of operational and IT security cases: to identify security problems, troubleshoot network issues, and analyze the impact that new applications will have on the network. These five tips should help you get the most out of your network traffic monitoring tool.

How To Monitor Network Traffic –
Monitoring network traffic is an incredibly powerful way to understand your computing environment. For many companies, network performance is critical, and if the network fails or runs at capacity, the adverse effects can cost time, money and resources.
To understand, prevent and solve these problems, there are many methods available to monitor network traffic. The first thing to focus on is: "what do you want to achieve?" Are you trying to understand a specific problem, or simply to improve your knowledge of what is happening on your network? Whatever the reason, having a predefined goal is essential.

· Choose The Right Data Source
· Pick The Correct Points On The Network To Monitor
· Sometimes Real-Time Data Is Not Enough
· Associate The Data With Usernames
· Check The Flows And Packet Payloads For Suspicious Content



Choose the Right Data Source –

Whatever the reason for monitoring network traffic, you have a choice of two primary sources of data:
Flow data: obtained from Layer 3 devices such as routers (NetFlow, sFlow or IPFIX exports).
Packet data: obtained from SPAN or mirror ports, or from a network TAP.
Flow data is ideal if you want traffic volumes or to map the path of a network conversation from source to destination. This level of information can help detect unauthorized WAN traffic and track network resource usage and performance. However, flow-based network traffic monitoring tools lack the detailed data needed to identify many network security issues or to perform an accurate root cause analysis: a flow record keeps only the addresses, ports, protocol, counters and timestamps, and the payload is gone.
Packet data captured from the wire can help network administrators understand how users use applications, monitor usage on WAN links, and spot suspicious malware activity or other security incidents. Deep packet inspection tools give full visibility into whatever passes the capture point, turning raw packets into readable metadata that lets administrators drill into every detail.

Pick the Correct Points On The Network to Monitor –

With agent-based software, you naturally have to install the software on every device you want to monitor. Not only does this scale poorly as a way to monitor network traffic, it also generates a significant implementation and maintenance overhead for IT teams. Besides, if your goal is to monitor activity on a BYOD or publicly accessible network, agent-based software will not give you a complete picture of user activity, since it is impractical (and, in some jurisdictions, illegal) to install monitoring agents on devices owned by users.
Even with agentless software, a common mistake when implementing network monitoring tools is trying to monitor every point of the network. That is not necessary. Instead, choose the locations where traffic converges: Internet gateways, the Ethernet ports on WAN routers, or the VLANs associated with critical servers.
If you are new to network monitoring, start with your Internet gateway(s). This is an excellent source of operational and security data. On Cisco switches this takes only a few configuration lines (a SPAN session that mirrors the gateway uplink to the port your sensor is connected to); a similar approach can be applied to switches from other vendors.
The diagram below shows an excellent approach to monitoring network traffic: a SPAN or mirror port is configured on the network core, which allows capture of all traffic that crosses it, in this example including everything going to and from the Internet.
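As an added example (my own, not the snippet from the original post), this is the kind of configuration meant here on a Cisco IOS switch: a local SPAN session that copies everything crossing the uplink to the Internet firewall onto the port where the monitoring sensor is plugged in. The interface names are assumptions for the illustration.

```text
! Added example, not from the original post. Assumptions: the uplink to
! the Internet firewall is GigabitEthernet1/0/1 and the sensor sits on
! GigabitEthernet1/0/24. "both" mirrors ingress and egress frames.
monitor session 1 source interface GigabitEthernet1/0/1 both
monitor session 1 destination interface GigabitEthernet1/0/24
!
! To mirror a server VLAN instead of a single uplink, the source can be
! a VLAN (assumed VLAN 10 here) rather than an interface:
! monitor session 2 source vlan 10
! monitor session 2 destination interface GigabitEthernet1/0/23
!
! Confirm the session is active and which ports it covers:
show monitor session 1
```

One caveat worth knowing before you trust the capture: SPAN copies frames through the switch's own forwarding path, so if the mirrored uplink is busy in both directions the destination port can be oversubscribed and frames are silently dropped. If you need every packet (for forensics rather than trending), a passive TAP on the uplink avoids that problem.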

Sometimes Real-time Data is Not Enough –


The ability to monitor network traffic in real time is enough for many network traffic monitoring goals, but sometimes real-time data is not enough. Historical traffic metadata is ideal for network forensics, and just as crucial if you want to analyze past events, identify trends, or compare current network activity with last week's. For these purposes, it is best to use network traffic monitoring tools that combine deep packet inspection with long-term retention of the resulting metadata.
Some network traffic monitoring tools age their data. This means that the further back in time you go, the less detail you get. While this saves disk space, it is not ideal if you are trying to work out how an attacker got past your defenses to plant malware on the network. Without accurate and complete event data, you can end up searching for answers that no longer exist.
Keep in mind, too, that some network traffic monitoring systems and SIEMs base their pricing on the amount of data you want to store; note this when evaluating solutions. Appliance-based tools are limited by the specification of the hardware you buy, and an upgrade becomes a costly replacement appliance. The most flexible option is a software-based network traffic monitoring tool that lets you allocate as much disk space as you deem appropriate.
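To make concrete what each level of detail can and cannot answer, here is an added example (my own code, not from the original post) that serves both the "Choose the Right Data Source" point and the data-ageing point above. It takes a handful of constructed packets, aggregates them into flow records the way a router exporting flow data would, and then ages the flows into per-port totals. The addresses, timestamps, payloads and the one-hour ageing bucket are all invented for the illustration.

```python
"""Added example (not from the original post): what survives at each
level of detail, from raw packets, to flow records, to aged (rolled-up)
flow summaries.  All traffic below is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float            # seconds since epoch
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    first: float
    last: float
    packets: int = 0
    octets: int = 0


# Constructed sample traffic: a web request and reply, a DNS query, and
# an inbound VNC handshake two hours later. Timestamps are arbitrary.
T0 = 1_575_936_000.0
PACKETS = [
    Packet(T0 + 1, "10.0.0.5", "93.184.216.34", 51000, 80, "tcp",
           b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Packet(T0 + 2, "93.184.216.34", "10.0.0.5", 80, 51000, "tcp",
           b"HTTP/1.1 200 OK\r\n\r\n" + b"x" * 1400),
    Packet(T0 + 3, "10.0.0.5", "10.0.0.2", 40000, 53, "udp",
           b"\x12\x34" + b"\x00" * 30),
    Packet(T0 + 7200, "203.0.113.9", "10.0.0.20", 45000, 5901, "tcp",
           b"RFB 003.008\n"),
]


def packets_to_flows(packets):
    """Aggregate packets into unidirectional 5-tuple flow records.
    This mirrors what a router exporting NetFlow/IPFIX does: counters
    and timestamps are kept, the payload is not."""
    flows = {}
    for p in packets:
        key = (p.src, p.dst, p.sport, p.dport, p.proto)
        f = flows.get(key)
        if f is None:
            f = flows[key] = Flow(*key, first=p.ts, last=p.ts)
        f.last = max(f.last, p.ts)
        f.packets += 1
        f.octets += len(p.payload)
    return list(flows.values())


def age_flows(flows, bucket_seconds=3600):
    """Roll flows up into per-bucket, per-destination-port byte totals,
    the kind of summary a tool keeps once data has been 'aged'. Source
    addresses and individual connections are gone after this step."""
    summary = defaultdict(int)
    for f in flows:
        bucket = int(f.first // bucket_seconds) * bucket_seconds
        summary[(bucket, f.dport)] += f.octets
    return dict(summary)


def flows_to_port(flows, dport):
    """Flow-level question: which hosts talked to this port?"""
    return sorted({f.src for f in flows if f.dport == dport})


def packets_containing(packets, needle):
    """Packet-level question: which packets carried this content?
    Flow data cannot answer this because the payload is not retained."""
    return [(p.src, p.dst, p.dport) for p in packets if needle in p.payload]


if __name__ == "__main__":
    flows = packets_to_flows(PACKETS)
    print(len(flows), "flows from", len(PACKETS), "packets")
    print("sources to TCP/5901:", flows_to_port(flows, 5901))
    print("packets with RFB banner:", packets_containing(PACKETS, b"RFB "))
    print("aged summary:", age_flows(flows))
```

Read the three queries from the bottom up: the aged summary can still tell you that some bytes went to port 5901 in the second hour, the flow records can additionally tell you which source sent them, and only the packets can tell you that the session really was VNC and not something else on that port. That is the detail you lose when a tool ages its data before you get to the investigation.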

Associate the Data With Usernames –


Traditional network traffic monitoring tools usually report activity by IP or MAC address. While that information is useful, it can be a problem in your environment: with DHCP, roaming devices and shared addresses, an IP address does not reliably identify a person, and the same address may belong to different people at different times of day. Associating network activity and devices with user information, for example from your directory or authentication logs, tells you who is doing what on the network.
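The mechanics of that association, as an added example (my own code, not from the original post): replay an authentication or DHCP event stream into a per-address timeline, then look up the owner of each flow's source address at the moment the flow was seen. The event log and the flow records are constructed for the illustration, and the address 10.0.0.7 is deliberately handed to two different users in turn.

```python
"""Added example (not from the original post): attributing flow records
to usernames by replaying an authentication/DHCP event stream.  Both the
event log and the flows are constructed for illustration."""
from bisect import bisect_right
from collections import defaultdict

# Constructed events: (timestamp, ip, username or None).  A None user
# means the address was released (DHCP release/expiry or logoff).
# Note that 10.0.0.7 is leased to alice, released, then leased to bob.
EVENTS = [
    (1000, "10.0.0.7", "alice"),
    (1500, "10.0.0.9", "carol"),
    (2000, "10.0.0.7", None),
    (2600, "10.0.0.7", "bob"),
]

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port)
FLOWS = [
    (1200, "10.0.0.7", "198.51.100.3", 443),
    (2100, "10.0.0.7", "198.51.100.3", 443),   # gap: nobody owns the IP
    (2700, "10.0.0.7", "203.0.113.4", 22),
    (1600, "10.0.0.9", "198.51.100.3", 443),
    (1700, "10.0.0.55", "198.51.100.3", 443),  # never seen in the log
]


class OwnerTable:
    """Per-IP timeline of (start_ts, user) entries, queried by bisect."""

    def __init__(self, events):
        timeline = defaultdict(list)
        for ts, ip, user in sorted(events, key=lambda e: e[0]):
            timeline[ip].append((ts, user))
        self._starts = {ip: [ts for ts, _ in rows] for ip, rows in timeline.items()}
        self._users = {ip: [u for _, u in rows] for ip, rows in timeline.items()}

    def user_for(self, ip, ts):
        """Return the user holding `ip` at time `ts`, or None if the
        address was unowned or unknown at that moment."""
        starts = self._starts.get(ip)
        if not starts:
            return None
        i = bisect_right(starts, ts) - 1
        return self._users[ip][i] if i >= 0 else None


def attribute(flows, table):
    """Tag each flow with the responsible user, 'unattributed' when none."""
    out = []
    for ts, src, dst, dport in flows:
        user = table.user_for(src, ts) or "unattributed"
        out.append((user, src, dst, dport))
    return out


def activity_by_user(flows, table):
    """Group destinations by user, the view an analyst actually wants."""
    by_user = defaultdict(list)
    for user, src, dst, dport in attribute(flows, table):
        by_user[user].append((dst, dport))
    return dict(by_user)


if __name__ == "__main__":
    table = OwnerTable(EVENTS)
    for user, dests in activity_by_user(FLOWS, table).items():
        print(user, "->", dests)
```

Two design points matter in practice. The lookup is by time as well as address, which is what makes the SSH connection at t=2700 land on bob rather than alice even though both used 10.0.0.7. And the "unattributed" bucket is kept rather than silently dropped: flows from addresses your logs do not explain (the gap at t=2100, or 10.0.0.55, which never authenticated) are exactly the unauthorized devices the next tip is about.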

Check the Flows and Packet Payloads for Suspicious Content –


Many networks have intrusion detection systems at the edge, but very few have this type of technology monitoring internal traffic. All it takes is one unauthorized mobile or IoT device to compromise a network. Another problem I often see is a firewall that lets suspicious traffic through because a rule has been misconfigured.
The image below gives an example: someone created a rule to allow inbound traffic on TCP 5901 (VNC remote desktop sharing, display :1) but did not restrict it to a specific source and destination. The source addresses in this case appear to be registered in China, and connections from that country should never be reaching this network.
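Here is how that check looks when done against flow records and the first payload bytes of each session, as an added example (my own code, not from the original post). The overly broad rule is the one the post describes, TCP 5901 open to any source; the tightened rule, the management network, the VNC host and the traffic are all assumptions made for the illustration.

```python
"""Added example (not from the original post): checking flow records and
the first payload bytes against what a firewall rule *should* permit.
The rules, networks and traffic below are constructed; the only detail
taken from the post is 'inbound TCP 5901 open to any source'."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int

    def permits(self, src, dst, dport):
        return (dport == self.dport
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst)


ANY = ipaddress.ip_network("0.0.0.0/0")

# The misconfigured rule from the post's scenario: 5901 open from anywhere.
BROAD_RULE = Rule("vnc-any", ANY, ANY, 5901)

# What the rule should have looked like (assumed management network and
# the single VNC host that needs to be reachable).
TIGHT_RULE = Rule("vnc-mgmt", ipaddress.ip_network("192.0.2.0/24"),
                  ipaddress.ip_network("10.0.0.20/32"), 5901)

# Constructed inbound sessions: (src, dst, dport, first server payload
# bytes seen). "RFB 003.008" is the banner a VNC server sends on connect;
# an empty payload means the port never answered.
FLOWS = [
    ("192.0.2.15", "10.0.0.20", 5901, b"RFB 003.008\n"),    # admin, mgmt net
    ("203.0.113.9", "10.0.0.20", 5901, b"RFB 003.008\n"),   # unknown Internet host
    ("203.0.113.9", "10.0.0.21", 5901, b""),                # scan, port closed
    ("198.51.100.77", "10.0.0.30", 8443, b"RFB 003.008\n"), # VNC on another port
]


def flows_permitted_by(rule, flows):
    """Which of the observed sessions would this rule have let in?"""
    return [f for f in flows if rule.permits(f[0], f[1], f[2])]


def suspicious(flows, rule):
    """Return (reason, flow) pairs: sessions on the rule's port that the
    intended rule would not allow, and sessions whose payload says 'VNC'
    on a port the rule does not cover at all."""
    findings = []
    for f in flows:
        src, dst, dport, payload = f
        if dport == rule.dport and not rule.permits(src, dst, dport):
            findings.append(("outside allowed source/destination", f))
        elif dport != rule.dport and payload.startswith(b"RFB "):
            findings.append(("VNC protocol on unexpected port", f))
    return findings


if __name__ == "__main__":
    print("broad rule admits:", len(flows_permitted_by(BROAD_RULE, FLOWS)))
    print("tight rule admits:", len(flows_permitted_by(TIGHT_RULE, FLOWS)))
    for reason, flow in suspicious(FLOWS, TIGHT_RULE):
        print(f"{reason}: {flow[0]} -> {flow[1]}:{flow[2]}")
```

The first two findings come purely from flow data: a source outside the management network, and a probe of a host the rule was never meant to expose. The last one needs the payload; a VNC server listening on 8443 is invisible to a port-based rule review and only shows up when you look at what the bytes actually say.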