Thursday, July 22, 2010

Premonition

Analysis junkies like me get an intuitive feeling about particular ways to slice and dice network traffic data that are likely to produce interesting results. I had never heard this referred to formally until a meeting I was in this past week. My counterpart used the word "premonition". I like it. It's now in my digerati vocabulary.

Uncommon Protocols

IANA assigns 256 registered Internet Protocol numbers (0-255). The protocols assigned to each number vary widely in capability, purpose, and function. What protocols do you route on your network? For sure TCP, UDP, and ICMP. Perhaps a few others as well for one reason or another. Are you sure that you only route the protocols you think you do? Looking at the data is the only way to find out for sure.

A colleague of mine was looking at a client network and discovered that the client was routing some pretty unusual protocols. The client was not aware of this and became quite concerned. Just another reason we should all be vigilant in monitoring our networks and studying what the data are telling us.

Thursday, July 8, 2010

Logging Update

I have good news regarding the logging issues I described in previous posts. I sat down with the client and the vendor, and we had a productive meeting together. We all agreed that logging of DNS queries ought to be part of the product. In fact, the vendor couldn't understand why it was ever overlooked/omitted by them in the first place. The vendor agreed to include this feature in the next release of the product (date of release still undetermined).

The good news here is that analyzing the data on the network revealed a shortcoming in a vendor solution that many organizations use (including yours perhaps). Most people probably rely on the logging of this product without having any reason to question it. My hope here is that the issue I identified will allow this vendor's entire customer base to better protect and defend their networks.

Today is a good day. The entire cyber security community will benefit because of this. Now that's cool.