Information Security Best Practices: 205 Basic Rules

Section 16: Network Monitoring Rules

An essential element of a solid INFOSEC system is monitoring hardware/software, used to keep tabs on performance, problems, and security issues. This section offers some basic rules for installing and using monitoring equipment and procedures.

INFOSEC Best Practice #171

Install network sniffers and network monitoring software on your network.

Network monitoring equipment must be used to troubleshoot hardware problems, analyze performance, and monitor security as needed. Monitoring the network involves the use of software and hardware to identify the types of packets on the wire, the volume of packets, the origin and destination of packets, and the devices present on the network; the physical characteristics of the wiring and the physical layout of the network are the province of hardware tools (cable testers and hardware analyzers) rather than of a software sniffer. The sniffer must be able to decode every protocol in use on the network, not just TCP/IP: typically, besides TCP/IP, Microsoft networking uses NetBEUI and Netware uses IPX/SPX, and a sniffer that understands only IP is blind to frames carrying those protocols. All of this activity must also be loggable by the sniffer, so that a problem or an attack can be reviewed after the fact.

A network sniffer must be connected to the network to detect SYN-based attacks by a hacker. Two distinct attacks use the TCP SYN packet. In a SYN scan, the hacker sends a SYN to many ports on a target: an open port answers SYN/ACK and a closed port answers RST, and the scanner tears the half-open connection down with a RST instead of finishing the three-way handshake, so the target's applications never see a connection and log nothing. In a SYN flood, the hacker sends SYNs to one service faster than its backlog of half-open connections can drain, denying service to real clients. Having a sniffer attached to the network will provide an early warning to system administrators about hackers trying to identify your open TCP ports with a SYN scanning program, because the pattern of SYNs that are never followed by a completed handshake is visible on the wire even when nothing is logged on the host. Note that on a switched network a sniffer plugged into an ordinary port sees only broadcasts and its own traffic; it must be attached to a mirror (SPAN) port or an inline tap to see the traffic of other hosts.
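To make the protocol-decoding requirement and the two SYN cases concrete, the following is an added example written for this section; it is not code from the book or from any sniffer product. It is a minimal sniffer back end in Python: it classifies raw Ethernet frames as TCP/IP, IPX or NetBEUI by EtherType or 802.2 LLC SAP, tracks which client connections sent a SYN without ever sending the handshake-completing ACK, and raises a SYN scan alert (one source, many half-open ports) or a SYN flood alert (one service, many half-open connections). The frames, the 10.0.0.x addresses, the port list and the thresholds are all constructed for the example; a real deployment would feed it frames read from a capture file or a mirror port.

```python
import struct
from collections import defaultdict

# EtherType values from the IEEE registry. A value below 0x0600 in that field is an
# IEEE 802.3 length instead, and the payload then starts with an 802.2 LLC header (or raw IPX).
ETHERTYPE_IPV4, ETHERTYPE_IPX = 0x0800, 0x8137
LLC_SAP_NETBEUI, LLC_SAP_IPX = 0xF0, 0xE0       # NetBEUI and IPX carried over 802.2 LLC
IPPROTO_TCP = 6
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10

def parse_frame(frame):
    """Classify one raw Ethernet frame; for TCP over IPv4 also return the 4-tuple and flags."""
    if len(frame) < 16:
        return {"proto": "runt"}
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len >= 0x0600:                            # Ethernet II framing
        if type_or_len == ETHERTYPE_IPV4:
            return parse_ipv4(frame[14:])
        return {"proto": "ipx" if type_or_len == ETHERTYPE_IPX else "ethertype-0x%04x" % type_or_len}
    payload = frame[14:14 + type_or_len]                 # IEEE 802.3 framing
    if len(payload) < 2:
        return {"proto": "runt"}
    if payload[:2] == b"\xff\xff":                       # Novell "raw" 802.3: IPX checksum field
        return {"proto": "ipx"}
    sap_names = {LLC_SAP_NETBEUI: "netbeui", LLC_SAP_IPX: "ipx"}
    return {"proto": sap_names.get(payload[0], "llc-sap-0x%02x" % payload[0])}

def parse_ipv4(pkt):
    """Decode the IPv4 header and, for TCP, the ports and the flag byte."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    if pkt[9] != IPPROTO_TCP or len(pkt) < ihl + 14:
        return {"proto": "ipv4/%d" % pkt[9], "src": src, "dst": dst}
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"proto": "tcp", "src": src, "dst": dst, "sport": sport, "dport": dport, "flags": pkt[ihl + 13]}

def half_open_connections(frames):
    """Client->server 4-tuples that sent a bare SYN but never the ACK that completes the handshake."""
    syn_seen, ack_seen = set(), set()
    for f in map(parse_frame, frames):
        if f["proto"] != "tcp":
            continue
        key = (f["src"], f["sport"], f["dst"], f["dport"])
        if f["flags"] & TCP_SYN and not f["flags"] & TCP_ACK:
            syn_seen.add(key)
        elif f["flags"] & TCP_ACK and not f["flags"] & (TCP_SYN | TCP_RST):
            ack_seen.add(key)          # the RST a scanner sends instead of this ACK does not count
    return syn_seen - ack_seen

def detect(frames, scan_ports=8, flood_conns=50):
    """SYN scan: one source leaves many ports half-open. SYN flood: one service has many half-open."""
    targets_by_src, half_open_by_service = defaultdict(set), defaultdict(int)
    for src, _sport, dst, dport in half_open_connections(frames):
        targets_by_src[src].add((dst, dport))
        half_open_by_service[(dst, dport)] += 1
    alerts = [("syn-scan", src, len(t)) for src, t in targets_by_src.items() if len(t) >= scan_ports]
    alerts += [("syn-flood", "%s:%d" % svc, n) for svc, n in half_open_by_service.items() if n >= flood_conns]
    return alerts

def tcp_frame(src, dst, sport, dport, flags):
    """Constructed Ethernet II / IPv4 / TCP frame for test traffic (MACs and checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp

def sample_frames():
    """Constructed capture: one normal handshake, a 12-port SYN scan, one IPX and one NetBEUI frame."""
    frames = [tcp_frame("10.0.0.7", "10.0.0.5", 40001, 80, TCP_SYN),
              tcp_frame("10.0.0.5", "10.0.0.7", 80, 40001, TCP_SYN | TCP_ACK),
              tcp_frame("10.0.0.7", "10.0.0.5", 40001, 80, TCP_ACK)]
    for i, port in enumerate((21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389)):
        frames.append(tcp_frame("10.0.0.99", "10.0.0.5", 50000 + i, port, TCP_SYN))
        if port in (22, 80, 445):       # open port: SYN/ACK comes back, scanner answers with RST
            frames.append(tcp_frame("10.0.0.5", "10.0.0.99", port, 50000 + i, TCP_SYN | TCP_ACK))
            frames.append(tcp_frame("10.0.0.99", "10.0.0.5", 50000 + i, port, TCP_RST))
    ipx = b"\xff\xff" + b"\x00" * 44                     # raw 802.3 IPX, padded to 46 bytes
    netbeui = bytes([LLC_SAP_NETBEUI, LLC_SAP_NETBEUI, 0x03]) + b"\x00" * 43
    for payload in (ipx, netbeui):
        frames.append(b"\xff" * 6 + b"\x00" * 6 + struct.pack("!H", len(payload)) + payload)
    return frames

def protocol_counts(frames):
    """Packet-type tally of the kind a sniffer's summary screen shows."""
    counts = defaultdict(int)
    for f in frames:
        counts[parse_frame(f)["proto"]] += 1
    return dict(counts)

if __name__ == "__main__":
    frames = sample_frames()
    print(protocol_counts(frames))
    for alert in detect(frames):
        print(*alert)
```

The rule that separates the scanner from the legitimate client is the third packet of the handshake: the client on 10.0.0.7 sends it, so its connection drops out of the half-open set, while the scanner on 10.0.0.99 answers every SYN/ACK with a RST and leaves all twelve probes half-open. The thresholds (8 ports, 50 half-open connections) are assumptions for the example and would be tuned to the traffic of a real segment; a busy server legitimately carries some half-open connections at any moment, so the flood threshold in particular should be set from a baseline rather than guessed.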

Network sniffer software must be deployed on a laptop computer so that it can be taken to the location with a problem. Often, the network is segmented by switches, hubs and routers, and a sniffer on one segment sees nothing of the traffic on another. Therefore, bringing the monitoring platform to the area experiencing the problem will help diagnose the problem more quickly. Sophisticated monitoring and management software that looks at the...