Ask the Expert

How helpful is the centralized logging of network flow data?

My organization is implementing centralized network flow logging. To what extent will better knowledge of network utilization help our security posture, and what are some common pitfalls to look out for?


Centralized logging of network flow data is an extremely valuable mechanism for both security and network professionals. It provides a single, searchable record of the connections seen by the exporting routers and sensors, including how much data passed over each connection, without retaining the packet contents themselves.

These records can help security professionals when responding to an incident. During an attack, for example, flow information often reveals how much data left the network (the quantity, but not the content, of exfiltrated data). The logged information can also help identify systems infected with malicious code, for instance by listing every internal host that connected to an address already known to be a command-and-control server, or hosts that repeatedly make small, regularly spaced connections to the same outside address. Networking professionals can use the same data to troubleshoot network anomalies and analyze bandwidth utilization. I strongly recommend network flow logging as part of a well-rounded security program.
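To make the incident-response uses above concrete, here is an added example (not part of the original column) that runs simple detection logic over a handful of constructed NetFlow-style records. The record format, the internal address ranges, the 203.0.113.9 "known-bad" address and the thresholds are all assumptions chosen for illustration; a real collector's export format and a real indicator list would replace them.

```python
"""Detection logic over constructed flow records (added example, not from the column)."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample: unidirectional flow records, one per line, in the form
# start_time,src_ip,dst_ip,dst_port,ip_proto,bytes,packets (an assumed CSV layout).
SAMPLE_FLOWS = """\
2008-02-11T09:00:01,10.1.4.22,10.1.1.5,445,6,18200,40
2008-02-11T09:00:05,10.1.4.22,203.0.113.9,443,6,52428800,38000
2008-02-11T09:00:07,10.1.4.31,198.51.100.20,80,6,3100,12
2008-02-11T09:00:09,10.1.4.40,203.0.113.9,443,6,950,8
2008-02-11T09:00:11,10.1.4.40,203.0.113.9,443,6,960,8
2008-02-11T09:00:13,10.1.4.40,203.0.113.9,443,6,955,8
2008-02-11T09:00:15,10.1.4.52,198.51.100.20,80,6,4100,15
2008-02-11T09:00:18,10.1.4.22,10.1.1.9,3389,6,220000,300
"""

# Assumed internal address space; anything else is treated as "outside".
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def parse_flows(text):
    """Parse the constructed CSV layout into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, nbytes, pkts = line.split(",")
        records.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                        "proto": int(proto), "bytes": int(nbytes), "pkts": int(pkts)})
    return records


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL)


def outbound_bytes_by_host(records):
    """Bytes each internal host sent to external destinations.
    This answers the incident question "how much left?" (volume, not content)."""
    totals = defaultdict(int)
    for r in records:
        if is_internal(r["src"]) and not is_internal(r["dst"]):
            totals[r["src"]] += r["bytes"]
    return dict(totals)


def exfil_suspects(records, threshold_bytes):
    """Internal hosts whose outbound volume meets the (assumed) threshold."""
    return sorted(h for h, b in outbound_bytes_by_host(records).items()
                  if b >= threshold_bytes)


def hosts_contacting(records, indicator_dst):
    """Internal hosts that talked to a known-bad address (e.g. a C2 server
    named in an incident report): candidate infected systems."""
    return sorted({r["src"] for r in records
                   if r["dst"] == indicator_dst and is_internal(r["src"])})


def beaconing_hosts(records, min_flows=3, max_bytes=2000, jitter_s=5):
    """Hosts making repeated small, evenly spaced connections to the same
    external dst:port, a simple beaconing heuristic for infected systems."""
    groups = defaultdict(list)
    for r in records:
        if is_internal(r["src"]) and not is_internal(r["dst"]) and r["bytes"] <= max_bytes:
            groups[(r["src"], r["dst"], r["dport"])].append(datetime.fromisoformat(r["ts"]))
    hits = set()
    for (src, _, _), times in groups.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter_s:   # near-constant interval
            hits.add(src)
    return sorted(hits)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("outbound bytes:", outbound_bytes_by_host(flows))
    print("exfil suspects:", exfil_suspects(flows, 10_000_000))
    print("talked to 203.0.113.9:", hosts_contacting(flows, "203.0.113.9"))
    print("beaconing:", beaconing_hosts(flows))
```

Note that the volume check only tells you that 10.1.4.22 pushed roughly 50 MB to an outside host over port 443; what was in it has to come from the endpoint, not from the flow archive. The beaconing heuristic is deliberately crude and will need tuning against normal traffic (software update checks, for instance, also produce regular small flows).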

Two common pitfalls come to mind, though: user privacy and storage capacity. Many organizations logging flow data don't think about privacy because they retain only connection-level data and never log packet payloads. The destination addresses of outbound connections, however, can still reveal sensitive personal information, such as which Web sites a user visited, and a source address is easily tied back to a person through DHCP or authentication logs. Depending upon your organization's privacy policy, this may be a significant concern.

Additionally, in a large enterprise, flow data can quickly consume large quantities of storage space; record volume scales with the number of flows rather than with link bandwidth, so a busy network can generate thousands of records per second. You'll need to estimate your storage needs from measured flow rates and develop a retention policy that balances business needs with the technical capabilities of the system.
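The two pitfalls above can both be addressed at the archive rather than at the collector. The following added example (again not the column's own code) shows one way: external destination addresses are replaced with a keyed hash so older records still let an analyst see "the same outside site" without naming it, records past a chosen age are rolled up to daily per-host totals, and the storage budget is estimated from a measured flow rate. The internal ranges, the record fields, the HMAC key and the sizing inputs are assumptions for illustration.

```python
"""Privacy and retention controls for a flow archive (added example, not from the column)."""
import hashlib
import hmac
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space; anything else is an outside destination.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample records (ts, src, dst, bytes) spanning two days.
SAMPLE_RECORDS = [
    {"ts": "2008-02-11T09:00:05", "src": "10.1.4.22", "dst": "203.0.113.9", "bytes": 52428800},
    {"ts": "2008-02-11T10:15:00", "src": "10.1.4.22", "dst": "10.1.1.5", "bytes": 18200},
    {"ts": "2008-02-12T08:00:00", "src": "10.1.4.22", "dst": "203.0.113.9", "bytes": 1200},
    {"ts": "2008-02-12T08:05:00", "src": "10.1.4.40", "dst": "198.51.100.20", "bytes": 3000},
]


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL)


def pseudonymize_external(record, key):
    """Return a copy of the record with any external destination replaced by
    a keyed hash (HMAC-SHA256, truncated). The same site always maps to the
    same token, so correlation still works, but the archive no longer names
    the site. Whoever holds the key can still resolve a token on demand."""
    out = dict(record)
    if not is_internal(record["dst"]):
        digest = hmac.new(key, record["dst"].encode(), hashlib.sha256).hexdigest()
        out["dst"] = "ext:" + digest[:16]
    return out


def roll_up_daily(records):
    """Collapse per-connection records into bytes sent per (src host, day).
    This keeps utilization and 'how much left' answerable long after the
    per-connection detail has been aged out."""
    totals = defaultdict(int)
    for r in records:
        day = r["ts"][:10]
        totals[(r["src"], day)] += r["bytes"]
    return dict(totals)


def estimate_storage_bytes(flows_per_second, bytes_per_record, retention_days,
                           compression_ratio=1.0):
    """Raw archive size for a retention window, from a measured flow rate.
    flows_per_second should come from the collector's own counters, not from
    link speed, since a link full of small packets yields far more flows."""
    return int(flows_per_second * 86400 * retention_days * bytes_per_record / compression_ratio)


if __name__ == "__main__":
    key = b"constructed-demo-key"   # assumed; keep the real one off the archive host
    for r in SAMPLE_RECORDS:
        print(pseudonymize_external(r, key))
    print(roll_up_daily(SAMPLE_RECORDS))
    # 5,000 flows/s at 50 bytes/record for 90 days, uncompressed
    print(estimate_storage_bytes(5000, 50, 90) / 1e12, "TB")
```

A workable policy pairs these: keep raw records with real addresses for the window you actually investigate within (under access control), pseudonymize external destinations for the next tier, and keep only daily roll-ups beyond that. The storage function gives the first tier's cost; at 5,000 flows per second and 50 bytes per record, 90 days of raw records is about 1.9 TB before compression.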

More information:

  • Fellow expert Joel Dubin explains some challenges that occur when designing a logging mechanism for peer-to-peer networks.
  • Myriad devices produce waves of logs. See how to get all that network data under control.
  • This was first published in February 2008
