EXPERT RESPONSE
Centralized logging of network flow data is an extremely valuable mechanism for both security and network professionals. Logging provides a single, authoritative record of all connections between a network's systems, including the amount of data that passes over each connection.
These records can help security professionals when responding to an incident. During an attack, for example, network flow information often effectively reveals the quantity (but not content) of a network's extracted data. The logged info can also help identify systems infected with malicious code. Networking professionals can use the data to troubleshoot network anomalies and analyze bandwidth utilization. I strongly recommend network flow logging as part of a well-rounded security program.
Two common pitfalls come to mind, though: user privacy and storage capacity. Many organizations logging flow data don't think about privacy concerns because they're only retaining connection-level data and not logging packet payloads. The destination IP addresses in outbound connections, however, may also contain sensitive personal information about, say, the Web sites visited by a user. Depending upon your organization's privacy policy, this may be a significant concern.
Additionally, in a large enterprise, flow data may quickly consume large quantities of storage space. You'll need to estimate your storage needs and develop a retention policy that balances business needs with the technical capabilities of the system.
More information:
Fellow expert Joel Dubin explains some challenges that occur when designing a logging mechanism for peer-to-peer networks.
Myriad devices produce waves of logs. See how to get all that network data under control.
|
