
How helpful is the centralized logging of network flow data?

Network security expert Mike Chapple strongly recommends network flow logging as part of a well-rounded security program. There are two common pitfalls, however, that infosec professionals need to look out for.

My organization is implementing centralized network flow logging. To what extent will better knowledge of network utilization help our security posture, and what are some common pitfalls to look out for?
Centralized logging of network flow data is an extremely valuable mechanism for both security and network professionals. Logging provides a single, authoritative record of all connections between a network's systems, including the amount of data that passes over each connection.

These records can help security professionals when responding to an incident. During an attack, for example, network flow information often reveals the quantity (but not the content) of data exfiltrated from the network. The logged information can also help identify systems infected with malicious code. Networking professionals can use the same data to troubleshoot network anomalies and analyze bandwidth utilization. I strongly recommend network flow logging as part of a well-rounded security program.

Two common pitfalls come to mind, though: user privacy and storage capacity. Many organizations logging flow data don't think about privacy concerns because they're only retaining connection-level data and not logging packet payloads. The destination IP addresses in outbound connections, however, may also contain sensitive personal information about, say, the Web sites visited by a user. Depending upon your organization's privacy policy, this may be a significant concern.

Additionally, in a large enterprise, flow data may quickly consume large quantities of storage space. You'll need to estimate your storage needs and develop a retention policy that balances business needs with the technical capabilities of the system.
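As an added illustration of the two uses described above (the "quantity but not content" view of outbound traffic, and sizing storage for a retention policy), the following Python is example code written for this page, not the author's; the flow records, the 10.0.0.0/8 internal range and the sizing figures are all constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records (not from the article): one line per connection,
# fields are start time, source IP, destination IP, destination port, bytes sent.
SAMPLE_FLOWS = """\
2008-02-01T09:00:01,10.0.1.15,93.184.216.34,443,18200
2008-02-01T09:00:05,10.0.1.22,10.0.2.5,445,5400
2008-02-01T09:01:10,10.0.1.15,93.184.216.34,443,22100
2008-02-01T09:02:00,10.0.1.40,203.0.113.9,443,910000000
2008-02-01T09:02:30,10.0.1.22,198.51.100.7,80,3100
2008-02-01T09:03:00,10.0.1.40,203.0.113.9,443,640000000
"""

INTERNAL = [ip_network("10.0.0.0/8")]  # assumed internal address space

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)

def parse_flows(text):
    """Parse the CSV-style flow log into dicts; skip blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, src, dst, dport, nbytes = parts
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows

def outbound_bytes_per_host(flows):
    """Sum bytes on internal->external flows per internal source host.
    Flow data gives volume per host, never the payload itself."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[f["src"]] += f["bytes"]
    return dict(totals)

def flag_exfil_candidates(flows, threshold_bytes):
    """Hosts whose outbound volume exceeds the threshold: a triage lead, not proof."""
    return sorted(h for h, b in outbound_bytes_per_host(flows).items()
                  if b > threshold_bytes)

def estimate_storage_gib(flows_per_day, bytes_per_record, retention_days):
    """Rough sizing for a flow retention policy (records x record size x days)."""
    return flows_per_day * bytes_per_record * retention_days / 2**30
```

Running `flag_exfil_candidates(parse_flows(SAMPLE_FLOWS), 500 * 10**6)` on the constructed data singles out 10.0.1.40, while `estimate_storage_gib(50_000_000, 48, 90)` shows how quickly a 90-day policy at 50 million records a day reaches hundreds of GiB.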

More information:

  • Fellow expert Joel Dubin explains some challenges that occur when designing a logging mechanism for peer-to-peer networks.
  • Myriad devices produce waves of logs. See how to get all that network data under control.

This was last published in February 2008.
