What are the best points for monitoring traffic flow on a network, and why?
Knowing how to monitor network traffic matters for several reasons. An IDS/IPS can only alert on, and potentially block, malicious flows that it actually sees, so sensor placement decides what the system can detect. From a network operations perspective, traffic monitoring is how you track performance over time and establish a baseline, and the ability to observe traffic at key points on the network is an invaluable troubleshooting aid.
The key to monitoring traffic is to identify the choke points: the places where the traffic between a given set of sources and destinations is forced to pass, so that a single monitoring appliance sees as much of that traffic as possible. For example, to monitor all ingress and egress traffic for the enterprise network, the choke point is the inside interface of the firewall. The monitoring point itself can be a physical network tap inserted in the link, or a SPAN (mirror) port on a switch that copies the traffic of the port being monitored (in this example, the switch port connected to the firewall's inside interface) to the port where the sensor is attached. Two practical caveats: a SPAN session must mirror both received and transmitted frames, or the sensor will see only one direction of each conversation; and because a mirror port carries the sum of both directions of the source link, it can be oversubscribed and silently drop frames under load, which a passive tap does not.
Monitoring the inside interface of the firewall shows all traffic entering and leaving the network after unwanted traffic has been filtered by the firewall, and it shows internal hosts by their real addresses rather than their translated ones, which makes attribution of a flow to a host straightforward. Another useful choke point is the critical server segment, which gives visibility into all traffic entering or leaving that segment, including traffic from internal clients that never crosses the firewall. Starting with the inside firewall interface and the server segment is a good template for monitoring traffic across the enterprise.
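Once a tap or SPAN session is in place at one of these choke points, the first thing to verify is that the sensor is seeing both directions of the conversations passing through it; a mirror session configured for received frames only, or an asymmetric path around the tap, shows up as a large share of one-way flows. The following is an added example, not code from the original answer: it groups packet summaries into conversations by a direction-independent key and reports the ones seen in only one direction. The packet records are constructed inline for illustration; in practice they would come from a capture tool's output.

```python
"""Sanity-check a capture taken at a new choke point.

Groups packet summaries (src, sport, dst, dport, proto) into
conversations and reports those observed in only one direction.
A high one-way ratio on a link that should carry client/server
traffic suggests the SPAN session mirrors only rx (or only tx)
frames, or that the return path bypasses the tap.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def conversation_key(pkt):
    """Canonical key so both directions of a flow map to one entry."""
    endpoints = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (pkt.proto, endpoints[0], endpoints[1])


def direction_counts(packets):
    """conversation key -> {(sender ip, sender port): packet count}."""
    counts = defaultdict(lambda: defaultdict(int))
    for p in packets:
        counts[conversation_key(p)][(p.src, p.sport)] += 1
    return counts


def one_way_conversations(packets):
    """Conversations in which packets were seen from only one side."""
    counts = direction_counts(packets)
    return sorted(k for k, dirs in counts.items() if len(dirs) == 1)


def one_way_ratio(packets):
    """Fraction of conversations that are one-way (0.0 .. 1.0)."""
    counts = direction_counts(packets)
    if not counts:
        return 0.0
    one_way = sum(1 for dirs in counts.values() if len(dirs) == 1)
    return one_way / len(counts)


def looks_rx_only(packets, threshold=0.5):
    """Heuristic: TCP should always be bidirectional, so a one-way share
    above the threshold points at the mirror/tap configuration rather
    than at legitimately one-way UDP traffic such as syslog."""
    return one_way_ratio(packets) > threshold


# Constructed sample: a healthy capture, both directions of every flow.
SAMPLE_FULL = [
    Packet("10.0.1.20", 51234, "203.0.113.5", 443, "tcp"),
    Packet("203.0.113.5", 443, "10.0.1.20", 51234, "tcp"),
    Packet("10.0.1.21", 40001, "198.51.100.9", 80, "tcp"),
    Packet("198.51.100.9", 80, "10.0.1.21", 40001, "tcp"),
    Packet("10.0.1.20", 53011, "10.0.0.53", 53, "udp"),
    Packet("10.0.0.53", 53, "10.0.1.20", 53011, "udp"),
]

# Constructed sample: mirror session copying only frames received from
# the internal side. Replies are missing; one syslog flow is genuinely
# one-way, and one flow happens to be seen in both directions.
SAMPLE_RX_ONLY = [
    Packet("10.0.1.20", 51234, "203.0.113.5", 443, "tcp"),
    Packet("10.0.1.21", 40001, "198.51.100.9", 80, "tcp"),
    Packet("10.0.1.20", 53011, "10.0.0.53", 53, "udp"),
    Packet("10.0.1.30", 55000, "10.0.0.10", 514, "udp"),
    Packet("10.0.1.22", 42000, "192.0.2.7", 22, "tcp"),
    Packet("192.0.2.7", 22, "10.0.1.22", 42000, "tcp"),
]

if __name__ == "__main__":
    for name, sample in (("full", SAMPLE_FULL), ("rx-only", SAMPLE_RX_ONLY)):
        print(f"{name}: one-way ratio {one_way_ratio(sample):.2f}, "
              f"suspect mirror config: {looks_rx_only(sample)}")
        for key in one_way_conversations(sample):
            print("  one-way:", key)
```

The threshold is deliberately coarse: a server segment that exports NetFlow or syslog will always have some legitimately one-way UDP conversations, but TCP conversations seen from only one side are never normal, so a ratio well above a handful of percent on a TCP-heavy link is a configuration problem at the monitoring point, not a traffic pattern.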