Information security requires knowing what’s coming into your network so you can protect the valuable data inside.
Network Monitoring Basics
Basic network monitoring tools work with what’s called flow data: summary information such as IP addresses, ports, and protocols, along with when the communication occurred and how much data was transmitted.
While IP addresses can be mapped to domain names to provide a better understanding of traffic, a single IP address can host multiple domains. This means that the IP address and domain name by themselves provide an incomplete or incorrect understanding of the data source. Adding detail to the flow data is needed to provide a fuller picture.
In order to get that fuller picture, the flow data can be enhanced with application metadata. This metadata pulls additional information out of the traffic; for instance, it can identify an HTTP request and the HTTP hostname it was sent to. This provides better support for blocking traffic to unapproved websites.
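The following script is an added example (not code from the original post or from CCS Technology Group) showing why the hostname enrichment matters: it classifies constructed flow records first from the IP address alone, then with the HTTP hostname attached as application metadata. All addresses, hostnames and the blocklist are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (documentation-range addresses, example hostnames).
# One address, 203.0.113.10, hosts several domains, as on shared hosting or a
# CDN, so the IP alone cannot say which site a given flow actually reached.
IP_TO_DOMAINS = {
    "203.0.113.10": {"intranet.example.org", "games.example.net"},
    "198.51.100.7": {"updates.example.com"},
}
UNAPPROVED_HOSTS = {"games.example.net"}

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str                       # "tcp" or "udp"
    start: int                       # epoch seconds
    bytes_sent: int
    http_host: Optional[str] = None  # HTTP hostname, when inspection saw one

def classify_by_ip(flow: Flow) -> str:
    """Flow-data-only decision: every domain on dst_ip is a candidate."""
    domains = IP_TO_DOMAINS.get(flow.dst_ip, set())
    if not domains:
        return "unknown"
    bad = domains & UNAPPROVED_HOSTS
    if not bad:
        return "allow"
    if bad == domains:
        return "block"
    return "ambiguous"  # the IP hosts both approved and unapproved sites

def classify_enriched(flow: Flow) -> str:
    """Prefer the HTTP hostname from application metadata; fall back to IP."""
    if flow.http_host is not None:
        return "block" if flow.http_host in UNAPPROVED_HOSTS else "allow"
    return classify_by_ip(flow)  # e.g. an HTTPS flow with no visible hostname

# Constructed flows: two plain-HTTP flows to the shared IP, one HTTPS flow.
FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 51000, 80, "tcp", 1700000000, 4096,
         http_host="games.example.net"),
    Flow("10.0.0.6", "203.0.113.10", 51001, 80, "tcp", 1700000010, 2048,
         http_host="intranet.example.org"),
    Flow("10.0.0.7", "198.51.100.7", 51002, 443, "tcp", 1700000020, 8192),
]
```

The HTTPS flow carries no hostname metadata, so it falls back to the IP-only decision; that is the encrypted-traffic limitation the next section discusses.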
Network Monitoring Challenges
Although enriched flow data improves monitoring capabilities, there are still numerous challenges that need to be overcome in order to establish an effective monitoring strategy.
- Encrypted data. Today, almost all HTTP connections are actually HTTPS connections. These encrypted connections protect transmissions from being spied on as they travel between endpoints. However, that same encryption also blocks the security inspection the data needs before it reaches its destination. A message that’s encrypted isn’t necessarily “safe”; it can contain a virus or other malware.
- Selecting the data sources. Flow data, from routers and other devices, is necessarily high-level. You can get more detailed data by capturing packets at test access points (TAPs) and port mirrors. In addition, monitoring often requires installing agents on each device. The more devices with agents installed, the higher the costs and the more maintenance required. Some software doesn’t require installing agents, but monitoring too many devices still makes the effort more complex and error-prone. Finally, while network monitoring for security often focuses on external data flows, internal data flows should be monitored for suspicious usage as well.
- Accessing historical data. Real-time analysis isn’t always sufficient for detecting threats. More accurate threat analytics require historical data as well.
- Determining users. Although all data is associated with an IP address, this doesn’t necessarily identify the user associated with the data. User identity may make a difference when deciding whether data is legitimate or should be blocked.
Overcoming Network Monitoring Challenges
All of these challenges can be overcome with a more refined network monitoring strategy. Even encrypted traffic can be monitored through designs that decrypt the data for inspection before passing it on to its destination.
Network monitoring is a vital element of both infrastructure management and information security. Managed services from CCS Technology group ensure your network provides both capacity and security. Contact us to learn more about how our services can improve your business’s IT experience.