
Open-source to the Rescue Again

Mysterious traffic shows the need for more comprehensive network monitoring, but as usual, funding is a problem.

By C.J. Kelly
November 28, 2005 12:00 PM ET

Computerworld - Traffic on the network had increased all week, but the intrusion-detection system wasn't picking up any malicious traffic. Whatever traffic was traversing the network was considered OK.
The servers and desktop systems were all at current patch levels, switches at current IOS levels. Sophos Anti-Virus wasn't showing any virus activity. We hadn't installed any new devices on the network. Yet something had changed and was causing problems.
We fired up the sniffer and weren't able to identify any particularly malicious traffic, but we did see a lot of what I call "stupid traffic" - IPX broadcasts from the new Ricoh multifunction devices that the vendor had installed and improperly configured; nothing that would affect outbound traffic.
We found that several users were running something called Netropa, a freely downloadable news feed application. As the users professed innocence, we uninstalled the service on each machine. Still, Netropa Corp. insists that the product isn't a bandwidth hog.
We couldn't identify any one system on the network that was transmitting unusually large amounts of data. Staffers ran around all afternoon tuning the network (and, in one case, inadvertently brought down a primary server - oops).
We were stumped. I even directed the senior server administrator to run F-Secure Corp.'s BlackLight rootkit detector on the Windows servers. No hidden processes were found.
As the week ended, bandwidth thankfully returned to normal, but we still didn't have any idea of the root cause of our network problems. Feeling frustrated, I thought out loud, "This is ridiculous. It shouldn't take us several days to figure this out."
What you need to understand, and what I need to be patient about, is that my staff has no real network monitoring or troubleshooting experience and no network security experience.
As many regular readers know, I manage IT and security for a small state agency, and our resources are very limited. In past jobs, I was always able to hire subject-matter experts, including CCIE-level network engineers and CISSP security engineers. Here, I have to rely on my own skills, which are more management-oriented than deeply technical.
In the past, the agency had relied on the state's network engineers to help out when network problems arose. This time, though, I wanted the staff to learn something about how to troubleshoot these types of problems and not turn to out-of-agency resources to get the job done. I was asking for a lot in a short period of time. But sometimes we learn best when we're under fire, even though I think you could characterize our activity as "chickens running around with their heads cut off."
Public-Sector Constraints
When you think about network monitoring, performance comes to mind. But what if you want to monitor for changes on the network in a holistic way? I wondered if it was possible to baseline the LAN/WAN environment for normal ports and services and be notified when something changed that was outside "normal." I could then investigate to find out if the change was desired or not. For instance, if a server began listening on a port that it normally would not be listening on, even for a brief period of time, this could indicate a possible compromise.
The basic problem that every security team faces, especially in a defense-in-depth model, is that there are too many events, too much data and too many places where security data must be reviewed for anyone to manually correlate it and pinpoint a complex security issue. You just can't do it.
A couple of years ago, a manager without a security background demanded metrics from me, and I explained that you can't easily pull metrics from disparate security devices without some way of correlating the data. We had to rely on our own analysis of a situation, decide whether it could be considered an incident and then investigate. That's not good enough.
There are numerous commercial security monitoring tools that operate at the network and systems levels. Back in the private sector, the answer to this metrics problem was to evaluate Protego MARS, a comprehensive security information management system. (This was before Protego Networks was acquired by Cisco Systems Inc.) In an ideal world, our agency would be able to go that same route. Of course, it's not an ideal world. We are a state agency with no budget to purchase such commercial products.
The answer, as it so often has been since I entered the public sector, was to turn to open-source. I went on a quest to find an open-source tool that would allow me to be notified when a change on the network occurred, malicious or not.
I was racking my brain for a way to monitor the network and somehow gain insight into potential security incidents via the use of a single open-source tool. I had heard about Nagios, an open-source host, service and network monitoring program, but had never used it. I knew it was primarily used to monitor networked resources. I learned that it can be used with Snort, Nmap, Nessus and some of the more common open-source network security tools and can become an aggregation point. I was a little excited until I downloaded the installation guide - 200 pages. I groaned. If nothing else, I thought, this job is forcing me to become more proficient in Linux.
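The port-and-service baseline described under Public-Sector Constraints, with Nmap as the scanner and a Nagios-style exit code so the check could be fed into that aggregation point, as an added example that is not from the column or from any tool it names. The nmap grepable (-oG) scan samples, addresses and host names are constructed for the demonstration.

```python
import re

# Constructed samples of nmap "grepable" (-oG) output; hosts and names are hypothetical.
BASELINE_SCAN = """\
# Nmap scan initiated (constructed baseline)
Host: 10.10.1.5 (fileserver)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
Host: 10.10.1.6 (webserver)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)
"""
CURRENT_SCAN = """\
Host: 10.10.1.5 (fileserver)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 10.10.1.6 (webserver)\tPorts: 80/open/tcp//http///, 443/filtered/tcp//https///\tIgnored State: closed (998)
Host: 10.10.1.77 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)
"""
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\s+Ignored State:.*)?$")

def parse_grepable(text):
    """Return {ip: {(port, proto): service}} holding only ports nmap reported open."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:  # comment lines and hosts without a Ports: field are skipped
            continue
        ip, _hostname, ports = m.groups()
        listening = {}
        for entry in ports.split(","):
            # each entry is port/state/proto/owner/service/rpcinfo/version
            fields = entry.strip().split("/")
            if len(fields) < 5 or fields[1] != "open":
                continue
            listening[(int(fields[0]), fields[2])] = fields[4]
        hosts[ip] = listening
    return hosts

def diff_scans(baseline, current):
    """List (kind, ip, detail) for every deviation of the current scan from the baseline."""
    findings = []
    for ip, ports in current.items():
        if ip not in baseline:
            findings.append(("new host", ip, ", ".join(f"{p}/{pr}" for p, pr in sorted(ports))))
            continue
        for (port, proto), svc in ports.items():
            if (port, proto) not in baseline[ip]:
                findings.append(("new listener", ip, f"{port}/{proto} ({svc})"))
        for port, proto in baseline[ip]:
            if (port, proto) not in ports:
                findings.append(("listener gone", ip, f"{port}/{proto}"))
    findings.extend(("host gone", ip, "") for ip in baseline if ip not in current)
    return findings

def nagios_status(findings):
    """Nagios plugin convention: exit code 0 is OK, 2 is CRITICAL, plus a one-line message."""
    if not findings:
        return 0, "OK - network matches baseline"
    summary = "; ".join(f"{kind} {ip} {detail}".rstrip() for kind, ip, detail in findings)
    return 2, f"CRITICAL - {len(findings)} deviation(s): {summary}"

if __name__ == "__main__":
    code, message = nagios_status(diff_scans(parse_grepable(BASELINE_SCAN), parse_grepable(CURRENT_SCAN)))
    print(message)
    raise SystemExit(code)
```

In practice the baseline would be a saved -oG file from a scan taken when the network was known-good, and the current scan the output of the scheduled rescan.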
The other advantage I am finding in seeking out, selecting and implementing open-source alternatives for network and security management on no budget is that I'm becoming more technical, which might be a good thing.