Computerworld - The team gathered in the security lab for our weekly meeting. At the top of the agenda was distributed intrusion detection. The junior-level security engineer glanced toward a whiteboard that displayed his work of art -- numerous lines drawn in different colors depicting the complicated layout of our network. The black lines represented copper links, the red lines fiber, the black boxes routers and switches, and the blue boxes network taps and Snort sensors.
Meanwhile, the senior security architect distributed current network diagrams neatly done in Visio network diagramming software. Everyone was well prepared.
I noticed, however, that the team members were on edge. They were feeling drained and discouraged after dealing with Microsoft's flurry of security patches in October, discovering a security breach that originated from a remote laptop, managing participation in more than 40 IT and development projects and hearing rumors that the 2005 budget was being slashed to bare bones.
I took a deep breath, smiled my best we're-all-in-this-together smile and turned to the youngest member of our team. "Whatcha got?" I asked him.
He explained that his first recommendation for how to gain better visibility on the network was to buy port aggregators. He had read reviews and thought the idea sounded good. But after working closely with network engineers to better understand the network, the team member had found that the port aggregators wouldn't work for a variety of reasons. So, instead, he had come up with a design that combined port spanning with network taps. I reviewed his design and nodded. This kid is smart, I thought to myself, and this is sure going to cost a lot less money than the original plan of purchasing port aggregators at $950 a pop.
The goal, in my mind, was to be able to monitor the LAN/WAN environment for suspicious traffic, receive alerts via SMTP (preferably e-mail sent to our BlackBerry devices), respond to events in as close to real time as possible and report on that activity in weekly and monthly summaries to upper management. I didn't think that was too much to ask.
The senior security architect turned to me and said, "It would be helpful for us if you would be very explicit about what kind of results you're looking for."
As usual, I stuck my foot all the way down my throat. I said, "I want to see 100% of the traffic on 100% of this network and every network attached to it that we have security responsibility for." He smiled gently
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
