Baby steps, part two

Baby Steps ended by asking how we can use the network itself “to extract information from strategic points that will tell us what is going on”. To start to explain, let’s have an example of a “strategic point”.

When I was at junior school (at about ten years of age), we were given a practical maths assignment which meant us leaving the school grounds. This was a big deal, because our school was quite literally a fortress – it had fifteen foot high brick and flint walls topped off with another six feet of chickenwire, only interrupted by heavy iron gates. Don’t get me started about the guard towers and searchlights. As such, it was a rare treat to get outside during school hours without resorting to re-enacting the Great Escape.

Our maths task for the day was to conduct a traffic survey. We were to sit with our backs to the outside of the fortress wall, count the passing cars, and group them by colour. After twenty minutes or so of this, we were shepherded inside by the guards teachers to prepare a report on which colours of car were most popular based upon our observations.

So, what has this got to do with strategic points and network security? It’s all to do with visibility, in terms of the quantity and type of traffic you want to observe.

Our school was on a main road, so we had a fair sample set to show for our twenty minutes’ worth of observations. If our school was instead next to a motorway, our sample set would have been huge (and possibly beyond the ability of a ten year old to accurately collect with a pencil and paper). If the school was in a cul-de-sac, we’d have hardly seen anything at all. So, if we want a large sample set the motorway is probably the best choice, albeit with the risk that we won’t be able to record everything we see.

On the other hand, the type of traffic may be more important to us than the quantity. If we want to observe trucks hauling huge loads, the motorway is the best place to look. If we’re interested in local bus services, our school’s main road might fit the bill. If we want to know about people’s milk deliveries, then the cul-de-sac would be a more fruitful place to conduct your sampling.

Coming back to network security, we have already established that we want to look at what is going on on the network; the next step is to pick one or more strategic points where we can do the looking. This will depend entirely on what your own infrastructure looks like, and what it is you’re hoping to see.

For the purposes of our baby steps, we’ll take the simple example of a small office. It has a dozen or so workstations connected via a switch, a single server (also on the switch), and a router that connects the whole lot to the Internet. We have already established that there is Badness on the Internet, and that we should watch for it. Given this objective, a suitable strategic point to monitor would be the point where the switch plugs into the router. All traffic either to or from the Interet will cross this point – if Badness is getting in or out, this is the route it has to take and with a bit of luck, we’ll catch it in the act.

(I should emphasise at this point that monitoring our little office’s border with the Internet will not tell us anything about the conversations that the workstations and the server have between themselves – we’ll only see traffic that involves the Internet. If you’re interested in “local” traffic, you’ll need to conduct your monitoring elsewhere on your network, possibly at more than one location).

Having picked the place to do our monitoring, we now need to decide how we’re actually going to do this. Clearly, a ten year old with a pencil isn’t going to cut it. Perhaps there’s some technical marvel that can help us out? Stay tuned!

Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters(at)


2 Responses to “Baby steps, part two”

  1. Is this where I use the comments on your blog to advatise badness in the form of links to dodgy russian spam bots?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: