Task 1:
Instructions: Add additional insight opinions or challenge opinions and you can visit a couple of the web sites contributed and share your opinion of these sites. Minimum of 150 words for each.
1) Full content data is information based on that network that allows analysts to derive session, alert, and statistical data (Bejtlich, 2005).
It offers both granularity as well as application relevance which makes its collection meaningful (Bejtlich, 2005). To obtain full content data, there are security monitoring products at play.
When discussing security monitoring products, it is important to discuss the monitoring zones. "Monitoring zones are locations where the traffic in those areas shares certain privileges, based on the level of trust afforded by a security engineer" (Bejtlich, 2005, p. 45). According to Bejtlich (2005), there are four of these zones, or considerations. They are the perimeter, the demilitarized zone, the wireless zone, and the intranet. The perimeter is where sensors are typically deployed (Bejtlich, 2005).
This is due to the fact that it receives the most visibility from class 1 attackers (Bejtlich, 2005). However, it is the most untrusted zone because of the vulnerability associated with the lack of control (Bejtlich, 2005). The demilitarized zone (DMZ) is another area where sensors are frequently deployed (Bejtlich, 2005). It includes the DMZ switch and firewall (Bejtlich, 2005).The wireless zone is all machines that have wireless connectivity (Bejtlich, 2005).
It includes the wireless network and wireless access point firewall (Bejtlich, 2005). The intranet is another zone where sensors can be deployed, even though the perimeter and demilitarized zone are the preferred zones (Bejtlich, 2005). Intranet sensors experience a lot of traffic (Bejtlich, 2005). This could be why the intranet is monitored by practitioners via the internal networks as well as the critical internal hosts (Bejtlich, 2005).
Reference
Bejtlich, R. (2005). Security monitoring: Beyond intrusion detection [E-Reader Version]. Retrieved from The Tao of Network Security Monitoring
2) If any business entity does not know what's happening on their networks it probably means they are always going to be way behind the curve when it comes to attacks.
That is where security monitoring products having full content data comes into play which will be very beneficial to analyze when and what is happening within their network which can help to decide what to do about them. Having full content data or capturing full packets provide the most flexibility and granularity when analyzing network-centric data.
Addition to collecting the full content data, it is imperative to collect the data where analyst can see the true internet destination IP address for traffic of interest, and where you can see the true internal source IP address for traffic of interest (Bejtilch, 2012). However, for some of the businesses there could become issue of disk storage when capturing full content data of the network and it can add increase the cost to the business.
In addition, disk might not be able to capture full content of aggregating traffic and ensuring that all data have been captured without significant loss at line speed can be difficult.
With that in mind, at the beginning it would be much easier to get started monitoring only HTTP or DNS and prioritize some of the network segments such as those with PII, those that require PCI compliance, or any other important network which is critical from business perspective.
In addition, by capturing data of some of the critical piece of network netflows will indicate if there is any problem and it will come to know if additional information is needed to monitor by capturing additional data of networks.
Number of Pages: 1 Page
Page Line Spacing: Double spaced (Default)
Academic Level: College
Paper Format: APA
Task 2
Instructions: Use examples from the readings, or from your own research, to support your views, as appropriate. Encouraged to conduct research and use other sources to support your answers. Be sure to list your references at the end. References must be in APA citation format.
A minimum of 250-300 words.
Describe and interpret the deployment considerations involved with using network security monitoring products to obtain full content data.
Number of Pages: 1 Page
Page Line Spacing: Double spaced (Default)
Academic Level: College
Paper Format: APA