As network attacks become increasingly sophisticated and frequent, it has become nearly impossible for security administrators to keep pace with every exploit, worm, virus and denial-of-service attack. To address this issue, new relational network-modeling systems detect security threats by recognizing when network traffic patterns vary from the norm.
Implemented through software, relational network modeling analyzes the role of systems on a network, examining all inter-host relationships and communications. Collection devices placed in the network monitor traffic directly, either by capturing raw packets or from flow exports built by routers and switches.
The data is aggregated centrally, and the relational network-modeling system processes it to find the common patterns of normal network traffic, including patterns for certain times during the workweek. By gathering data directly from a network, the model system accurately represents the network's behavior from various observation points, including the ability to sort and graph by service, client and server.
This approach assumes that hosts generally will have a set of behaviors they rarely drift from so that, for example, Web clients always will be Web clients, not Web servers. For instance, Host A is a client of Host E using the HTTP protocol, but Host A talks to Host D using the DNS protocol. And Host D does not suddenly start behaving as an HTTP server for Host A under normal circumstances.
After a relational network-modeling system gathers data, it builds a model that administrators can use to define and enforce a policy. When deviations from acceptable use occur in the network, security alerts warn administrators of the change, a process known as anomaly detection.
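The baseline-and-deviation logic described above, as an added illustration that is not from the article or any vendor's product: it learns which (client, server, service) relationships and host roles are normal from constructed flow records (hypothetical hosts A through F), then labels observed flows that depart from that model, such as Host D suddenly serving HTTP to Host A.

```python
from collections import defaultdict

# Constructed baseline flow records (client, server, service), standing in for
# the flow exports a collector would aggregate. Hypothetical hosts, no real data.
BASELINE_FLOWS = [
    ("HostA", "HostE", "http"),
    ("HostA", "HostD", "dns"),
    ("HostB", "HostE", "http"),
    ("HostB", "HostD", "dns"),
    ("HostB", "HostF", "dns"),
    ("HostE", "HostD", "dns"),
]


def build_model(flows):
    """Learn the normal inter-host relationships and each host's roles."""
    model = {
        "relationships": set(),        # (client, server, service) seen in baseline
        "serves": defaultdict(set),    # host -> services it provides
        "consumes": defaultdict(set),  # host -> services it uses as a client
    }
    for client, server, service in flows:
        model["relationships"].add((client, server, service))
        model["serves"][server].add(service)
        model["consumes"][client].add(service)
    return model


def classify(model, flow):
    """Return None for traffic that fits the model, else a short anomaly label."""
    client, server, service = flow
    if flow in model["relationships"]:
        return None
    known = set(model["serves"]) | set(model["consumes"])
    if client not in known or server not in known:
        return "unknown-host"
    if service not in model["serves"].get(server, set()):
        # e.g. Host D answering HTTP for Host A when it only ever served DNS
        return "role-change"
    if service not in model["consumes"].get(client, set()):
        return "new-client-role"   # host never used this service as a client
    return "new-relationship"      # both roles are normal, the pairing is not


def detect(model, observed):
    """Run observed flows through the model and return only the alerts."""
    return [(f, label) for f in observed if (label := classify(model, f))]
```

In a real deployment the labels would map to alert severities, and the baseline would be learned per time-of-week bucket rather than as one flat set.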
Administrators can use relational network-modeling data to quickly characterize a worm's behavior and quarantine traffic specific to the worm's propagation without disrupting normal business traffic. Administrators then can enforce the normal network model, using internal subnet firewalls, router and switch access control list statements, and virtual LAN ACL statements to create exceptions for previously accepted, or normal, traffic and deny all other traffic. Relational network-modeling systems help generate these ACL statements and push them out to network control plane switches, routers and firewalls.