If you reflect upon modern IT networks, you will immediately realize that they are quite complex. They are built from various combinations of many components, e.g., routers, switches, firewalls and servers, and also include cloud-related resources such as Virtual Machines (VMs), hypervisors, containers, etc. Most of these elements are present in the network simultaneously and are interconnected by various means.
The moment you think of securing such complex networks, you will immediately realize that it is critical to monitor all these components carefully around the clock. From your perspective, each component of a modern network increases your attack surface. For every hacker and threat actor, this complexity of networks and the resulting challenge of 'visibility' create numerous opportunities to attack and exploit your network.
Not only this: if any of these devices fails, the performance of your network is immediately hindered, so staying on top of the performance of each element of the network is critical to the smooth, uninterrupted production of your organization.
You have no choice but to know and monitor the traffic of your own network.
Your network traffic is the amount of data moving across your computer network at any given point in time. You all know that this traffic consists of data packets which are sent over your network before they are re-assembled by the receiving computer or device.
But you need to look at your network traffic through various lenses. Traffic affects the quality of your network, because an unusually high amount of traffic can result in slow download speeds or spotty Voice over Internet Protocol (VoIP) connections. Traffic is also related to security, because an unusually high amount of traffic could be the sign of an attack.
Before you get into details, you need to get acquainted with some conceptual framework here. There is your data-center...
Whether you realize it or not, your organisation has a data-center. Your data-centers are made up of 'all PHYSICAL facilities' which are designed to support your business applications, AI activities, file sharing, communications and collaboration services, and many more. Your data-center(s) contain your servers, storage systems, routers, firewalls, and other components which are crucial for the proper functioning of the activities mentioned above.
Just take a simple example... When a user tries to access a web application, e.g., Salesforce, using the Google Chrome browser, there is a client (i.e., the device the user is using) and a data-center involved (i.e., Salesforce's data-center). Similarly, when a user accesses any other service or server (e.g., an LMS), there is a client and your own on-premise data-center.
In most situations, the client/user is asking for some information, which is obviously stored in your data-center, which in turn contains many other components (your company's digital assets), as explained above.
To perform this activity:
- The components inside your data-center prepare the content to send to the client. Understand this as communication happening between different components 'within' your data-center, such as the application server, database, etc.
In essence, you would usually observe that your network traffic has two directional flows:
1. East-West Traffic
Any communication between two or more components of your data-center, or even communication between different data-centers, is referred to as east-west traffic. During convergence, for example, routers exchange routing table information to ensure they have the same view of the internetwork in which they operate. Other examples are switches exchanging spanning-tree information to prevent network loops, or a LAN client communicating with a server in the data-center.
East-west traffic refers to traffic within a data-center, also known as server-to-server traffic.
Because the usage of virtual systems has grown extensively, and because organizations now prefer private cloud infrastructure more and more, east-west traffic volumes have increased drastically. Nowadays many functions and services are performed virtually, instead of on physical hardware as they used to be. This helps with many issues; however, the traffic on your network has increased as well, and as a result there can be latency which impacts network performance.
2. North-South Traffic
Any communication between components of your data-center and another system, which is physically OUT of the boundary of the data-center, is referred to as north-south traffic. In simpler words, it is any traffic coming to your data-center, or going out of it to another system. That other system can be simply a client requesting access to a web application (as mentioned above).
Traffic coming into your data-center through a firewall or other perimeter network device is referred to as south-bound traffic. The opposite, traffic going out of your data-center (say, to the internet or a cloud-service provider), is referred to as north-bound.
North-south traffic usually includes queries, commands, and data in general, being requested from your data center or stored in your data-center.
However, if you look at the network traffic from the point of view of managing bandwidth, then you can also segregate it into two general categories:
A. Real-time Traffic
This category of traffic is created or demanded by your critical business applications, such as VoIP, video conferencing, web browsing, etc., because they need the highest possible quality of data, delivered on time; in other words, with the least possible latency.
B. Non Real-time Traffic
This sort of traffic has another name, 'Best Effort Traffic.' Basically, it is the traffic that you, as a network administrator, would consider less important than your real-time traffic; for example, your email applications, or FTP for web publishing.
Securing Your Network Traffic
See, you cannot trust network traffic just because it has come from 'within' your physical boundaries. Whether it comes from within your assets (east-west) or from outside through a perimeter network device (north-south), you can trust your traffic only when all the services are secure.
North-south traffic is usually considered the more dangerous traffic because it comes from OUTSIDE the perimeter, and that is a very logical conclusion. Isn't it? That is why many security solutions focus more on it. But you need to consider that 'inside' traffic makes up the largest part of the whole network traffic, which is why there is a very high possibility that malicious activity ends up moving from one service to another.
Yet so many organisations tend to presume that their east-west (inside) traffic is secure, and they don't use the right tools or controls to monitor it. They assume that their network 'firewalls' don't let any malicious function inside their network. But this is a fallacy.
My guess is that most threat actors or hackers find a solution for their actions long before companies start thinking about securing the traffic 'inside' their network. New malware keeps coming up all the time, and as long as security experts do not have the right patch for a vulnerability IN TIME, threat actors can compromise the systems. Once malware gets into the network, your firewalls cannot do anything about it.
Thus, if your company keeps believing that its assets are secure without evaluating them properly, it is a perpetual invitation to threat actors to carry out their nefarious activities. This includes surveilling your network, getting access to your confidential data, and in general causing trouble to your business operations, which may, in time, damage your reputation.
And what about INSIDER THREATS? These can cause bigger trouble for your company, since they are harder to catch and less suspected in the first place, very much like inside-traffic threats.
By now, you must have already understood that Network Traffic Analysis/Monitoring is very important.
Network traffic analysis (NTA) is about the techniques used to examine network activity, manage availability, and identify unusual activity. For example, NTA helps you identify bottlenecks in your network, troubleshoot bandwidth-related issues, and improve the visibility of the devices and applications running on your network.
Addressing such issues as they occur not only optimizes your organization's IT resources but also reduces the possibility of an attack. NTA also enables you to determine whether any security or operational issues exist, or might exist moving forward, under current conditions. NTA works in real time, alerting you when there is an anomaly in network traffic or a possible breach. No wonder NTA is closely tied to enhanced security.
Overall, your NGFW and SD-WAN solutions are a great help in NTA.
However, the constant vigil or monitoring of your network is paramount. If you are not monitoring your network properly, then your network is just like a vehicle which has no warning lights or alarms. Something can go wrong, and things may seem fine at first. But soon, any problem can bring everything to a halt. Network monitoring can prevent this from happening.
Key Features of Network Monitoring Tools
In practice, there can be Agent-based or Agent-less monitoring tools. But, here is the list of fundamental features which are part of most monitoring tools:
1. Network Discovery
These tools are capable of discovering which components (switches, routers, firewalls, printers, servers, and other devices) are connected to your network, as well as how they are connected, which ports the devices use to connect, and which devices they are connected to.
Monitoring systems carry out the discovery process using a LIBRARY of monitoring templates. These templates tell the system how to monitor each device. But the parameters that are monitored vary depending on the device and its manufacturer. This is because each device has its unique features and functions according to how the manufacturer has programmed it. Right?
This can be important when you are trying to track down an issue that impacts several devices that are interconnected to a single problematic component, such as a server or switch.
2. Mapping
Network monitoring solutions can generate maps that lay out the ways in which devices are connected, as well as the ports each one uses to connect to its neighbors. They ensure that you need not look at a physical mess of wires and ports. You can see a mapped abstraction of your network, zooming in and out as you see fit, which gives you a precise and easy way to interpret the layout of your entire system. However, mapping out your network takes some doing...
3. Monitoring
Your monitoring process begins with focusing on the five most important elements of your network's performance:
- Latency and Ping availability
4. Reporting
It is crucial because it gives you the information you need to make adjustments and improvements. The reporting process includes current and historical data made available in an interface or DASHBOARD that you can easily manage to gain insights. The reporting feature can tell you whether your present network configuration is good enough or not. If there are problems with the present configuration, the reports generated can help you home in on problematic components or processes. You can customize reporting as per your needs and adjust it to your specific objectives.
5. Alerting
Alerts are the lifeline of the whole security arrangement. Whenever anything goes wrong or malfunctions in your network, a good monitoring solution will generate an alert. These alerts typically depend upon performance metrics and established thresholds.
A threshold alert is triggered when data crosses a pre-determined level. For example, a threshold can be set to provide an alert if a certain amount of memory is being consumed in an area of the network. If, for instance, 75% of memory is being used at any given moment, the monitoring system can send an alert to the admin. The admin can then use that information to diagnose the problem, perhaps by examining which processes are consuming the most memory.
Performance metrics are the next step in the utilization of threshold alerts. A performance metric will typically incorporate a period of time in the reporting process. For example, if 90% of CPU power is being consumed for 15 minutes straight, this performance metric can trigger an alert. You can then investigate and troubleshoot any problems.
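To show the difference between a plain threshold alert and a performance-metric alert that must hold for a period of time, here is an added example (not the post's own code). The hosts, the one-minute polls and the 90%/15-minute rule are constructed values:

```python
# Added example, not the post's own code; all samples below are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Sample:
    ts: datetime     # time the poll was taken
    device: str      # e.g. "app-srv-1"
    metric: str      # e.g. "cpu_pct", "mem_pct"
    value: float

def threshold_alerts(samples, metric, limit):
    """Plain threshold alert: fire on every poll at or above `limit`."""
    return [(s.ts, s.device) for s in samples
            if s.metric == metric and s.value >= limit]

def sustained_alerts(samples, metric, limit, duration):
    """Performance-metric alert: fire once per device when the metric has
    stayed at or above `limit` continuously for at least `duration`."""
    alerts, breach_start, fired = [], {}, set()
    ordered = sorted((s for s in samples if s.metric == metric), key=lambda s: s.ts)
    for s in ordered:
        if s.value >= limit:
            breach_start.setdefault(s.device, s.ts)
            if s.device not in fired and s.ts - breach_start[s.device] >= duration:
                alerts.append((s.ts, s.device))
                fired.add(s.device)
        else:
            # a dip below the limit resets the clock, so one spike never alerts
            breach_start.pop(s.device, None)
            fired.discard(s.device)
    return alerts

def constructed_samples():
    """One-minute CPU polls for two hosts, 09:00 to 09:20."""
    t0 = datetime(2024, 1, 1, 9, 0)
    out = []
    for m in range(21):
        # app-srv-1 sits at 95% the whole time: a sustained breach
        out.append(Sample(t0 + timedelta(minutes=m), "app-srv-1", "cpu_pct", 95.0))
        # db-srv-1 spikes to 99% for a single poll at 09:05, otherwise idle
        out.append(Sample(t0 + timedelta(minutes=m), "db-srv-1", "cpu_pct",
                          99.0 if m == 5 else 40.0))
    return out

def demo(limit=90.0, duration=timedelta(minutes=15)):
    samples = constructed_samples()
    return (threshold_alerts(samples, "cpu_pct", limit),
            sustained_alerts(samples, "cpu_pct", limit, duration))

if __name__ == "__main__":
    plain, sustained = demo()
    print(len(plain), "plain threshold alerts;", len(sustained), "sustained alert(s)")
```

The plain threshold fires 22 times (every app-srv-1 poll plus the single db-srv-1 spike), while the sustained rule fires once, for app-srv-1 at 09:15, which is the noise reduction the time window buys you.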
How Do Network Monitoring Tools Work?
There are many different types of network monitoring tools and techniques available in the market. Each method uses different technology to give you deeper visibility into your network.
1. Periodic Status Checking
This is the first technique you would use: you program your monitoring system to check at pre-determined intervals of time. Checking the availability of the different components of the network is equally important. This should be done as frequently as possible, preferably every minute or more often. You can also monitor how a central processing unit (CPU) is performing and the ways in which disk space is being used. Though you may wish to gather a lot of data on each device, that can place an unnecessary burden on your network. Thus you must identify the 'minimum' necessary interval on a component-by-component basis.
2. Checking Logs
Almost every tool that runs on your network can generate logs. These are produced at intervals and can be checked to diagnose or even predict network problems. When such logs show a potential issue, you can use them to pinpoint the nature of the problem as well as gather other critical intelligence regarding the issue. You can compare various logs by correlating their timestamps whenever some anomaly is observed. Further, if issues are happening in sequence, you can use tool logs to backtrack, hunting down the problem at its source.
3. Packet Sniffing
Packet sniffing or packet analyzing involves using a program or hardware device that acts as a network traffic monitor. It is capable of intercepting packets from network traffic and then logging them. In this way, a packet sniffer can detect malicious or otherwise harmful traffic and play a role in protecting the network.
4. Network Monitoring Protocols
There are several network monitoring protocols that can be used in a network monitoring system. When used correctly, they can reduce the impact the monitoring process has on the network. For example...
- Simple Network Management Protocol (SNMP)
SNMP is widely used in network management for network monitoring. It is a device-specific protocol that allows you to monitor the network using a system of 'tools' and 'nodes' that share a common language. Devices that typically support SNMP include cable modems, routers, switches, servers, workstations, printers, and more. Within each device, there is an agent that presents information to the managers and the tools they use for monitoring. The SNMP manager can send polls to the devices on the network. The devices respond with information regarding their status.
- WMI for Windows
It is a software layer and a protocol that creates an interface for an operating system, through which information is obtained from devices running a WMI computer program (agent) that collects details pertaining to the operating system, its software, or its hardware. It lets you access information regarding the devices operating within your network.
WMI can also report on the properties and status of local or remote systems, security and configuration information, as well as information pertaining to the various processes and services occurring within the network.
- SSH for Unix
Then there is SSH, which is common on Unix/Linux systems. It creates a secure, encrypted tunnel that the devices and network management software can use to interact. When an admin presents a host and port combination, username, and password, they can be authenticated and granted access.
- NetFlow
NetFlow examines packets of data as they pass through a SECTION of the network. It uses probes that grab the data before channeling it to a monitoring tool to be analyzed. The analytical process studies the traffic, taking note of how it flows and how much of it there is. This information is used to determine the ways in which data moves as it travels through the network. NetFlow and similar systems work by analyzing the INTERACTIONS between different devices. If data is not traveling as it should between devices, NetFlow can produce an alert that you can use to address the issue.
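To make the east-west / north-south split from earlier concrete and tie it to the kind of flow records NetFlow produces, here is an added example (not the post's own code or any NetFlow vendor's). It classifies constructed flow records against assumed data-center prefixes, totals bytes per direction, and flags flows outside an assumed baseline of sanctioned services, which is exactly the 'inside' traffic monitoring the post argues for:

```python
# Added example, not the post's own code; prefixes and flow records are constructed.
import ipaddress
from collections import defaultdict

# Assumed address space of the data-center (physical and virtual hosts alike).
DATA_CENTER = [ipaddress.ip_network("10.10.0.0/16"), ipaddress.ip_network("10.20.0.0/16")]

def in_data_center(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in DATA_CENTER)

def classify(src, dst):
    # east-west: both ends inside; south-bound: entering; north-bound: leaving;
    # external: neither end is ours (transit traffic we merely forward).
    s, d = in_data_center(src), in_data_center(dst)
    if s and d:
        return "east-west"
    if d:
        return "north-south (south-bound)"
    if s:
        return "north-south (north-bound)"
    return "external"

def parse_flow(line):
    # Minimal constructed exporter format: src,dst,proto,dport,bytes
    src, dst, proto, dport, nbytes = line.strip().split(",")
    return src, dst, proto, int(dport), int(nbytes)

def bytes_per_direction(lines):
    totals = defaultdict(int)
    for line in lines:
        src, dst, _, _, nbytes = parse_flow(line)
        totals[classify(src, dst)] += nbytes
    return dict(totals)

# Assumed baseline of sanctioned (direction, proto, dst port) triples.
EXPECTED = {("north-south (south-bound)", "tcp", 443),
            ("north-south (north-bound)", "tcp", 443), ("east-west", "tcp", 5432)}

def unexpected(lines, expected=EXPECTED):
    # Flows outside the baseline are what inside-traffic monitoring should surface.
    out = []
    for line in lines:
        src, dst, proto, dport, _ = parse_flow(line)
        if (classify(src, dst), proto, dport) not in expected:
            out.append(line)
    return out

FLOWS = [  # constructed sample records
    "203.0.113.7,10.10.1.20,tcp,443,180000",   # client -> web tier (south-bound)
    "10.10.1.20,10.20.5.11,tcp,5432,42000",    # web -> database (east-west)
    "10.20.5.11,10.10.1.20,tcp,5432,910000",   # database -> web (east-west)
    "10.10.1.20,203.0.113.7,tcp,443,950000",   # web -> client (north-bound)
    "10.20.5.11,198.51.100.9,tcp,22,300000",   # database -> internet ssh (north-bound)
]
```

Note that the east-west bytes (952,000) already exceed the south-bound bytes (180,000) in this small sample, and the only flow the baseline flags is the database host talking outbound on port 22, which a perimeter-only view would never have questioned.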
Kindly write your comments on the posts or topics, because when you do that you help me greatly in designing new quality articles/posts on cybersecurity.
You can also share with all of us if the information shared here helps you in some manner.
Life is small and make the most of it!
Also take care of yourself and your beloved ones…
____
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so obsessed with Cybersecurity domain that she is going out of her way and sharing hugely valuable posts and writings about Cybersecurity on website, and social media platforms.
34,000+ professionals are following her on Facebook and mesmerized by the quality of content of her posts on Facebook.
If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, then you can follow her on Facebook:
Click Here to follow her: Cybersecurity PRISM