Skip to main content

Sensor placement evaluation

I'm back again with an article discussing optimal network sensor placement. It is a simple case study i made after i've finished my thesis (APT detection through machine learning and network behavior analysis) regarding the network sensor placement in order to achieve maximum network visibility with minimal possible redundancy. These days i read "Network Security Through Data Analysis, Michael Collins, 2014" which triggered this case study.

The experimental network is a prototype enterprise network depicted in the following image.

(I didn't take it from "The Practice of Network Security Monitoring, Richard Bejtlich, 2013" even if it is almost the same with one of Richard Bejtlich's images. It is created using Dia)

The above network is a reasonable abstraction of an enterprise one. So in the following picture i try to place the candidate sensor positions (From A to F) and replace DMZ with a Debian machine (running an FTP, HTTP and SSH server) and Internal Network with a Windows machine. Also in point F there exist three service sensors (one for every service) and both server and client have the OSSEC client installed (the monitor computer is the server of the OSSEC distributed architecture and the one that monitors the traffic in every network-based sensor).

The next step contains the attentive creation of the worksheet showing the vantage of the last picture.

So from this table we conclude that:
  1. Host-based sensors are necessary for every connected machine. The advantage of host-based sensors is that they can monitor logins, logouts, file accesses etc. Nonetheless, you can implement host-based sensors only on hosts that you know about their existence in the network.
  2. Regarding service-based sensors, it is recommended that we place one sensor for every service our server runs so as to view traffic related to these services.
  3. Points A and B has the same vantage.
  4. From points B, C and E in order to achieve minimal redundancy with maximum visibility we should choose whichever two points, applying some kind of filter in one them. In my opinion, network-based sensors at points C and E satisfy most of our needs. This is true because in case of applying NAT in our two networks (DMZ of Internal Network) sensors in points C and E are capable of distinguishing different IP addresses.
The filter i suggest that you apply is the one that gives the following table (appropriately filtering the sensor in point E).

After this process we extract the desired table which is the one that gives the best results.

That's all! Try applying the same process in an experimental network and come back with your comments... Have a nice day...


Popular posts from this blog

Stick Veterans (or "I never thought this moment would come")

A personal project of mine based on the Stick Soldiers series, a project I first posted about 2 years ago, has finally seen the light with its first public version being uploaded on Gamejolt and

100 Maps

Stick Veterans has only recently reached the "100 maps milestone", a feat for which I need to thank you guys.

Digital Forensics: Imaging

Hello! Sorry for being inactive so much time but summer lasted a little bit longer than usual..!

Regarding my digging in digital forensics, i decided to create a series of posts beginning with imaging. So today i will show you the three most prevalent formats of "post-mortem" imaging and how to obtain them (on a *nix system) from a test disk.

The discussed formats are the following:
(1) Raw Format
(2) Expert Witness Compression Format (or ewf)
(3) Advanced Forensic Format (or aff)