Sensor placement evaluation

I'm back again with an article discussing optimal network sensor placement. It is a simple case study I made after finishing my thesis (APT detection through machine learning and network behavior analysis), regarding network sensor placement in order to achieve maximum network visibility with the least possible redundancy. These days I am reading "Network Security Through Data Analysis" (Michael Collins, 2014), which triggered this case study.

The experimental network is a prototype enterprise network depicted in the following image.

(I didn't take it from "The Practice of Network Security Monitoring" (Richard Bejtlich, 2013), even though it is almost the same as one of Richard Bejtlich's figures. It was created using Dia.)

The above network is a reasonable abstraction of an enterprise one. So in the following picture I place the candidate sensor positions (A to F), replace the DMZ with a Debian machine (running FTP, HTTP and SSH servers) and the Internal Network with a Windows machine. At point F there are three service sensors (one for every service), and both server and client have the OSSEC client installed (the monitor computer is the server of the OSSEC distributed architecture and also the one that monitors the traffic at every network-based sensor).

The next step is the careful creation of the worksheet showing the vantage of each sensor point in the last picture.

So from this table we conclude that:
  1. Host-based sensors are necessary for every connected machine. Their advantage is that they can monitor logins, logouts, file accesses, etc. Nonetheless, you can only deploy host-based sensors on hosts whose existence in the network you know about.
  2. Regarding service-based sensors, it is recommended to place one sensor for every service the server runs, so as to view the traffic related to each of these services.
  3. Points A and B have the same vantage.
  4. From points B, C and E, in order to achieve minimal redundancy with maximum visibility, we should choose any two points and apply some kind of filter to one of them. In my opinion, network-based sensors at points C and E satisfy most of our needs, because if NAT is applied in our two networks (DMZ or Internal Network), sensors at points C and E are still able to distinguish the different IP addresses.
The filter I suggest you apply is the one that gives the following table (appropriately filtering the sensor at point E).

After this process we extract the desired table, which is the one that gives the best results.
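As an added example (not part of the original post), the following Python models the vantage worksheet for a constructed version of this topology and derives the post's conclusions from it: A and B are equivalent, any two of B, C and E cover all flows with the same redundancy, NAT awareness favours C and E, and a filter on E removes the remaining overlap. The flow list, the per-point vantage and the NAT attribute are my assumptions, not the author's data.

```python
"""Vantage evaluation for candidate network sensor points (added example).
Flows and per-point vantage are CONSTRUCTED to mirror the post's sketch
(points A, B, C, E); they are not the author's worksheet."""
from itertools import combinations

# Constructed flows as (source, destination) pairs between the three hosts:
# INET (Internet), DMZ (Debian server), INT (Windows client).
FLOWS = {("INET", "DMZ"), ("DMZ", "INET"), ("INET", "INT"), ("INT", "INET"),
         ("INT", "DMZ"), ("DMZ", "INT")}
# Constructed vantage: the flows each candidate point can observe. D is left
# out (the post draws no conclusion about it); F holds host/service sensors.
VANTAGE = {
    "A": {f for f in FLOWS if "INET" in f},  # outside the border router
    "B": {f for f in FLOWS if "INET" in f},  # inside the border router
    "C": {f for f in FLOWS if "DMZ" in f},   # DMZ segment
    "E": {f for f in FLOWS if "INT" in f},   # internal network segment
}
# Constructed: points inside a NAT boundary see the real internal addresses.
INSIDE_NAT = {"C", "E"}

def union(points, vantage):
    """All flows observed by at least one of the given points."""
    return set().union(*(vantage[p] for p in points))

def equivalent_points(vantage):
    """Groups of points with identical vantage, i.e. pure redundancy."""
    groups = {}
    for point, seen in vantage.items():
        groups.setdefault(frozenset(seen), []).append(point)
    return [sorted(g) for g in groups.values() if len(g) > 1]

def redundancy(points, vantage):
    """Number of flow observations duplicated across the chosen points."""
    return sum(len(vantage[p]) for p in points) - len(union(points, vantage))

def best_placement(vantage, flows, inside_nat=frozenset()):
    """Smallest set of points that sees every flow; ties are broken by fewer
    duplicate observations, then by more points sitting inside NAT."""
    for size in range(1, len(vantage) + 1):
        covering = [c for c in combinations(sorted(vantage), size)
                    if union(c, vantage) >= flows]
        if covering:
            return min(covering, key=lambda c: (redundancy(c, vantage),
                                                -len(set(c) & inside_nat)))

def filtered_vantage(vantage, keep, filter_point):
    """Model a capture filter at filter_point that drops flows seen at keep."""
    out = dict(vantage)
    out[filter_point] = vantage[filter_point] - vantage[keep]
    return out
```

Without the NAT tie-break the first two-point cover wins; with it, C and E are chosen, and filtering E down to what C does not already see brings the redundancy of the pair to zero while still covering every flow.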

That's all! Try applying the same process to an experimental network and come back with your comments... Have a nice day...
