Skip to main content

Sensor placement evaluation

I'm back again with an article discussing optimal network sensor placement. It is a simple case study i made after i've finished my thesis (APT detection through machine learning and network behavior analysis) regarding the network sensor placement in order to achieve maximum network visibility with minimal possible redundancy. These days i read "Network Security Through Data Analysis, Michael Collins, 2014" which triggered this case study.

The experimental network is a prototype enterprise network depicted in the following image.

(I didn't take it from "The Practice of Network Security Monitoring, Richard Bejtlich, 2013" even if it is almost the same with one of Richard Bejtlich's images. It is created using Dia)

The above network is a reasonable abstraction of an enterprise one. So in the following picture i try to place the candidate sensor positions (From A to F) and replace DMZ with a Debian machine (running an FTP, HTTP and SSH server) and Internal Network with a Windows machine. Also in point F there exist three service sensors (one for every service) and both server and client have the OSSEC client installed (the monitor computer is the server of the OSSEC distributed architecture and the one that monitors the traffic in every network-based sensor).

The next step contains the attentive creation of the worksheet showing the vantage of the last picture.

So from this table we conclude that:
  1. Host-based sensors are necessary for every connected machine. The advantage of host-based sensors is that they can monitor logins, logouts, file accesses etc. Nonetheless, you can implement host-based sensors only on hosts that you know about their existence in the network.
  2. Regarding service-based sensors, it is recommended that we place one sensor for every service our server runs so as to view traffic related to these services.
  3. Points A and B has the same vantage.
  4. From points B, C and E in order to achieve minimal redundancy with maximum visibility we should choose whichever two points, applying some kind of filter in one them. In my opinion, network-based sensors at points C and E satisfy most of our needs. This is true because in case of applying NAT in our two networks (DMZ of Internal Network) sensors in points C and E are capable of distinguishing different IP addresses.
The filter i suggest that you apply is the one that gives the following table (appropriately filtering the sensor in point E).

After this process we extract the desired table which is the one that gives the best results.

That's all! Try applying the same process in an experimental network and come back with your comments... Have a nice day...


Popular posts from this blog

Stick Veterans 2.0: a long-overdue update

It's been so long since the last game update that I feel nervous writing this. After a long time of development and rewriting, a new update is finally available. Stick Veterans 2.0 is now published on Poki, a popular online games website.

Blockbuster Inc. & other catch-up

This year has gone by super fast and it's about time for an update. Since June I've been working with Super Sly Fox as the lead developer on our upcoming game Blockbuster Inc , where you build and manage your movie studio through the decades.

Aircraft maintenance simulator & VR game projects

Since the start of this academic year I've been enrolled in a Computer Science postgraduate program. I have found a couple of my semester projects to be noteworthy, so I thought I should post about them.