9: Policy Considerations

The organization's networked systems security policy should require that administrators create an accurate, reliable, and complete characterization of systems at the following times, and whenever they determine that the characterization of normal, expected behavior needs to change:

  • When systems are first created

  • At well-defined events, including modifying, adding, and replacing elements of systems

Table 1 lists the categories and types of information to capture to establish characterization for your system.

Table 1 Data Categories and Candidate Types of Characterization Data to Collect

Data Category

Types of Data to Collect

Network performance

  • Total traffic load in and out over time (packet, byte, and connection counts) and by event (such as new product or service release)

  • Traffic load (percentage of packets, bytes, connections) in and out over time, sorted by protocol, source address, destination address, other packet header data

  • Error counts on all network interfaces

Other network data

  • Service initiation requests

  • Name of the user or host requesting the service

  • Network traffic (packet headers)

  • Successful connections and connection attempts (protocol, port, source, destination, time)

  • Connection duration

  • Connection flow (sequence of packets from initiation to termination)

  • States associated with network interfaces (up, down)

  • Network sockets currently open

  • Whether a network interface card is in promiscuous mode

  • Network probes and scans

  • Results of administrator probes

System performance

  • Total resource use over time (CPU, memory [used, free], disk [used, free])

  • Status and errors reported by systems and hardware devices

  • Changes in system status, including shutdowns and restarts

  • File system status (where mounted, free space by partition, open files, biggest file) over time and at specific times

  • File system warnings (low free space, too many open files, file exceeding allocated size)

  • Disk counters (input/output, queue lengths) over time and at specific times

  • Hardware availability (modems, network interface cards, memory)

Other system data

  • Actions requiring special privileges

  • Successful and failed logins

  • Modem activities

  • Presence of new services and devices

  • Configuration of resources and devices

  • System call data

Process performance

  • Amount of resources used (CPU, memory, disk, time) by specific processes over time; top "x" resource-consuming processes

  • System and user processes and services executing at any given time

Other process data

  • User executing the process

  • Process startup time, arguments, filenames

  • Process exit status, time, duration, resources consumed

  • Means by which each process is normally initiated (administrator, other users, other programs or processes), with what authorization and privileges

  • Devices used by specific processes

  • Files currently open by specific processes

Files and directories

  • List of files, directories, attributes

  • Cryptographic checksums for all files and directories

  • Accesses (open, create, modify, execute, delete), time, date

  • Changes to sizes, contents, protections, types, locations

  • Changes to access control lists on system tools

  • Additions and deletions of files and directories

  • Results of virus scans


  • Login/logout information (location, time): successful attempts, failed attempts, attempted logins to privileged accounts

  • Login/logout information on remote access servers that appears in modem logs

  • Changes in user identity

  • Changes in authentication status, such as enabling privileges

  • Failed attempts to access restricted information (such as password files)

  • Keystroke monitoring logs

  • Violations of user quotas


  • Application-specific and services-specific information such as network traffic (packet content), mail logs, FTP logs, web server logs, modem logs, firewall logs, SNMP logs, DNS logs, intrusion-detection system logs, database management system logs

  • Services-specific information could include FTP requests (files transferred and connection statistics); web requests (pages accessed, credentials of the requestor, connection statistics, user requests over time, which pages are most requested, and who is requesting them); mail requests (sender, receiver, size, and tracing information; for a mail server, number of messages over time, number of queued messages); DNS requests (questions, answers, zone transfers); for a filesystem server, file transfers over time; for a database server, transactions over time

Log files

  • Results of scanning, filtering, and reducing log file contents

  • Checks for log file consistency (increasing file size over time; use of consecutive, increasing time stamps with no gaps)


  • Results of vulnerability scans (presence of known vulnerabilities)

  • Vulnerability patch logging
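Two of the checks in Table 1 lend themselves to a concrete illustration: the "Files and directories" row (attributes and cryptographic checksums, with additions, deletions and changes to sizes, contents and protections detected against a baseline) and the "Log files" row (consecutive, increasing time stamps with no gaps). The following is an added example written for this page; it is not code from the book or its authors. The directory layout, file names, permission modes, log lines and the five-minute gap threshold are all constructed for the demonstration.

```python
"""Added example: a minimal system-characterization baseline.

Implements two checks from Table 1 as runnable code:
  * files and directories: record permission mode, size and SHA-256 of
    every entry under a tree, then diff a later snapshot to report
    additions, deletions and changes (content or protections);
  * log files: verify that timestamps increase consecutively and flag
    gaps larger than an expected interval.
Everything below (paths, file contents, log lines, thresholds) is constructed.
"""
import hashlib
import os
import shutil
import stat
import tempfile
from datetime import datetime, timedelta

# Constructed sample log, 'YYYY-MM-DD HH:MM:SS message' per line.
LOG_LINES = [
    "2024-03-01 10:00:00 sshd: session opened",
    "2024-03-01 10:00:30 cron: job started",
    "2024-03-01 10:01:00 cron: job finished",
    "2024-03-01 10:20:00 sshd: session closed",   # 19-minute gap
    "2024-03-01 10:19:00 kernel: link up",        # clock went backwards
]


def sha256_file(path, chunk=65536):
    """Streaming SHA-256 so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot_tree(root):
    """Return {relative_path: (mode, size, sha256)} for everything under root.

    Directories and non-regular files get size None and no checksum, so their
    appearance, disappearance or permission change is still visible."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            mode = stat.S_IMODE(st.st_mode)
            if stat.S_ISREG(st.st_mode):
                snap[rel] = (mode, st.st_size, sha256_file(full))
            else:
                snap[rel] = (mode, None, None)
    return snap


def compare_snapshots(baseline, current):
    """Report paths added, deleted, or whose mode/size/checksum differs."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "deleted": sorted(base - cur),
        "changed": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def check_log_consistency(lines, max_gap):
    """Return (line_number, problem) for timestamps that go backwards or
    that follow a gap longer than max_gap (a timedelta)."""
    problems = []
    prev = None
    for n, line in enumerate(lines, 1):
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        if prev is not None:
            if ts < prev:
                problems.append((n, "timestamp went backwards"))
            elif ts - prev > max_gap:
                problems.append((n, "gap of %s" % (ts - prev)))
        prev = ts
    return problems


def demo():
    """Build a constructed tree, baseline it, simulate drift, and re-check."""
    root = tempfile.mkdtemp(prefix="baseline-")

    def write(rel, data, mode=0o644):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(data)
        os.chmod(full, mode)

    write("config.ini", "debug=0\n")
    write("README", "baseline demo\n")
    write("tools/check.sh", "#!/bin/sh\necho ok\n")
    baseline = snapshot_tree(root)

    # Simulated drift: content change, protection change, addition, deletion.
    write("config.ini", "debug=1\n")
    os.chmod(os.path.join(root, "tools", "check.sh"), 0o755)
    write("tools/new.sh", "#!/bin/sh\n")
    os.remove(os.path.join(root, "README"))

    diff = compare_snapshots(baseline, snapshot_tree(root))
    shutil.rmtree(root)
    problems = check_log_consistency(LOG_LINES, timedelta(minutes=5))
    return diff, problems


if __name__ == "__main__":
    diff, problems = demo()
    print("file system drift:", diff)
    print("log consistency problems:", problems)
```

In practice the baseline snapshot itself must be stored where an intruder on the monitored host cannot alter it (the book's point about characterization data being reliable), and the comparison should be run from the trusted copy rather than from the host being checked.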
