
6.3 Monitor and Inspect Network Activities

Data about network activities (traffic, performance, etc.) can be collected from a variety of sources, including the following:

  • Administrator probes (Internet control message protocol [ICMP] pings, port probes, simple network management protocol [SNMP] queries)

  • Log files (routers, firewalls, other network hosts and devices)

  • Alert reports

  • Error reports

  • Network performance statistics reports

  • The outputs of tools used to support in-depth analysis

You should watch for unexpected network behavior, such as the following:

  • Unexpected changes in network performance such as variations in traffic load at specified times

  • Traffic coming from or going to unexpected locations

  • Connections made at unusual times

  • Repeated, failed connection attempts

  • Unauthorized scans and probes

  • Nonstandard or malformed packets (protocol violations)

Monitoring messages as they traverse your network gives you the ability to identify intrusive activity as it is occurring or soon afterwards. By catching suspicious activity as early as possible, you can immediately begin to investigate the activity and hopefully minimize and contain any damage.

Logs of network traffic may contain evidence of unusual, suspicious, or unexpected activities, indicating that someone has compromised or tried to compromise a system on your network. By inspecting log files on a regular basis, you may be able to identify intruder reconnaissance in advance of an intrusion. You may also identify attempted or successful intrusions soon after they occur. However, if an intruder has altered log files, the data may no longer be present.

If you permit access to your systems and networks by third parties (vendors, contractors, suppliers, partners, customers, etc.), you must monitor their access to ensure that all their actions are authentic and authorized. This step includes monitoring and inspecting their network activities.

6.3.1 Notify Users

Inform authorized users of your systems about the scope and kinds of monitoring you will be doing and the consequences of unauthorized behavior.

A common method for communicating this message is the presentation of a banner message immediately before user login.

Without the presentation of a banner message or other warning, you probably cannot use log files and other collected data in any action you may choose to take against a user.

For further information on setting up monitoring banners for Windows NT, refer to the implementation Setting Up a Logon Banner on Windows NT 4.0.² Here's one example of banner language taken from this implementation:

This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel. In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials.

6.3.2 Review Network Alerts

Review and investigate notifications from network-specific alert mechanisms (such as e-mail, voice mail, or pager messages), for example:

  • Users and other administrators, via e-mail or in person

  • Operating system alert mechanisms

  • Network and system management software traps, such as those that can be set via SNMP (simple network management protocol)

  • Intrusion detection systems

  • Custom alert mechanisms from service or application programs (including tools)

6.3.3 Review Network Error Reports

These types of notifications are typically produced by one of the following devices:

  • Operating system error reporting mechanisms

  • Log file filtering tools

  • Vendor or custom-developed management software

  • Custom error-reporting mechanisms from service or application programs (including tools)

Often an administrator will be able to configure error reporting at a number of criticality, severity, or priority levels when installing the network system, service and application programs, and supporting tools.

6.3.4 Review Network Performance

Statistics are generally produced by vendor or custom performance-monitoring tools. Typical statistics include the following (refer to Section 5.3, Table 5.2):

  • Total traffic load in and out over time (packet, byte, and connection counts) and by event (such as new product or service release)

  • Traffic load (percentage of packets, bytes, connections) in and out over time sorted by protocol, source address, destination address, other packet header data

  • Error counts on all network interfaces

  • Comparison of previous network performance statistics with current statistics for the same time frame

Look for the following extraordinary occurrences:

  • Unexpected changes in performance between current and previously captured statistics, for example, unusually high or low network traffic compared with expected levels for the day of the week and time of day

  • Unexpected deviations from authoritative network traffic characterization information, for example (refer to Section 5.3):

    • traffic coming from unexpected source addresses or using unexpected ports or protocols

    • traffic going to unexpected destination addresses or using unexpected ports or protocols

    • excessively high or low traffic volume for the day of the week and time of day

  • Unexpected loss of connectivity

  • Unusual modem activity or availability, which can indicate intruder access through overlooked entry points (ports) or intruder use of daemon dialers
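
The comparison against expected levels for the day of the week and time of day can be automated. The following is an added example, not taken from the book: it builds a per-(weekday, hour) baseline from earlier samples and classifies a new reading. The traffic figures, the three-standard-deviation threshold, and the 5% floor are assumptions chosen for illustration.

```python
from datetime import datetime
from statistics import mean, stdev


def build_baseline(history):
    """Group (timestamp, volume) samples by (weekday, hour) and return
    {(weekday, hour): (mean, standard deviation)} for buckets with 2+ samples."""
    buckets = {}
    for ts, volume in history:
        buckets.setdefault((ts.weekday(), ts.hour), []).append(volume)
    return {k: (mean(v), stdev(v)) for k, v in buckets.items() if len(v) >= 2}


def classify(baseline, ts, volume, k=3.0):
    """Compare one reading with the baseline for the same weekday and hour.

    Returns "high", "low", "normal", or "no-baseline" when no earlier
    statistics exist for that time frame (k is an assumed threshold).
    """
    key = (ts.weekday(), ts.hour)
    if key not in baseline:
        return "no-baseline"
    mu, sigma = baseline[key]
    # Floor the spread at 5% of the mean so a near-constant history does not
    # turn every small fluctuation into an alert (assumed value).
    sigma = max(sigma, 0.05 * mu)
    if volume > mu + k * sigma:
        return "high"
    if volume < mu - k * sigma:
        return "low"
    return "normal"


# Constructed sample data: megabytes transferred during the 02:00 and 14:00
# hours on four consecutive Mondays (1, 8, 15 and 22 January 2024).
MONDAYS = (1, 8, 15, 22)
HISTORY = (
    [(datetime(2024, 1, d, 2), v) for d, v in zip(MONDAYS, (100, 110, 90, 100))]
    + [(datetime(2024, 1, d, 14), v) for d, v in zip(MONDAYS, (900, 1000, 1100, 1000))]
)
BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    readings = [
        (datetime(2024, 1, 29, 14), 950),  # ordinary Monday afternoon load
        (datetime(2024, 1, 29, 2), 950),   # the same volume at 02:00 is not ordinary
        (datetime(2024, 1, 29, 14), 50),   # unusually low traffic also matters
        (datetime(2024, 1, 30, 14), 950),  # Tuesday: nothing to compare against
    ]
    for ts, volume in readings:
        print(ts.strftime("%a %H:%M"), volume, classify(BASELINE, ts, volume))
```

The same volume is normal at 14:00 and anomalous at 02:00, which is why the baseline is keyed by time frame and not kept as one overall average.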

6.3.5 Review Network Traffic

Identify any unexpected, unusual, or suspicious network traffic and the possible implications. From network log files and other network traffic collection mechanisms, look for the following extraordinary occurrences:

  • Reconnaissance (probes, scans, use of mapping tools) in advance of an attack. These activities can indicate attempts to identify your configuration (hosts, operating systems, network topology, externally accessible paths into your systems, etc.) and your Internet service provider(s) (ISP), along with their configuration.

  • Connections to or from unusual locations. For example, if a server host is dedicated to a single service (such as serving a public web site), any requests it makes for outbound connections are suspicious. Such requests may indicate that an intruder has compromised the server and that it is being used to launch an attack on another host.

  • Protocol violations. These include, but are not limited to, invalid option bits in a transmission control protocol (TCP) packet, invalid sequence numbers in a TCP packet, invalid flags in a TCP packet (ACK before SYN), and invalid fragments. There is no good reason to violate the Internet protocol (IP), TCP, ICMP, and user datagram protocol (UDP) specifications. These types of protocol violations often result when an intruder uses a network scanner in an attempt to bypass your firewall (that may just check for an established bit set on a packet) and to identify the type of systems on your networks (since different host IP stacks will respond to the error in different ways). A DoS condition can occur, for example, when an intruder's host creates TCP half-open connections by sending a flood of SYN packets with no corresponding ACK packets.³

  • Packets with source and destination addresses external to your network. Your firewall should always be configured to prevent this. If it occurs, it may indicate that an intruder has bypassed the firewall, possibly by compromising the firewall host, and is routing his or her traffic through your network, perhaps to take advantage of a network-level trust relationship. It may also indicate the presence of an inside intruder.

  • Packets with an internal source address that actually originate from an external source. This can indicate an IP spoofing attack that may have bypassed your firewall.

  • Unusual port combinations in TCP and UDP packets. This type of traffic could indicate an unexpected service running on the network (such as a backdoor program). It could also indicate that the intruder has bypassed your firewall. Packets with the same source address and a sequence of destination ports often indicate that an intruder is trying to discover both the firewall policy and what services are available on your systems.

  • Unusual address resolution protocol (ARP) traffic. In a switched network, an intruder can alter the ARP cache on one or more hosts so that any host on the same segment can see traffic on that segment (similar to a network interface card in promiscuous mode on a shared Ethernet segment). The intruder can then gain access to passwords and other unencrypted information sent over the network.

  • Unusual dynamic host configuration protocol/boot protocol (DHCP/BOOTP) traffic. An intruder can cause a host to send bogus DHCP replies and convince other hosts that it is their default gateway. The compromised host will then receive all of the traffic for outbound networks and gain access to unencrypted information sent over the network.

  • Packets with unusual protocol or port numbers sent to broadcast addresses. This type of traffic can indicate a DoS attack.

  • An unusually high number of ICMP port unreachable packets from a single host. This indicates that an intruder is scanning the host looking for available services.

  • Connections made at unusual times

  • Unusual use of Internet Relay Chat (IRC), a common means of communication used by intruders
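
Several of the address- and port-based checks in this list can be run mechanically over firewall or flow logs. The following is an added example, not taken from the book, covering five of them: packets with both addresses external, internal source addresses arriving from outside, outbound connections from a dedicated server, one source trying a series of destination ports, and a host emitting many ICMP port unreachable messages. The record layout, address plan, server list, and thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed for this example (not from the chapter): address plan, server list, thresholds.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DEDICATED_SERVERS = {"10.0.1.80"}  # web server that should never open outbound connections
SCAN_PORTS = 5                     # distinct destination ports from one source to one target
UNREACHABLE = 5                    # ICMP port unreachable messages sent by one host


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def review(records):
    """Return sorted (finding, host) pairs.

    Each record is one new connection attempt or ICMP message as a firewall
    might log it: iface ("ext" or "int", the side it arrived on), src, dst,
    proto, and dport (TCP/UDP) or icmp (message type).
    """
    findings = set()
    ports = defaultdict(set)        # (src, dst) -> destination ports tried
    unreachable = defaultdict(int)  # src -> port unreachable messages sent
    for r in records:
        src_in, dst_in = is_internal(r["src"]), is_internal(r["dst"])
        if not src_in and not dst_in:
            findings.add(("external-to-external", r["src"]))
        if src_in and r["iface"] == "ext":
            findings.add(("spoofed-internal-source", r["src"]))
        if r["proto"] in ("tcp", "udp"):
            ports[(r["src"], r["dst"])].add(r["dport"])
            if r["src"] in DEDICATED_SERVERS and r["iface"] == "int" and not dst_in:
                findings.add(("server-outbound", r["src"]))
        elif r.get("icmp") == "port-unreachable":
            unreachable[r["src"]] += 1
    for (src, _dst), seen in ports.items():
        if len(seen) >= SCAN_PORTS:
            findings.add(("port-scan", src))
    for host, count in unreachable.items():
        if count >= UNREACHABLE:
            findings.add(("udp-scan-target", host))
    return sorted(findings)


def rec(iface, src, dst, proto, dport=None, icmp=None):
    return {"iface": iface, "src": src, "dst": dst, "proto": proto, "dport": dport, "icmp": icmp}


# Constructed sample records; documentation address ranges stand in for external hosts.
SAMPLE = (
    [rec("ext", "203.0.113.7", "10.0.1.80", "tcp", p) for p in (21, 22, 23, 25, 80, 110)]
    + [rec("int", "10.0.2.9", "203.0.113.7", "icmp", icmp="port-unreachable")] * 6
    + [
        rec("ext", "10.0.5.5", "10.0.1.80", "tcp", 80),         # internal source seen outside
        rec("int", "198.51.100.9", "203.0.113.50", "tcp", 25),  # neither address is ours
        rec("int", "10.0.1.80", "198.51.100.20", "tcp", 6667),  # web server opening IRC
        rec("int", "10.0.3.4", "198.51.100.30", "tcp", 443),    # ordinary outbound traffic
        rec("ext", "198.51.100.77", "10.0.1.80", "tcp", 80),    # ordinary inbound web request
    ]
)

if __name__ == "__main__":
    for finding, host in review(SAMPLE):
        print(f"{finding:26} {host}")
```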

If you are reviewing network traffic on a system other than the one being monitored, ensure that the connection between them is secure, as described in Section 2.13.

6.3.6 Policy Considerations

Your organization's networked systems security policy should specify the following:

  • The need for users to be notified that you will monitor network activities

  • Your objectives for monitoring

  • Which data streams will be monitored and for what purposes

  • The responsibilities and authority of system administrators for handling notifications generated by monitoring and logging software

  • What forms of unexpected network behavior users should watch for and the need to report any such behavior to their designated security officials and system administrators

6.3.7 Additional Information

  1. For further UNIX- and NT-specific network monitoring and network data collection guidance, refer to CERT tech tips at the CERT web site, including the Intruder Detection Checklist and Steps for Recovering from a UNIX or NT System Compromise. A list of network-monitoring tools is presented in Section 5.3.15, and Table 5.3.

  2. When possible, analyze and correlate data collected from multiple sources (as described in the other practices of this chapter). Performing some level of correlation analysis during the intrusion detection process, such as determining when suspicious activity occurring in one part of your infrastructure may be related to suspicious activity in another part, will assist you in determining the full extent of any compromise and its characteristics. Refer to Section 7.2 for further guidance.
