- Determining What Constitutes Normal System Behavior
- Why Characterization Is Important
- 1: Document and Verify Characterization Trust Assumptions
- 2: Characterize Typical Network Traffic and Performance
- 3: Characterize the Expected System Configuration and Performance
- 4: Characterize Expected Process and User Behavior
- 5: Characterize Expected File and Directory Information
- 6: Generate an Inventory of System Hardware
- 7: Recognize the Iterative Nature of Data Collection and Characterization
- 8: Protect Characterization Information, Authoritative Reference Data, and Hardware Inventory to Ensure Their Integrity
- 9: Policy Considerations
2: Characterize Typical Network Traffic and Performance
When a system operates, it consumes and produces network traffic. To fully characterize this behavior, it's necessary to know the volume of traffic consumed and produced, correlated with the time of day and the network identity of the consumer or producer. For example, is a large volume of web traffic produced for a network address in a foreign country at 2:00 a.m. considered normal behavior?
Document the procedure to verify that the traffic traversing the organization's networks is as expected and reflects, for example, trusted source and destination addresses as well as legitimate ports and protocols. The types of network traffic information to capture include network performance and other network data described in Table 1 (which appears at the end of this article).
Comparing previous network performance information with current information allows an administrator to determine whether any network performance characteristic is beyond tolerable or acceptable limits.