Network Traffic Analysis in Reverse

Published: 2010-02-13. Last Updated: 2010-02-14 06:32:40 UTC
by Lorna Hutcheson (Version: 1)
1 comment(s)

Most of the time, people focus on what is coming inbound toward their networks.  This is quite understandable as the threat is usually considered outside of our perimeter and trying to come into our networks.  However, looking at traffic in this fashion is sometimes very tedious. There is alot that can get lost in the noise, especially if the analysis is done at the network edge.  There is just so much "background noise" on the internet such as port scans, old malware lingering around, network probes, etc.  There is alot to filter through.

An interesting exercise is do an analysis on your outbound traffic.  Many organizations do not do good egress filtering.  If you have never done this, then do some trend analysis on your egress traffic only.  In all that noise of traffic destined toward your network, what you really want to know is did a system answer?  Do you really know where your internal systems connecting to?  On what ports?  Why?  

I am not saying that you shouldn't watch traffic destined for your network, but you should spend some quality time analyzing the traffic leaving your network.  I would expand this to include traffic flows between your internal systems.  If you have never done this, you might be surprised at what you find.  

 

1 comment(s)

Comments

Good tip. It's surprising the amount of malware that can be caught just by blocking/logging outbound SMTP traffic, for instance.

Diary Archives