Friday, December 30, 2005

Comments on Internal Monitoring

Victor Oppleman, co-author of a great book called Extreme Exploits, is writing a new book. The title is The Secrets to Carrier Class Network Security, and it should be published this summer. Victor asked me to write a chapter on network security monitoring for the new book. Since I do not recycle material, I am working on a chapter with new material. I intend to discuss internal monitoring because I am consulting on such a case now.

Do any of you have stories, comments, suggestions, or other ideas that might make good additions to this chapter? For example, I am considering addressing threat-centric vs. target centric sensor positioning, internal network segmentation to facilitate visibility, tapping trunks, new sorts of taps, sensor clusters, and stealthy internal sensor deployment. Does that give any of you ideas?

Anything submitted will be given credit via an inline name reference like "Bamm Visscher points out that..." or a footnote with your name and a reference to "personal communication" or "blog comment." The chapter is due to Victor next week, so I am not looking for any large contributions. A few paragraphs or even a request to cover a certain topic would be helpful. Thank you.

1 comment:

Sam said...


While this is only vaguely related to your topic of internal monitoring, your post made me think of it so I hope you find it useful in some way.

My organization recently issued a draft requirement for file integrity on all Unix systems and Windows servers. The requirement includes maintaining a read-only baseline of libraries and executables and comparing that baseline at least weekly with fielded systems.

While I think this is a great idea, particularly for an IDS - given the grave consequences of IDS compromise, I wonder about the details. If you have any interest at all in writing about practical implementation of file integrity checking for a group of IDSs - internal or external - I know of at least one place where you could locate an interested audience.