Monday, February 11, 2008

end point network monitoring?

there is an interesting post over at tao sec that talks about running network security monitoring out at the endpoint, mostly to cover blackout periods where mobile devices are on unknown hostile networks...

i think this is a nicely future-focused idea. it is clear that the hard borders of our networks are eroding very quickly with the glut of mobile devices and alternate connection technologies.

on the flip side, i struggle to imagine an org of any decent size that is willing to put together the resources to monitor the network security logs from all their mobile devices on top of their fixed sites. but i guess rather than being negative, i should see that as an opportunity to build better data analysis tools...

1 comment:

Jens "jdm" Meyer said...

This is something I've thought about too. Not sure if the comments were there when you read the article, but part of the solution is host-based IDS, software firewall, etc. all logging to the hard drive for future transmission. Those logs can be tampered with, though.

Maybe an external-facing loghost? I mean, from a malicious user's perspective you could block traffic to there, and that's a risk putting another box on the net...

How about the guy who takes his company laptop on vacation for two weeks? You're right about the inundation of logs. What about the hard drive filling up and becoming unusable? Hmm...
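The local spool the comment describes, with its two failure modes, as an added example that is not from the post or the commenter: a bounded, hash-chained log buffer in Python, where each entry commits to the previous one so an edit or deletion in the middle is detectable, and the oldest entries are dropped once the cap is hit so the disk does not fill. Class and method names and the sample log lines are constructed assumptions; the chain only proves tampering relative to a digest held somewhere the attacker cannot reach, so the latest digest should be sent to the loghost whenever connectivity exists.

```python
import hashlib


class LogSpool:
    """Bounded, hash-chained on-disk log buffer for an offline endpoint (constructed)."""

    def __init__(self, max_entries, anchor="genesis"):
        self.max_entries = max_entries  # cap so the spool cannot fill the disk
        self.anchor = anchor            # digest the first entry chains from
        self.entries = []               # dicts: seq, prev, msg, digest

    @staticmethod
    def _digest(seq, prev, msg):
        return hashlib.sha256(f"{seq}|{prev}|{msg}".encode()).hexdigest()

    def append(self, msg):
        if len(self.entries) >= self.max_entries:
            # Evict the oldest entry but keep its digest as the new anchor,
            # so the remaining chain still verifies end to end.
            self.anchor = self.entries.pop(0)["digest"]
        prev = self.entries[-1]["digest"] if self.entries else self.anchor
        seq = self.entries[-1]["seq"] + 1 if self.entries else 0
        digest = self._digest(seq, prev, msg)
        self.entries.append({"seq": seq, "prev": prev, "msg": msg, "digest": digest})
        return digest  # report this to the loghost when a link is available

    def verify(self):
        """Return (ok, first_bad_seq). Catches edits, reorderings and gaps in the middle;
        truncation of the tail is only caught by comparing against an externally held digest."""
        prev = self.anchor
        for e in self.entries:
            if e["prev"] != prev or e["digest"] != self._digest(e["seq"], e["prev"], e["msg"]):
                return False, e["seq"]
            prev = e["digest"]
        return True, None

    def flush(self):
        """Hand the buffered entries to the uploader and reset, keeping the chain anchor."""
        batch = list(self.entries)
        if batch:
            self.anchor = batch[-1]["digest"]
        self.entries = []
        return batch
```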