Network behavior monitoring as security measure

By Denise Dubie, NetworkWorld.com, 02/07/06

With next week's RSA Conference in San Jose, the talk among several management vendors has turned to security.

As many tout their identity management or security information management (SIM) suites, others are focusing on another area of network management that has been coming to the forefront as a unique defense against the most insidious attacks: network behavior analysis, network anomaly detection systems or network behavior anomaly detection. While the market works on what to call the technology, the technology itself performs traffic monitoring and analysis for security purposes.

Generally speaking, these types of products perform a benchmark of normal traffic behavior and continuously monitor for changes. Then if, for example, a relatively unused host begins to propagate many requests, the anomaly detection system might suspect the host could be falling victim to a worm. Or if enterprise application traffic deemed content-sensitive starts to use Port 80, the port left open on firewalls for Internet traffic, the products could alert that compliance policies could be in the process of being breached.

The products, according to industry watchers, perform multiple IT tasks in the realm of security, compliance and management. In fact, tools for monitoring traffic for potential breaches is becoming a staple in most security managers arsenal. According to Gartner, by the end of 2007, 25% of large enterprises will employ such tools as part of their network security strategy.

Companies such as Arbor Networks, GraniteEdge Networks, Lancope, Mazu Networks and Q1 Labs separately offer products that perform this type of traffic monitoring and behavior analysis of known and unknown threats. Even Cisco's MARS (Monitoring Analysis and Response System) performs network anomaly detection to some degree.

Back to Management Notes

Comments

Post a comment

Name:


E-mail address:


URL:


Comments:


Remember info?