Monitor outbound traffic: Full-packet capture or only capture network flow data?

I’ve read that establishing a full-packet capture system for outbound traffic is the best way to confirm what did or didn’t leave the network in the event of a suspected breach event. What’s the cheapest and most efficient to implement a full-packet capture systemif we don’t have one today and don’t want to invest in new hardware or software?

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at [email protected].

Ask the expert

Have questions about enterprise network security? Ask expert Mike Chapple! (All question submissions are anonymous.)

Unfortunately, it’s impossible to implement full-packet capture without investing in new hardware or software, unless an organization has a lot of storage space sitting around doing nothing.

While it’s certainly true that full-packet capture is the best way to know what happened on a network in the event of a breach, it’s extremely expensive to implement because it requires massive amounts of storage.  For example, if an enterprise has an outbound Internet connection that averages 400 MB over the course of a day, that’s 50 MB of data every second.  At this rate, an enterprise would be consuming more than a gigabyte of storage every minute. Compression can reduce this burden; however, the idea of capturing every byte that crosses a network boundary is simply unreasonable.

An alternative way to monitor outbound traffic  is to capture network flow data instead.  Rather than tracking the actual data passed between systems, this approach captures only high-level meta information about each connection, such as the source and destination IP addresses, ports and the total amount of data passed in either direction.  While this approach wouldn't definitively detail what data has left the network, it would give a general idea of the quantity of data flowing to remote locations without breaking the bank.  Cisco Systems Inc.’s NetFlow technology and Juniper Networks Inc.’s J-Flow feature both provide similar functionality that is likely to already exist within an enterprise network environment.

This was first published in January 2012

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.
    Back to top