Book review: 《网络安全监控实战》 (The Practice of Network Security Monitoring)

Publication date: 2015-4
ISBN: 9787111498658
Author: Richard Bejtlich

A general workflow for network monitoring

We know that security components block threats: the firewall blocks, the IPS blocks, the antivirus blocks, DLP blocks, DRM blocks (the last is only just getting started domestically). Good network security monitoring, by contrast, puts threat identification at its core and lets data analysis drive the work of connecting these components together. Being data-driven naturally means applying data-analysis techniques: how to collect data (including where to place which data-generating tools), how to analyze the data (detection), and how to present the results of the analysis (response). The first step, knowing which data to collect, is the crucial one, and this book tells us which data types it recommends collecting:

(1) Full content data: "all information that passes across a network. We aren't filtering the data to collect only information associated with security alerts. We're not saving application logs. We're making exact copies of the traffic as seen on the wire."

(2) Extracted content data: "refers to high-level data streams, such as files, images, and media, transferred between computers. Unlike with full content data, which includes headers from lower levels of the communication process, with extracted content, we don't worry about MAC addresses, IP addresses, IP protocols, and so on. Instead, if two computers exchange a file, we review the file. If a web server transfers a web page to a browser, we review the web page. And, if an intruder transmits a piece of malware or a worm, we review the malware or worm."

(3) Session data: "a record of the conversation between two network nodes. An NSM tool like Bro (http://www.bro.org/ ) can generate many types of logs based on its inspection of network traffic."

(4) Transaction data: "Transaction data is similar to session data, except that it focuses on understanding the requests and replies exchanged between two network devices."

(5) Statistical data: "describes the traffic resulting from various aspects of an activity."

(6) Metadata.

(7) Alert data: "Alert data reflects whether traffic triggers an alert in an NSM tool. An intrusion detection system (IDS) is one source of alert data."
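To show how three of these data types relate in practice, here is an added example (not code from the book or from this review) that takes session data, derives statistical data from it, and produces alert data with a simple threshold rule. The tab-separated record layout is a simplified, assumed format in the spirit of a Bro/Zeek conn.log, not the real Zeek schema; the sample records, the thresholds and the function names are all constructed for this illustration.

```python
"""Added example: session data -> statistical data -> alert data.

The record layout, sample values and thresholds below are assumptions made
for this illustration; they are not the book's data or a real Zeek schema.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed session data (assumed layout):
# ts  src_ip  src_port  dst_ip  dst_port  proto  orig_bytes  resp_bytes
SESSION_LOG = """\
1700000001.1\t10.0.0.5\t51000\t93.184.216.34\t443\ttcp\t1200\t45000
1700000002.3\t10.0.0.5\t51001\t93.184.216.34\t443\ttcp\t900\t32000
1700000003.0\t10.0.0.9\t40000\t10.0.0.1\t53\tudp\t70\t140
1700000004.2\t10.0.0.9\t40001\t10.0.0.1\t53\tudp\t70\t140
1700000005.5\t10.0.0.9\t40002\t10.0.0.1\t53\tudp\t70\t140
1700000006.0\t10.0.0.9\t40003\t10.0.0.1\t53\tudp\t70\t140
1700000007.8\t10.0.0.9\t40004\t10.0.0.1\t53\tudp\t70\t140
1700000008.1\t10.0.0.5\t51002\t198.51.100.7\t22\ttcp\t5000000\t2000
"""


@dataclass
class Session:
    """One session record: the conversation between two network nodes."""
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    orig_bytes: int
    resp_bytes: int


def parse_sessions(text):
    """Parse tab-separated session records; reject malformed lines loudly."""
    sessions = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) != 8:
            raise ValueError(f"malformed session record: {line!r}")
        sessions.append(Session(float(f[0]), f[1], int(f[2]), f[3],
                                int(f[4]), f[5], int(f[6]), int(f[7])))
    return sessions


def summarize(sessions):
    """Statistical data: per source host, connection count and byte totals."""
    stats = defaultdict(lambda: {"connections": 0, "bytes_out": 0,
                                 "bytes_in": 0, "dst_ports": set()})
    for s in sessions:
        e = stats[s.src_ip]
        e["connections"] += 1
        e["bytes_out"] += s.orig_bytes
        e["bytes_in"] += s.resp_bytes
        e["dst_ports"].add(s.dst_port)
    return dict(stats)


def generate_alerts(stats, max_bytes_out=1_000_000, max_connections=5):
    """Alert data: hosts whose statistics cross an assumed threshold."""
    alerts = []
    for host, e in sorted(stats.items()):
        if e["bytes_out"] > max_bytes_out:
            alerts.append((host, "large_outbound_volume", e["bytes_out"]))
        if e["connections"] >= max_connections:
            alerts.append((host, "high_connection_count", e["connections"]))
    return alerts


if __name__ == "__main__":
    stats = summarize(parse_sessions(SESSION_LOG))
    for host, e in sorted(stats.items()):
        print(host, e["connections"], e["bytes_out"], e["bytes_in"])
    for alert in generate_alerts(stats):
        print("ALERT", *alert)
```

The thresholds are deliberately crude; the point is that an alert is only as good as the session and statistical data beneath it, which is why the book treats deciding what to collect as the first step.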

