Chapter 3. Know Your Network

Imagine going to battle without an understanding of the terrain, roads, buildings, weather, or even your own fighting force’s tactics and capabilities. This is the situation faced by many information security professionals when they initially attempt to monitor their network environment. Knowing your network is akin to understanding your military capabilities, strengths, and weaknesses when preparing for an enemy attack. In information security, the enemy will change tactics continually, but you have a “home field advantage” because the battleground is your network. History proves that blindly charging into or defending the unknown will almost certainly end in defeat.

One of the best ways to express this concept comes from Richard Bejtlich, information security professional and author of The Tao of Network Security Monitoring. In a January 2007 post on his blog,[13] Bejtlich describes the “Self-Defeating Network” as having the following characteristics:

  • Unknown

  • Unmonitored

  • Uncontrolled

  • Unmanned

  • Trusted

Although you may not have control of or influence over these characteristics, you must make every effort to Know Your Network! Doing so will help you succeed in most of your security-related endeavors. In this chapter, we will explore two primary methods of learning about a network: network taxonomy and network telemetry.

Network Taxonomy

Imagine you receive a report from your monitoring staff that “IP address 10.10.10.20 was seen performing a buffer overflow attack ...
