How helpful is the centralized logging of network flow data?

Ask the Expert

My organization is implementing centralized network flow logging. To what extent will better knowledge of network utilization help our security posture, and what are some common pitfalls to look out for?

Centralized logging of network flow data is an extremely valuable mechanism for both security and network professionals. Logging provides a single, authoritative record of all connections between a network's systems, including the amount of data that passes over each connection.

These records can help security professionals when responding to an incident. During an attack, for example, flow data can show how much data left the network and to where, even though it does not capture the content of that data. Logged flow data can also help identify systems infected with malicious code, because such systems typically initiate connections to destinations that a healthy host would never contact. Networking professionals can use the same data to troubleshoot network anomalies and analyze bandwidth utilization. I strongly recommend network flow logging as part of a well-rounded security program.

Two common pitfalls come to mind, though: user privacy and storage capacity. Many organizations logging flow data don't think about privacy concerns because they're only retaining connection-level data and not logging packet payloads. The destination IP addresses in outbound connections, however, may also contain sensitive personal information about, say, the Web sites visited by a user. Depending upon your organization's privacy policy, this may be a significant concern.

Additionally, in a large enterprise, flow data may quickly consume large quantities of storage space. You'll need to estimate your storage needs and develop a retention policy that balances business needs with the technical capabilities of the system.
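The two uses described above (sizing possible data extraction per host and spotting hosts that talk to destinations they should not, together with the storage estimate the retention policy depends on) can be worked through on flow records directly. The following is an added example, not code from the original answer or from any flow-collection product; the flow records, the internal address range, the byte threshold, the blocklist entry and the per-record size are all constructed values chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample flow records in a simplified NetFlow-like text form:
# timestamp src dst dport proto bytes_out bytes_in. Not real traffic.
FLOW_LOG = """\
2008-02-01T09:00:01 10.0.1.15 203.0.113.7 443 tcp 1200 8400
2008-02-01T09:00:05 10.0.1.15 203.0.113.7 443 tcp 900 15000
2008-02-01T09:01:10 10.0.2.40 198.51.100.9 443 tcp 250000000 4000
2008-02-01T09:05:10 10.0.2.40 198.51.100.9 443 tcp 180000000 3900
2008-02-01T09:06:00 10.0.3.8 192.0.2.66 8080 tcp 600 700
2008-02-01T09:07:00 10.0.1.15 10.0.5.5 445 tcp 50000000 2000
"""

# Assumed internal address space; adjust to the organization's own ranges.
INTERNAL = ip_network("10.0.0.0/8")


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int
    bytes_in: int


def parse_flows(text):
    """Parse the whitespace-separated flow log into Flow records."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, b_out, b_in = line.split()
        flows.append(Flow(ts, src, dst, int(dport), proto, int(b_out), int(b_in)))
    return flows


def outbound_bytes_per_host(flows):
    """Sum bytes each internal host sent to external destinations.

    Internal-to-internal flows are excluded: they matter for lateral
    movement analysis but do not represent data leaving the network.
    """
    totals = defaultdict(int)
    for f in flows:
        if ip_address(f.src) in INTERNAL and ip_address(f.dst) not in INTERNAL:
            totals[f.src] += f.bytes_out
    return dict(totals)


def flag_exfiltration(flows, threshold_bytes):
    """Return internal hosts whose external upload volume exceeds a baseline."""
    return sorted(h for h, b in outbound_bytes_per_host(flows).items()
                  if b > threshold_bytes)


def hosts_contacting(flows, blocklist):
    """Return internal hosts that initiated a flow to any blocklisted address."""
    bad = {ip_address(b) for b in blocklist}
    return sorted({f.src for f in flows if ip_address(f.dst) in bad})


def storage_estimate_gib(flows_per_second, bytes_per_record, retention_days):
    """Rough on-disk size (GiB) of a flow archive for the given retention."""
    return flows_per_second * bytes_per_record * 86400 * retention_days / 2**30


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    print("outbound bytes:", outbound_bytes_per_host(flows))
    print("over 100 MB out:", flag_exfiltration(flows, 100_000_000))
    # 192.0.2.66 stands in for a known-bad destination; placeholder value.
    print("contacted blocklist:", hosts_contacting(flows, ["192.0.2.66"]))
    print("90-day archive at 20k flows/s, 50 B each: %.0f GiB"
          % storage_estimate_gib(20_000, 50, 90))
```

The byte threshold and the blocklist are the two inputs a team has to maintain: the threshold should come from a per-host or per-role baseline rather than a single fixed number, and the storage function makes the retention trade-off concrete before the collector fills its disk.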

More information:

  • Fellow expert Joel Dubin explains some challenges that occur when designing a logging mechanism for peer-to-peer networks.
  • Myriad devices produce waves of logs. See how to get all that network data under control.

This was first published in February 2008.