Problem solve Get help with specific problems with your technologies, process and projects.

Policy considerations

Understand all the characteristics of your network before you establish a security policy.

The best way to establish a security policy is to first understand all the characteristics of your network. In...

this article from InformIT, security specialists Julia Allen and Lawrence Rogers, list the different types of characterization data you should collect to help understand your network and build your security policy.

The organization's networked systems security policy should require that administrators create an accurate, reliable, and complete characterization of systems at the following times, determining that the characterization of normal, expected behavior needs to change:

  • When systems are first created
  • At well-defined events, including modifying, adding, and replacing elements of systems

Table 1 lists the categories and types of information to capture to establish characterization for your system.


Data Categories and Candidate Types of Characterization Data to Collect
Data Category Types of Data to Collect
Network performance
  • Total traffic load in and out over time (packet, byte, and connection counts) and by event (such as new product or service release)
  • Traffic load (percentage of packets, bytes, connections) in and out over time, sorted by protocol, source address, destination address, other packet header data
  • Error counts on all network interfaces Other network data
  • Service initiation requests
  • Name of the user or host requesting the service
  • Network traffic (packet headers)
  • Successful connections and connection attempts (protocol, port, source, destination, time)
  • Connection duration
  • Connection flow (sequence of packets from initiation to termination)
  • States associated with network interfaces (up, down)
  • Network sockets currently open
  • Whether a network interface card is in promiscuous mode
  • Network probes and scans
  • Results of administrator probes
System performance
  • Total resource use over time (CPU, memory [used, free], disk [used, free])
  • Status and errors reported by systems and hardware devices
  • Changes in system status, including shutdowns and restarts
  • File system status (where mounted, free space by partition, open files, biggest file) over time and at specific times
  • File system warnings (low free space, too many open files, file exceeding allocated size)
  • Disk counters (input/output, queue lengths) over time and at specific times
  • Hardware availability (modems, network interface cards, memory)
Other system data
  • Actions requiring special privileges
  • Successful and failed logins
  • Modem activities
  • Presence of new services and devices
  • Configuration of resources and devices
  • System call data
Process performance
  • Amount of resources used (CPU, memory, disk, time) by specific processes over time; top "x" resource-consuming processes
  • System and user processes and services executing at any given time
Other process data
  • User executing the process
  • Process startup time, arguments, filenames
  • Process exit status, time, duration, resources consumed
  • Means by which each process is normally initiated (administrator, other users, other programs or processes), with what authorization and privileges
  • Devices used by specific processes
  • Files currently open by specific processes
Files and directories
  • List of files, directories, attributes
  • Cryptographic checksums for all files and directories
  • Accesses (open, create, modify, execute, delete), time, date
  • Changes to sizes, contents, protections, types, locations
  • Changes to access control lists on system tools
  • Additions and deletions of files and directories
  • Results of virus scans
  • Login/logout information (location, time): successful attempts, failed attempts, attempted logins to privileged accounts
  • Login/logout information on remote access servers that appears in modem logs
  • Changes in user identity
  • Changes in authentication status, such as enabling privileges
  • Failed attempts to access restricted information (such as password files)
  • Keystroke monitoring logs
  • Violations of user quotas
  • Application-specific and services-specific information such as network traffic (packet content), mail logs, FTP logs, web server
  • Logs: Modem logs, firewall logs, SNMP logs, DNS logs, intrusion-detection system logs, database management system logs
  • Services-specific information could include FTP requests (files transferred and connection statistics); web requests (pages accessed, credentials of the requestor, connection statistics, user requests over time, which pages are most requested, and who is requesting them); mail requests (sender, receiver, size, and tracing information; for a mail server, number of messages over time, number of queued messages); DNS requests (questions, answers, zone transfers); for a filesystem server, file transfers over time; for a database server, transactions over time
Log files
  • Results of scanning, filtering, and reducing log file contents
  • Checks for log file consistency (increasing file size over time; use of consecutive, increasing time stamps with no gaps)
  • Results of vulnerability scans (presence of known vulnerabilities)
  • Vulnerability patch logging

To read about the details of these network characteristics click over to InformIT to read the rest of the article. Registration is required, but it's free.

This was last published in May 2002

Dig Deeper on Microsoft Windows Data Backup and Protection

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.