Back in December, it really doesn't feel that long ago, I talked about how I was prepping for a project. The end goal is to brush up on Network Security Monitoring (NSM) and use it to better monitor my home network. I occasionally check the logs but think I would be more active if I had a centralized tool to help. Right now, I have a log of blocked domain alerts in my pfSense firewall's pfBlockerNG reports screen. Most of the entries are tracking-related domains that the Pi-hole isn't blocking and that are getting to the second block list on the firewall.

Note: I say my home network, not my home lab. As I said in the past, I no longer maintain a home lab due to cost and space. I have parts of my network isolated, but I wouldn't call that a lab.

My thoughts and notes walking the Foreword:

I did like that in the Foreword Mike Poor pointed out right up front the NSM cycle of collect, detect, and analyze. Poor points out that the last step, analysis, is often skipped. I also liked the point he made about reviewing logs. Logs should be reviewed for three reasons; at least, I copied three reasons down in my notes. The first is that the logs hold the data you're looking for about breaches: they come from the systems that will be interacted with by a threat (actor or group). The second is about efficiency: smaller log size while having better network communications, and containing operational expense. The third one gives an idea of the possible attack surface based on actual usage. Each could be their own blog post, but all three tie directly to cyber security.

Poor said to start with what you know in the logs. Understand what they are doing, and if they are things you don't care about, tune them out and look at the rest. For an example of "known and didn't care about": at a previous job, I was collecting the logs on my network switches. I didn't care that the switch ports were going up and down, as long as the MAC address wasn't changing.

The expectation is set at the beginning: "prevention eventually fails." This phrase is something that I've believed my whole career in security. Whatever controls are put in place to make the system less vulnerable, at some point, someone will come along and be skilled enough to get past the controls.

The book does have some base knowledge that is required: TCP/IP networking, packet analysis, attack techniques. Some of the books listed in the preface for reference were really good. I'm a fan of Counter Hack Reloaded by Ed Skoudis and Tom Liston. I'm also a fan of Chris Sanders' book Practical Packet Analysis. Smith brought back up the concept and approach of NSM's three primary sections.

One thing I'm disappointed about, and I do go on a soapbox occasionally, is IP addresses in written text. In Applied Network Security Monitoring's case, the IP addresses are randomized in the book and screenshots. I'd much rather see better adoption of RFC 5737, which contains three netblocks for use in documentation. Even though the addresses are randomized to protect real systems, I feel more of us in the industry, when writing, need to use the three TEST-NET blocks.
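Poor's advice (start with what you know, tune out what you don't care about, and look at the rest) and the switch-port example above, worked through as an added Python example; this is not code from the book or from this post. The log line format "<switch-ip> TYPE: message" is a hypothetical one chosen for the example and every sample line is constructed. The addresses in the samples are taken from the three RFC 5737 TEST-NET blocks (192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24), which is the practice argued for at the end of the post, and the block checks its own samples against those blocks.

```python
"""Switch syslog triage: tune out link flaps, alert on a per-port MAC change,
and keep anything unrecognised for human review.

Added example, not code from the book or the blog post. The line format
"<switch-ip> TYPE: message" is hypothetical and all sample lines are
constructed; every address is from the RFC 5737 documentation blocks.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# RFC 5737 documentation netblocks (TEST-NET-1, -2, -3).
TEST_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def is_documentation_address(addr: str) -> bool:
    """True if addr lies inside one of the RFC 5737 netblocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TEST_NETS)


# Constructed sample lines in the hypothetical "<switch-ip> TYPE: message" form.
# Port 7 flaps several times with the same MAC, then a different MAC shows up.
SAMPLE_LOGS = [
    "192.0.2.10 LINK: port 7 down",
    "192.0.2.10 LINK: port 7 up",
    "192.0.2.10 MAC: port 7 learned 00:11:22:33:44:55",
    "192.0.2.10 LINK: port 7 down",
    "192.0.2.10 LINK: port 7 up",
    "192.0.2.10 MAC: port 7 learned 00:11:22:33:44:55",
    "198.51.100.20 MAC: port 3 learned AA:BB:CC:DD:EE:01",
    "192.0.2.10 LINK: port 7 down",
    "192.0.2.10 LINK: port 7 up",
    "192.0.2.10 MAC: port 7 learned DE:AD:BE:EF:00:01",
    "192.0.2.10 LINK: port 7 down",
    "198.51.100.20 AUTH: login failure for admin from 203.0.113.5",
]

LINK_RE = re.compile(r"^(?P<host>\S+) LINK: port (?P<port>\d+) (?P<state>up|down)$")
MAC_RE = re.compile(r"^(?P<host>\S+) MAC: port (?P<port>\d+) learned (?P<mac>[0-9A-Fa-f:]{17})$")


def triage(lines: List[str]) -> dict:
    """Single pass over the log. Link up/down events are known and tuned out,
    a MAC change on a (switch, port) pair becomes an alert, and any line the
    rules do not recognise is kept for review instead of being dropped."""
    last_mac: Dict[Tuple[str, str], str] = {}
    result = {"alerts": [], "review": [], "link_events_ignored": 0, "ports_baselined": 0}
    for line in lines:
        m = LINK_RE.match(line)
        if m:
            result["link_events_ignored"] += 1  # known, and not cared about
            continue
        m = MAC_RE.match(line)
        if m:
            key = (m["host"], m["port"])
            mac = m["mac"].lower()  # normalise case before comparing
            prev = last_mac.get(key)
            if prev is None:
                last_mac[key] = mac  # first sighting on this port: baseline it
                result["ports_baselined"] += 1
            elif prev != mac:
                result["alerts"].append({"host": key[0], "port": key[1], "old": prev, "new": mac})
                last_mac[key] = mac
            continue
        result["review"].append(line)  # "look at the rest"
    return result


def sample_addresses_are_documentation_safe(lines: List[str] = SAMPLE_LOGS) -> bool:
    """Check that every IPv4 literal in the sample text sits in a TEST-NET block."""
    ipv4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
    return all(is_documentation_address(a) for line in lines for a in ipv4.findall(line))


if __name__ == "__main__":
    r = triage(SAMPLE_LOGS)
    print(f"ignored {r['link_events_ignored']} link events, baselined {r['ports_baselined']} ports")
    for a in r["alerts"]:
        print(f"ALERT {a['host']} port {a['port']}: MAC {a['old']} -> {a['new']}")
    for line in r["review"]:
        print(f"REVIEW {line}")
```

The one-MAC-per-port assumption is only reasonable for access ports; an uplink, trunk, or a port with a downstream hub or phone will legitimately show several MACs, so those ports would need an allowlist or a per-port set rather than a single baseline value. The unrecognised AUTH line is deliberately not matched by any rule: it lands in the review bucket, which is the point of tuning out the known noise in the first place.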