
I have a small business network consisting of ca. 15 devices, a few switches and two routers. Recently it occurred to me that all the security measures I have been taking are not very productive: I either block some ports (or, to be more specific, all ports except a few) or monitor retroactively what is happening in the network.

For example, I have a NAS device which normally does not have any communication with the Internet. I'm the only one who logs into it (which I could also confirm from the server logs). However, using the traffic monitoring tools in my Ubiquiti EdgeRouter Lite I could see that the device had SSL communication with something/someone somewhere. Because I do not have any permanent traffic sniffing, I have no idea or way to find out why or with whom this happened.

Is there a solution doable for a small business to handle this kind of situation better, e.g. setting some usual behavior patterns for network devices, monitoring them, and creating alerts when the observed behavior deviates from the assumed usual patterns? For example, I would like to specify that if the server at 192.168.199.100 communicates with any device on the Internet, I should receive an email, or if the server at 192.168.199.101 uses any protocol except FTP with a server outside of a specific country, it should be blocked from communicating with the Internet.

simon

1 Answer


I think it is doable for a small business provided someone can spend a chunk of time setting up a free tool with the rules you need for your environment (I'm thinking of Snort). I see that you are a developer from your reputation on SO, so I assume there is someone who can do that. It is just a matter of spending the time getting the tool in place and writing the rules (and keeping them updated and responding to alerts).

That said, Snort will do exactly what you want. It has real-time alerting that can send emails and block unwanted traffic. Snort rulesets are often the basis for other Intrusion Detection / Prevention systems.

A good example of the work you might be doing is revealed in these questions: https://serverfault.com/questions/255843/custom-rules-for-snort

https://serverfault.com/questions/703559/how-can-i-put-snort-in-front-of-nginx-server

https://superuser.com/questions/930742/are-these-snort-rules-redundant

mcgyver5
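As an added illustration (not part of the answer above), here is what the two policies from the question look like as Snort 2 rules. It assumes `$HOME_NET` and `$EXTERNAL_NET` are already defined in snort.conf for the LAN and everything outside it, and the `NAS_SERVER` / `FTP_SERVER` variable names and SIDs are my own choices.

```snort
# Constructed example rules; address variables are assumptions, not from the question.
ipvar NAS_SERVER  [192.168.199.100]
ipvar FTP_SERVER  [192.168.199.101]

# Policy 1: the NAS should never initiate traffic to the Internet.
# Matching any IP protocol catches the unexplained TLS session as well as DNS, NTP, etc.
alert ip $NAS_SERVER any -> $EXTERNAL_NET any ( \
    msg:"POLICY NAS 192.168.199.100 contacted an external host"; \
    classtype:policy-violation; sid:1000001; rev:1; )

# Policy 2: the second server may use only FTP (control channel, TCP/21) externally.
# Everything else outbound from it is flagged. In inline mode (snort -Q) change
# "alert" to "drop" to enforce the block instead of only reporting it.
alert tcp $FTP_SERVER any -> $EXTERNAL_NET !21 ( \
    msg:"POLICY 192.168.199.101 non-FTP TCP session to external host"; \
    flow:to_server,established; \
    classtype:policy-violation; sid:1000002; rev:1; )

alert udp $FTP_SERVER any -> $EXTERNAL_NET any ( \
    msg:"POLICY 192.168.199.101 UDP traffic to external host"; \
    classtype:policy-violation; sid:1000003; rev:1; )

# Caveat: passive-mode FTP opens data connections on high ports, so rule 1000002 will
# also fire on legitimate passive transfers unless the FTP preprocessor is enabled to
# track them. Country restrictions are not expressible in a plain rule either: Snort
# matches on addresses and ports, so a per-country policy needs an address list (e.g.
# derived from a GeoIP database) loaded into an ipvar and used in place of $EXTERNAL_NET.
```

Snort writes these alerts to its configured outputs (syslog, unified2); turning an alert into an email is done by whatever alert handler reads that output, not by the rule itself.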