I have a small business network consisting of ca. 15 devices, a few switches and two routers. Recently it occurred to me that all the security measures I have been doing are not very productive: I either block some ports (or to be more specific, all ports except a few) or monitor retroactively what is happening in the network.
For example, I have a NAS device which normally does not have any communication with the Internet. I'm the only one who logs into it (which I could also confirm from the server logs). However, using the traffic monitoring tools in my Ubiquiti EdgeRouter Lite I could see that the device had SSL communication with something/someone somewhere. Because I do not have any permanent traffic sniffing, I have no idea or way to find out why or with whom this happened.
Is there a solution doable for a small business to handle this kind of situation better, e.g. setting some usual behavior patterns for network devices, monitoring them, and creating alerts when the observed behavior deviates from the assumed usual patterns? For example, I would like to specify that if the server at 192.168.199.100 communicates with any device on the Internet, I should receive an email, or if the server at 192.168.199.101 uses any protocol except FTP with a server outside of a specific country it should be blocked from communicating with the Internet.
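As an added illustration of the per-host baseline rules described in the question (this is example code, not part of the original post or of any Ubiquiti product): a small rule engine that evaluates exported flow records against the two policies named above and reports which flows deviate. The flow records, the GeoIP table and the "allowed country" (FI) are constructed placeholders; a real deployment would feed it NetFlow/IPFIX exports from the router and a real GeoIP database.

```python
"""Rule-based network flow monitoring (added example, not from the original post).

Assumes the router exports flow records with source, destination, destination
port and transport protocol. The GEOIP table below is a constructed stand-in
for a real GeoIP database; all addresses and rules are placeholders.
"""
import ipaddress
from dataclasses import dataclass

# The LAN from the question; anything outside it is treated as "the Internet".
LAN = ipaddress.ip_network("192.168.199.0/24")

# Constructed stand-in for a GeoIP database: destination prefix -> country code.
GEOIP = {
    ipaddress.ip_network("203.0.113.0/24"): "FI",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}

FTP_PORTS = {20, 21}          # control and active-mode data ports
ALLOWED_COUNTRY = "FI"        # placeholder for "the specific country" in the question


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str  # "tcp" or "udp"


def country_of(ip: str) -> str:
    """Look up the country of an address; '??' when the table has no match."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return "??"


def is_external(ip: str) -> bool:
    """True when the address is not on the local LAN."""
    return ipaddress.ip_address(ip) not in LAN


# Each rule inspects one flow and returns an action ("alert" / "block") or None.
def rule_nas_no_internet(flow: Flow):
    # 192.168.199.100 should never talk to the Internet: any such flow is an alert
    # (the caller would turn this into the e-mail the question asks for).
    if flow.src == "192.168.199.100" and is_external(flow.dst):
        return "alert"
    return None


def rule_ftp_only_abroad(flow: Flow):
    # 192.168.199.101 may use only FTP with servers outside ALLOWED_COUNTRY.
    if flow.src != "192.168.199.101" or not is_external(flow.dst):
        return None
    if flow.proto == "tcp" and flow.dst_port in FTP_PORTS:
        return None
    if country_of(flow.dst) != ALLOWED_COUNTRY:
        return "block"
    return None


RULES = [rule_nas_no_internet, rule_ftp_only_abroad]


def evaluate(flows):
    """Return a list of (flow, action) for every flow that deviates from the baseline."""
    findings = []
    for flow in flows:
        for rule in RULES:
            action = rule(flow)
            if action:
                findings.append((flow, action))
    return findings


# Constructed sample flows: an HTTPS connection from the NAS (the surprise in the
# question), normal LAN traffic, FTP abroad, HTTPS abroad and HTTPS to the allowed country.
SAMPLE_FLOWS = [
    Flow("192.168.199.100", "203.0.113.10", 443, "tcp"),
    Flow("192.168.199.100", "192.168.199.5", 445, "tcp"),
    Flow("192.168.199.101", "198.51.100.7", 21, "tcp"),
    Flow("192.168.199.101", "198.51.100.7", 443, "tcp"),
    Flow("192.168.199.101", "203.0.113.20", 443, "tcp"),
]

if __name__ == "__main__":
    for flow, action in evaluate(SAMPLE_FLOWS):
        print(f"{action.upper():5} {flow.src} -> {flow.dst}:{flow.dst_port}/{flow.proto}")
```

Only the NAS HTTPS flow and the non-FTP flow to the US host are reported; the "alert" action is where an e-mail hook (for example via smtplib) would be attached, and the "block" action is where a firewall rule would be pushed to the router.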