Friday, February 27, 2009

Alice heads West

We have a series of meetings scheduled next week in Dublin, so I will likely be talk, talk, talking instead of write, write, writing. (Well, truthfully it should be list, list, listening...but there we are.)

The second tip in the series of "How to survive a network attack" comes to you today from the OCLC security team:

Have visibility into the problem.

A key to identifying and recovering from a denial of service condition is being able to quickly and accurately determine its causes. Here are some utilities that you will want to configure in advance, in order to properly prepare for an attack:

* Web server logging: Web server logs are often the best source of information for determining the source of the attack, since they usually contain the client IP address.

* Network connection data: If your network devices don’t already log basic information about all network traffic, you may want to deploy a network auditing tool such as Argus. Argus logs contain the time, source IP address, destination IP address, and traffic characteristics such as protocol and port for the traffic that Argus is inspecting.

* Intrusion detection: Early detection of the problem is critical. Intrusion detection systems like Snort can be configured to send you alerts in the event of behavior that has the characteristics of an attack.

* Log analysis tools: Regardless of the type of logs, you’ll need to search and analyze them quickly. You may want to have a system with a utility like Splunk ready to go before a problem hits.
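As an added example (not from the OCLC team or the original post), here is a small Python triage script that applies the first tip: it parses web server access-log lines in the common "combined" format, counts requests per client IP per minute, and reports the sources whose peak one-minute rate reaches a threshold. The log lines and the threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: the client IP is the first field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, minute_bucket, request) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts.replace(second=0), m.group("req")

def top_sources(lines, per_minute_threshold):
    """Count requests per (client IP, minute) and report the IPs whose peak
    one-minute request count meets the threshold, busiest first."""
    per_ip_minute = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip garbage rather than abort the triage
        ip, minute, _ = parsed
        per_ip_minute[(ip, minute)] += 1
    peak = defaultdict(int)
    for (ip, _minute), n in per_ip_minute.items():
        peak[ip] = max(peak[ip], n)
    flagged = [(ip, n) for ip, n in peak.items() if n >= per_minute_threshold]
    return sorted(flagged, key=lambda x: (-x[1], x[0]))

# Constructed sample: one client hammering /search (30 hits in one minute),
# two normal clients, and one line of noise that should be ignored.
SAMPLE_LOG = (
    [f'203.0.113.7 - - [27/Feb/2009:10:15:{s:02d} +0000] "GET /search?q=x HTTP/1.1" 200 512'
     for s in range(0, 60, 2)]
    + ['198.51.100.4 - - [27/Feb/2009:10:15:05 +0000] "GET / HTTP/1.1" 200 2048',
       '198.51.100.9 - - [27/Feb/2009:10:16:41 +0000] "GET /about HTTP/1.1" 200 1024',
       'this line is not a log entry']
)

if __name__ == "__main__":
    for ip, n in top_sources(SAMPLE_LOG, per_minute_threshold=20):
        print(f"{ip}: peak {n} requests/minute")
```

In practice you would feed it the real access log (for example `sys.stdin`) and tune the threshold to your normal per-client traffic, since a single source far above that baseline is the first thing to look at when the service degrades.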

Wow, with names like Argus, Snort and Splunk, you'll be more secure in no time.
