Performance analysis of network based forensic systems for in-line and out-of-line detection and logging.
Graves, Jamie; Buchanan, William J; Saliou, Lionel; Old, L John
Prof Bill Buchanan B.Buchanan@napier.ac.uk
L John Old
Network based forensic investigations often rely on data provided by properly configured network- based devices. The logs from interconnected devices such as routers, servers and Intrusion Detection Systems (IDSs) can yield important information, which can be used during an investigation to piece together the events of a security incident. A device, such as a router, which performs its intended duties as well as logging tasks, can be defined as having in-line logging capabilities. A system that only performs these duties, such as an IDS, can be described as an out-of-line logging system.
The usefulness of these logs, though, must be compared against the impact that they have on the systems that produce them. It is thus possible to introduce a detrimental burden on inline devices. This can thus reduce the capability of the device to provide core functionality, and, the extra evidence generated could place an increased burden on the forensic investigator. Therefore, when configuring network devices, the security practitioner is the key to producing a careful balance between security, performance and generated data volume.
This paper outlines an intensive experiment to compare and contrast different logging schemes. These tests are placed within the scenario of a forensic investigation, which involves extensive data logging and analysis. The metrics compare CPU utilisation, bandwidth usage, memory buffers, usefulness of these records to the investigation, and so on. The two logging systems examined are the Cisco 20x series based routers, for in-line logging capabilities with Syslog, and the IDS Snort for out-of-line logging. This work provides an empirical perspective by plotting the footprint that this logging scheme has on the core network infrastructure, thus providing a proposed optimal logging approach for a network, along with the comparative merits of in-line and out-of-line auditing systems.
Graves, J., Buchanan, W. J., Saliou, L., & Old, L. J. (2006). Performance analysis of network based forensic systems for in-line and out-of-line detection and logging.
|Conference Name||5th European Conference on Information Warfare and Security (ECIW)|
|Start Date||Jun 1, 2006|
|End Date||Jun 2, 2006|
|Publication Date||Jun 1, 2006|
|Deposit Date||Jul 22, 2008|
|Publicly Available Date||Jul 22, 2008|
|Peer Reviewed||Peer Reviewed|
|Keywords||Logging; Digital forensics; Network management; Network performance; Intrusion detection;|
Publisher Licence URL
You might also like
Agent-based forensic investigations with an integrated framework.
Novel Framework for Automated Security Abstraction, Modelling, Implementation and Verification
Analysis of Firewall Performance Variation to Identify the Limits of Automated Network Reconfigurations.
Scenario Analysis using Out-of-line Firewall Evaluation Framework.