Traffic Profiling

Philipp E. Letschert phil at uni-koblenz.de
Fri Feb 2 07:06:24 EST 2007


On Thu, Feb 01, 2007 at 11:29:15AM -0700, twebster at blackhillscorp.com wrote:
> I am currently in the process of an internal firewall implementation.  I 
> will be implementing firewalls on all of our internal server networks.  I 
> find the most difficult part of this project is simple "data management".  
> How do I easily create server/port documentation so that I can correctly 
> write firewall rules for each and every server.   I need to know 
> source/destination ip address and destination port/protocol for every 
> server.  Since we do not currently have one central repository documenting 
> every server, I am going to need to perform network reconnaissance and 
> traffic analysis on each network.
> 
> To begin this process, I intend to use our current Argus archive to 
> profile traffic to/from our server network.  I need to develop a method to 
> query Argus for each individual IP address that is currently in use and 
> document the port/protocol utilization for each address. 
> 
> Now, we are using Argus 3.0 and I have written several useful queries that 
> give me the information I need, e.g. saddr, daddr, dport, bytes.  The 
> problem I face, is how do I make this "easier".  Do I need to script and 
> automate some of these queries?  Should I export this data into a database 
> for other types of queries? 

You will need some additional scripting to generate a helpful result on the
port and destination usage of individual addresses. A database might be helpful,
but is not neccessarily needed.

> 1.  Knowing that others have used Argus to profile networks, what methods 
> work?  Did you develop any scripts to automate the process?

I guess most users have developed some scripts for working with their data,
but these are most-likely for very specific purposes. I'm afraid you have to
create on your own. But this is an interesting topic for me, unfortunately
I dont have a ready to use script yet...

> 2.  Are there current methods for importing Argus results into a database? 

None, that I know of, I'm thinking on database support for the ArgusEye GUI,
but this is somewhere in the future...

> 3. Also, is xml an option, does raxml still exist for Argus 3.

XML is not very useful for large data sets, this is probably the reason
why raxml dropped from 3.x?

> 4.  Any additional suggestions how to go about managing the documentation 
> and organization of this data?

One important suggestion:

Automatically generating firewall rules from existing traffic is always a
*bad* idea. If your purpose is getting things working, just set your rules
on allow all. If your purpose is security there is no other way, as evaluating
each host (or maybe ranges of hosts with same usage e.g. workstations)
manually. From the recorded traffic you can then check if your rules work (e.g.
no traffic occurs that is not allowed) but not the other way round.

But of course an automatically generated list can help you in evaluating
if and *why* certain traffic is needed for a specific host.


Regards, Philipp



More information about the argus mailing list