Graves, Jamie, Buchanan, William J, Saliou, Lionel and Old, L John (2006) Performance analysis of network based forensic systems for in-line and out-of-line detection and logging. In: 5th European Conference on Information Warfare and Security (ECIW), 1st-2nd June 2006, National Defense College, Helsinki, Finland.
Available under License Creative Commons Attribution Non-commercial.
Network based forensic investigations often rely on data provided by properly configured network- based devices. The logs from interconnected devices such as routers, servers and Intrusion Detection Systems (IDSs) can yield important information, which can be used during an investigation to piece together the events of a security incident. A device, such as a router, which performs its intended duties as well as logging tasks, can be defined as having in-line logging capabilities. A system that only performs these duties, such as an IDS, can be described as an out-of-line logging system.
The usefulness of these logs, though, must be compared against the impact that they have on the systems that produce them. It is thus possible to introduce a detrimental burden on inline devices. This can thus reduce the capability of the device to provide core functionality, and, the extra evidence generated could place an increased burden on the forensic investigator. Therefore, when configuring network devices, the security practitioner is the key to producing a careful balance between security, performance and generated data volume.
This paper outlines an intensive experiment to compare and contrast different logging schemes. These tests are placed within the scenario of a forensic investigation, which involves extensive data logging and analysis. The metrics compare CPU utilisation, bandwidth usage, memory buffers, usefulness of these records to the investigation, and so on. The two logging systems examined are the Cisco 20x series based routers, for in-line logging capabilities with Syslog, and the IDS Snort for out-of-line logging. This work provides an empirical perspective by plotting the footprint that this logging scheme has on the core network infrastructure, thus providing a proposed optimal logging approach for a network, along with the comparative merits of in-line and out-of-line auditing systems.
|Item Type:||Conference or Workshop Item (Paper)|
|Additional Information:||Remenyi, D. (ed.). Proceedings of the 5th European Conference on Information Warfare and Security ECIW 2006. Reading, Kidmore End: Academic Conferences, 1st June 2006. ISBN 1905305206 & ISBN13 9781905305209. 281p.|
|Uncontrolled Keywords:||Logging; Digital forensics; Network management; Network performance; Intrusion detection;|
|University Divisions/Research Centres:||Faculty of Engineering, Computing and Creative Industries > School of Computing|
|Dewey Decimal Subjects:||000 Computer science, information & general works > 000 Computer science, knowledge & systems > 005 Computer programming, programs & data
000 Computer science, information & general works > 000 Computer science, knowledge & systems > 005 Computer programming, programs & data > 005.8 Data security
|Library of Congress Subjects:||Q Science > QA Mathematics > QA76 Computer software|
|Depositing User:||RAE Import|
|Date Deposited:||22 Jul 2008 10:21|
|Last Modified:||18 Jun 2012 13:15|
Actions (login required)
Downloads per month over past year