(just in case, if anyone didn't copy it)
Network Forensics Analysis
A network’s physical layer is deceptively quiet. Hub lights blink in response to network traffic, but do little to convey the range of information that the network carries. Analysis of the individual traffic flows and their content is essential to a complete understanding of network usage. Many tools let you view traffic in real time, but real-time monitoring at any level requires significant human and hardware resources, and doesn’t scale to networks larger than a single workgroup. It is generally more practical to archive all traffic and analyze subsets as necessary. This process is known as reconstructive traffic analysis, or network forensics.[1] In practice, it is often limited to data collection and packet-level inspection; however, a network forensics analysis tool (NFAT) can provide a richer view of the data collected, allowing you to inspect the traffic from further up the protocol stack.
The IT industry’s ever-growing concern with security is the primary motivation for network forensics. A network that has been prepared for forensic analysis is easy to monitor, and security vulnerabilities and configuration problems can be conveniently identified. It also allows the best possible analysis of security violations. Most importantly, analyzing a complete record of your network traffic with the appropriate reconstructive tools provides context for other breach-related events. For example, if your analysis detects a user account and its Pretty Good Privacy (PGP, www.pgp.com/index.php) keys being compromised, good practice requires you to review all subsequent activity by that user, or involving those keys.
Given that firewalls and intrusion-detection systems (IDSs) are well-established tools for network security, what is NFAT’s role? Will it replace these tools or complement them? A typical IDS attempts to detect activity that violates an organization’s security policy by implementing a set of rules describing preconfigured patterns of interest. These rules are both a strength and a weakness: An IDS can detect certain incidents reliably, but no rule set can detect all possible intrusions. A typical firewall allows or disallows traffic to or from specific networks, machine addresses, and port numbers, but protocols that circumvent port-based security are increasingly common. Consider Yahoo Messenger (www.venkydude.com/articles/yahoo.htm), which will move to port 23 (well known as the Telnet[3] port) if its default port (5050) is blocked. Thus, it could circumvent a firewall’s block of port 5050. An NFAT, on the other hand, would identify the connection on port 23 as Yahoo Messenger by its content. An NFAT synergizes with IDSs and firewalls in two ways: It preserves a long-term record of network traffic, and it allows quick analysis of trouble spots identified by the other two tools. Access to an NFAT lets you decide what traffic is of interest post hoc (for example, the last two weeks’ worth of e-mail sent by an employee who has disappeared and whose machine has been wiped clean) and to analyze that traffic quickly and efficiently.
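The port-23 case above, shown as an added illustration that is not part of the original article: a port-based label (what a firewall rule sees) is compared with a content-based label over a few constructed flows. The "YMSG" header magic is the real start of every Yahoo Messenger packet; the other signatures are deliberately simplified and the sample flows are constructed, not captured.

```python
"""Port-based vs. content-based identification of archived flows."""
from dataclasses import dataclass

# Port-based view: the mapping a firewall or port lookup would apply.
WELL_KNOWN_PORTS = {23: "telnet", 25: "smtp", 80: "http", 5050: "yahoo-messenger"}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent on the connection


def classify_by_port(flow: Flow) -> str:
    return WELL_KNOWN_PORTS.get(flow.dport, "unknown")


def classify_by_content(flow: Flow) -> str:
    p = flow.payload
    # Yahoo Messenger (YMSG): every packet begins with the ASCII magic "YMSG".
    if p.startswith(b"YMSG"):
        return "yahoo-messenger"
    # Telnet: option negotiation opens with IAC (0xFF) then WILL/WONT/DO/DONT.
    if len(p) >= 2 and p[0] == 0xFF and p[1] in (0xFB, 0xFC, 0xFD, 0xFE):
        return "telnet"
    # HTTP (simplified): a request line with a method token and "HTTP/".
    if p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD") and b" HTTP/" in p:
        return "http"
    # SMTP (simplified): the client's first command is EHLO or HELO.
    if p.upper().startswith((b"EHLO ", b"HELO ")):
        return "smtp"
    return "unknown"


def find_port_evasions(flows):
    """Flows whose content identification disagrees with the port-based label."""
    return [(f, classify_by_port(f), classify_by_content(f))
            for f in flows if classify_by_content(f) != classify_by_port(f)]


# Constructed sample flows (not real captures); addresses are documentation ranges.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 23, b"YMSG\x00\x0b\x00\x00\x00\x10\x00\x06"),
    Flow("10.0.0.7", "203.0.113.11", 23, b"\xff\xfb\x18\xff\xfb\x20"),
    Flow("10.0.0.8", "203.0.113.12", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    for flow, by_port, by_content in find_port_evasions(SAMPLE_FLOWS):
        print(f"{flow.src}->{flow.dst}:{flow.dport} port says {by_port}, content says {by_content}")
```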
As an essential complement to existing security systems, an NFAT must perform three tasks well. It must capture network traffic; it must analyze the traffic according to the user’s needs; and it must let system users discover useful and interesting things about the analyzed traffic.
Thursday, April 22, 2010