May 24, 2011
CSO
As with any tool, protocol analyzers need skilled implementation. Here is advice from the front lines.
Read more in the companion article Protocol analyzers: How to choose and use them (no registration is required).
DO make sure you have the right expertise on your network operations and security teams to make effective use of protocol analysis tools to troubleshoot network problems, tune firewalls and other security devices, and investigate the cause of attacks on the enterprise.
In a large organization, chances are there are IT people with the right credentials to make effective use of these tools, but they are thin on the ground. "A lot of network admins would be stunned by what they see in Wireshark," says Opus One's Joel Snyder. Generally, look for experienced network engineers or security personnel with a strong hands-on background configuring network firewalls and intrusion-protection systems.
Your tech folks should have a thorough understanding of protocols and how they work, so they can quickly examine the packet captures, determine where the issues are and remediate them. Experienced pros can apply this knowledge to security and application issues as well as network operations.
"What you really need is someone who is pretty well rounded—think of the OSI model," says Mike Chapple, senior adviser to the executive vice president at the University of Notre Dame. IT people are often specialists: programmers who specialize in the application layer or network operations staff who know network and transport layers, for example.
"If you're troubleshooting, you have to very quickly and agilely navigate up and down the protocol stack, from the physical layer straight up to the application layer," he says.
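To make that layer-by-layer walk concrete, here is an added example (not code from the article or from any of the products it mentions): a dependency-free Python decoder that takes one Ethernet frame and climbs the stack from layer 2 through IPv4 and TCP to an HTTP request line, recording the fields an analyst would read off in Wireshark and noting the things worth a second look on the way up (a bad IPv4 header checksum, a capture that is shorter than the IP total length, a protocol the decoder does not handle). The frame, the MAC and IP addresses and the HTTP request are all constructed inside the script so it runs offline; they are not from a real capture.

```python
import struct
from dataclasses import dataclass, field

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header; returns 0 when the checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame() -> bytes:
    """Constructed frame (not a real capture): Ethernet -> IPv4 10.0.0.5 -> TCP 40000->80 -> HTTP GET."""
    payload = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    # TCP: ports, seq, ack, data offset 5 words, flags PSH|ACK, window, checksum (left 0), urgent
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill in the header checksum
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + tcp + payload


@dataclass
class Decoded:
    layers: list = field(default_factory=list)    # (layer name, fields) from layer 2 upward
    problems: list = field(default_factory=list)  # anything an analyst should look at


def decode_frame(frame: bytes) -> Decoded:
    """Walk one frame up the stack, stopping at the first layer that cannot be parsed."""
    out = Decoded()
    if len(frame) < 14:
        out.problems.append("frame shorter than an Ethernet header")
        return out
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out.layers.append(("ethernet", {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype}))
    if ethertype != 0x0800:
        out.problems.append(f"ethertype 0x{ethertype:04x} is not IPv4; stopped at layer 2")
        return out

    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        out.problems.append("missing or non-IPv4 header after Ethernet")
        return out
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    if ihl < 20 or len(ip) < ihl:
        out.problems.append("IPv4 header length invalid or truncated")
        return out
    if ipv4_checksum(ip[:ihl]) != 0:
        out.problems.append("IPv4 header checksum mismatch")
    if total_len > len(ip):
        out.problems.append("IPv4 total length exceeds captured bytes (truncated capture?)")
    out.layers.append(("ipv4", {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
                                "ttl": ip[8], "protocol": proto, "total_length": total_len}))
    if proto != 6:
        out.problems.append(f"IP protocol {proto} is not TCP; stopped at layer 3")
        return out

    tcp = ip[ihl:min(total_len, len(ip))]
    if len(tcp) < 20:
        out.problems.append("truncated TCP header")
        return out
    sport, dport, seq, ack, off, flag_bits, window = struct.unpack("!HHIIBBH", tcp[:16])
    data_off = (off >> 4) * 4
    flags = [name for bit, name in TCP_FLAGS if flag_bits & bit]
    out.layers.append(("tcp", {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                               "flags": flags, "window": window}))
    payload = tcp[data_off:]

    # Layer 7: only a plain-text HTTP request line is recognised in this example
    if 80 in (sport, dport) and payload.startswith(HTTP_METHODS):
        request_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        out.layers.append(("http", {"request_line": request_line}))
    return out


if __name__ == "__main__":
    for name, fields in decode_frame(build_sample_frame()).layers:
        print(f"{name:9s} {fields}")
```

The decoder deliberately keeps going after a checksum mismatch and only stops when the next layer cannot be parsed at all, because a troubleshooter usually wants the whole picture (which host, which port, which request) alongside the defect, not a decoder that gives up at the first oddity. The `problems` list is the part to read first; the `layers` list is the part to read when the problem is at a layer the decoder did not flag.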
If you don't have sufficient expertise with protocol analysis to cover your IT operations effectively, consider bringing in consultants, especially for major projects that involve introducing new services or for forensics after a major security incident.
DO invest in enterprise versions of protocol analyzers or higher-level monitoring and analysis products in a large, distributed environment in which your analyzer jockeys are thin on the ground.
"The skill gap is increasing, and there's a big shift from the scenario in which you arm techs with protocol analyzers and parachute them into remote offices," says NetScout's Shalita.
Enterprise-caliber appliances allow you to capture and store traffic data across your networks, perform at least some automated analysis, and troubleshoot from anywhere in the enterprise. Your networks are big, fast and complex. Make the most of your available personnel to keep your networks and applications running smoothly with minimal disruption.