One of the best moves you can make to detect security threats is to monitor for unusual network connections. Not every server needs to connect to every other server, or to every workstation. Most workstations don't connect to other workstations, or to every server. In a perfect world, every server and workstation would be able to connect only to the computers it's supposed to connect to, period. Anything else would be flagged as abnormal.

Those who launch APTs (advanced persistent threats) and other malicious hacks usually don't know what the normal network flows are. They connect from the first compromised workstation or server to the next jumping-off point, regardless of normal or authorized traffic flows. Want to "detect the undetectable"? Then detect new, unauthorized traffic flows.

Unfortunately, this is a difficult task. Most companies lack a good understanding -- or any understanding at all, for that matter -- of what should be connected to what. If you don't know what should be allowed, it's hard to detect what's abnormal. At the very least, you should create a diagram or spreadsheet documenting what should be allowed (source, destination, protocol, and port), and include examples of connections that shouldn't happen.

The other problem is that the perfect monitoring tool for network traffic flows -- to my knowledge -- doesn't exist.
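Here is the core of that approach in code, as an added example that is not from the original column or from any of the tools it mentions. It treats the "spreadsheet of what should talk to what" as an allowlist of (source zone, destination zone, protocol, destination port) rules, runs a batch of NetFlow-style records against it, and reports every flow that matches no rule, ranked by the criticality assigned to the destination zone and tagged as "new" when it was never seen in an earlier collection run. The zones, addresses, criticality values, and flow records are all constructed sample data.

```python
"""Flag network flows that are not on the documented allowlist.

Added example, not code from the original column or from any tool it names.
The "spreadsheet of what should talk to what" is modelled as a set of
(source zone, destination zone, protocol, destination port) rules; every
observed flow that matches no rule is reported, ranked by the criticality
assigned to the destination zone. All zones, addresses and flow records
below are constructed sample data.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst proto dport")

# Network zones and an assumed criticality (1 = low, 3 = high).
ZONES = {
    "workstations": (ipaddress.ip_network("10.1.0.0/16"), 1),
    "web":          (ipaddress.ip_network("10.2.0.0/24"), 2),
    "db":           (ipaddress.ip_network("10.3.0.0/24"), 3),
    "dc":           (ipaddress.ip_network("10.0.0.0/24"), 3),
}

# Documented, authorized flows; "*" matches any destination port.
ALLOWED = {
    ("workstations", "web", "tcp", 443),
    ("workstations", "dc",  "udp", 53),
    ("workstations", "dc",  "tcp", 88),
    ("workstations", "dc",  "tcp", 389),
    ("web",          "db",  "tcp", 5432),
    ("web",          "dc",  "udp", 53),
    ("dc",           "dc",  "tcp", "*"),   # domain controller replication
}


def zone_of(ip):
    """Map an address to its zone; anything outside the known zones is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, (net, _crit) in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def criticality(zone):
    # Unknown zones are treated as high criticality so they never sink to the bottom.
    return ZONES[zone][1] if zone in ZONES else 3


def is_allowed(src_zone, dst_zone, proto, dport):
    return ((src_zone, dst_zone, proto, dport) in ALLOWED
            or (src_zone, dst_zone, proto, "*") in ALLOWED)


def parse_flows(text):
    """Parse whitespace-separated 'ts src dst proto dport' lines (a minimal NetFlow-like export)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append(Flow(ts, src, dst, proto.lower(), int(dport)))
    return flows


def find_unauthorized(flows, baseline=frozenset()):
    """Return alerts for flows matching no allowlist rule, most critical first.

    baseline holds (src, dst, proto, dport) tuples observed in earlier
    collection runs; an unauthorized flow absent from it is also tagged 'new'.
    """
    alerts = []
    for f in flows:
        sz, dz = zone_of(f.src), zone_of(f.dst)
        if is_allowed(sz, dz, f.proto, f.dport):
            continue
        severity = criticality(dz)
        if sz == "workstations" and dz == "workstations":
            severity += 1   # workstation-to-workstation traffic is a classic lateral-movement sign
        alerts.append({
            "ts": f.ts, "src": f.src, "src_zone": sz,
            "dst": f.dst, "dst_zone": dz, "proto": f.proto, "dport": f.dport,
            "severity": severity,
            "new": (f.src, f.dst, f.proto, f.dport) not in baseline,
        })
    alerts.sort(key=lambda a: (-a["severity"], a["ts"]))
    return alerts


# Constructed sample export: normal traffic, then one workstation pivoting to a peer, the DB and a DC.
SAMPLE_FLOWS = """
# ts                  src          dst         proto dport
2024-05-01T08:00:01  10.1.4.22    10.2.0.5    tcp   443
2024-05-01T08:00:02  10.1.4.22    10.0.0.10   udp   53
2024-05-01T08:00:05  10.2.0.5     10.3.0.7    tcp   5432
2024-05-01T08:01:10  10.1.4.22    10.1.7.90   tcp   445
2024-05-01T08:02:30  10.1.7.90    10.3.0.7    tcp   5432
2024-05-01T08:03:00  10.1.7.90    10.0.0.10   tcp   3389
"""

# Flows already seen (but not yet adjudicated) in a previous run; constructed.
BASELINE = frozenset({("10.1.4.22", "10.1.7.90", "tcp", 445)})

if __name__ == "__main__":
    for a in find_unauthorized(parse_flows(SAMPLE_FLOWS), BASELINE):
        flag = "NEW " if a["new"] else "    "
        print(f"sev={a['severity']} {flag}{a['src']} ({a['src_zone']}) -> "
              f"{a['dst']} ({a['dst_zone']}) {a['proto']}/{a['dport']} at {a['ts']}")
```

The allowlist is keyed on zones rather than individual addresses so that the "research" step stays tractable: a new workstation in the 10.1.0.0/16 range inherits the workstation rules without anyone touching the table. The two things the column wants to surface, an unauthorized flow and a flow nobody has seen before, are kept as separate fields, because an unauthorized flow that has been showing up for weeks is a rule-set gap to fix, while a new one is the alert worth paging on.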
My perfect tool would:

- Monitor and document existing network traffic flows between all endpoints
- Put them in an understandable screen of information for review
- Let network admins define which network traffic flows are or aren't legitimate (this step would take a lot of research in most organizations)
- Let admins define alerts for unauthorized or new flows
- Assign criticality to different network domains or connection types

Monitoring IP-address-to-IP-address traffic would be enough for me, but bonus points if the tool monitored port-level information (TCP port 80, UDP port 53, and so on).

Early on I used simple network traffic monitors/packet analyzers like Wireshark to map network traffic. These network monitoring tools often have traffic flow maps that show what's connecting to what. But you'd have to run sensors on every endpoint and then bring the data together for analysis. It would be "analysis paralysis" for most organizations; plus, creating alerts would be problematic.

InfoWorld recently published an awesome overview of open source network tools: Nagios, Icinga, NeDi, and Observium. Each tool is part of the solution, but not enough. Some fail due to missing features. Some have tracking and monitoring, but lack alerting. Some have alerting, but they're not good at discovery. Others aren't enterprise-ready.

Lately, I've seen customers employ an interesting commercial tool: Tufin's SecureTrack. It's almost perfect. It's designed to track, manage, and optimize traffic rules (on firewalls, routers, load balancers, and so on). It reads the devices, collects the rules, analyzes them, and suggests optimizations. It has an awesome graphical view of which networks (and other logically defined connection boundaries) can and can't communicate with each other. On one screen you can easily see which boundaries can talk to which. It's easy to see the intersections and pick out the networks and boundaries that really have no reason to talk to each other.
It will even send prioritized alerts when a rule set breaks a connection pathway policy.

Only one feature is missing from Tufin SecureTrack: It doesn't monitor individual endpoints. If I could merge it with a protocol analyzer or endpoint collector, it would be perfect.

What are your favorite network monitoring tools? Have you encountered anything that meets all my criteria? If so, let us all know about it in the comments.