Leadership Lab: Audit and Governance
This series includes essays on security audit and governance. Tone at the top is a crucial aspect of leadership. However, our primary repository for audit information is the SANS audit blog: http://blogs.sans.org/it-audit/
Applied Intelligence Analysis of Networks
Jun 16th, 2008
By Richard Porter
1. Traffic Analysis Concept
1.1 Observe Orient Decide Act
Concepts of operation can sometimes be problematic when
technologists get caught up in the technology. Here we will examine an
Information Operations concept that will provide an action model.
This model was crafted by one of the finest fighter pilots in the world who remained undefeated in aerial combat.
"Col. John Boyd, U.S. Air Force fighter pilot ace, developed the
concept of the OODA Loop to describe the process needed to win at war.
This model matured as he won aerial dogfights in Korea and Viet Nam and
later used it to describe how to gain a competitive advantage in any
situation. Recently, the OODA loop has begun to be applied to business
and product development as a way to describe their decision-making
cycles. In these situations, the loop often gets stuck at the D and the
team is reduced to making a sound like OO-OO-OO. The OODA loop is a
succinct representation of the natural decision cycle seen in every
context: war, business, product development, or life."
[Figure 1.1]
This concept brings forth a mindset that can apply to any situation. In
this case we are going to examine traffic control and "Act"
capabilities to provide better Quality of Service to traffic.
1.1.1 OODA: Observe
In order to understand which "Act" actions need to be taken, it is important to understand observation capabilities.
We have several methods of observation at our disposal. The Simple
Network Management Protocol is used in many tools associated with
observation. Using SNMP Traps and a common logging system we increased
our visibility into the network. For the purpose of this conceptual
examination we will remain within those two observation tools and
protocols.
SNMP provides trap capabilities that can report to central logging
systems. This information gives you some level of visibility into
network activity, and observation can gather enough information to move
to the next phase of the loop.
Syslog provides system-level logging and some network activity
information. This information can also support movement to the next
phase.
With these two tools it is, with some research, possible to
automatically observe certain "Act" conditions. Using the OODA model it
would be possible to automate the loop process with reporting to
Administrators. This reporting would allow operators to interrupt the
loop when needed.
1.1.2 OODA: Orient
As applied to network traffic management, this phase would be analysis
of the information provided from the observation phase. Using our two
example methods of observation information gathering, SNMP and Syslog,
we can orient ourselves as to what behavior is occurring.
Is the behavior normal? Has something occurred in the loop process that
is not normal? In this case we are using Quality of Service as the
primary driver for the model. Our orientation, in this example, is that
a customer is regularly bursting beyond their negotiated bandwidth. The
customer may not be aware of the network behavior change and will
likely report an outage as packets begin to drop.
If we plug this into the OODA loop model, using automated tools, it
will be possible to move into the decide and "act" phases.
1.1.3 OODA: Decide
The model below takes Col. Boyd’s loop and applies it to business.
In the diagram we can see that the Decide block includes "Managing
Deliberation" and "Fusing Information" (Ullman 2007). Above we
"Observe" the flow of "Implicit Guidance and Control" (Ullman 2007). We
can conclude that, in the world of network management, this would be
customer service policies or service level agreements.
[Figure 1.1.3]
Taking the information that we have received through the different
phases, a decision can be made. In the case of a bursting customer,
several actions can be proactively taken.
1.1.4 OODA: Act
At the completion of the first loop we "Act". In the case of our bursting customer, this can take several forms.
With automated systems in place, it is possible to proactively notify
the customer. Actions could also include notification of an
operator for manual loop intervention. If service level agreements are
in place, it may also be possible to automatically, and temporarily,
increase bandwidth to the customer.
Continuing through the loop, this temporary increase can be trended and
continually acted upon. If the customer is continually using more
bandwidth, this could feed into your business model by offering the
customer a different service level agreement.
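The four phases above, run as one automated loop, as an added worked example that is not code from the original essay. It assumes a collector that writes one syslog-style line per SNMP interface-utilization trap (a constructed format, with hypothetical customers acme, globex and initech), a constructed SLA table holding each customer's negotiated rate and whether a temporary burst uplift is permitted, and a constructed 25% uplift policy. Every phase returns data instead of touching devices, which is what lets an operator inspect the loop and interrupt it before anything is applied.

```python
"""Automated OODA loop over constructed network observations.

Added example, not code from the original essay. It assumes a collector that
writes one syslog-style line per SNMP interface-utilization trap (constructed
format, see SAMPLE_LOG) and a hypothetical SLA table with each customer's
negotiated rate in Mbit/s. Every phase returns data rather than touching
devices, so an operator can inspect the loop and interrupt it.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed lines: "<timestamp> <host> snmptrapd: ifUtil customer=<id> rate_mbps=<n>"
SAMPLE_LOG = """\
2008-06-16T10:00:00 rtr1 snmptrapd: ifUtil customer=acme rate_mbps=48
2008-06-16T10:05:00 rtr1 snmptrapd: ifUtil customer=acme rate_mbps=72
2008-06-16T10:10:00 rtr1 snmptrapd: ifUtil customer=acme rate_mbps=80
2008-06-16T10:00:00 rtr1 snmptrapd: ifUtil customer=globex rate_mbps=20
2008-06-16T10:05:00 rtr1 snmptrapd: ifUtil customer=globex rate_mbps=130
2008-06-16T10:10:00 rtr1 snmptrapd: ifUtil customer=globex rate_mbps=125
2008-06-16T10:00:00 rtr1 snmptrapd: ifUtil customer=initech rate_mbps=10
2008-06-16T10:05:00 rtr1 snmptrapd: ifUtil customer=initech rate_mbps=60
2008-06-16T10:10:00 rtr1 snmptrapd: ifUtil customer=initech rate_mbps=12
2008-06-16T10:10:01 rtr1 sshd[412]: Accepted publickey for ops from 10.0.0.5
"""
# Constructed SLA table: hypothetical customers, negotiated rate, burst policy.
SLA = {
    "acme": {"rate_mbps": 50, "burst_allowed": True},
    "globex": {"rate_mbps": 100, "burst_allowed": False},
    "initech": {"rate_mbps": 50, "burst_allowed": True},
}
BURST_HEADROOM = 1.25  # constructed policy: temporary uplift of 25 % over the negotiated rate
LINE_RE = re.compile(r"^\S+ \S+ snmptrapd: ifUtil customer=(?P<customer>\w+) rate_mbps=(?P<rate>\d+)$")

@dataclass
class Observation:
    customer: str
    rate_mbps: int

def observe(log_text: str) -> list[Observation]:
    """Observe: parse collector lines; lines that do not match are ignored, never guessed at."""
    matches = (LINE_RE.match(line) for line in log_text.splitlines())
    return [Observation(m["customer"], int(m["rate"])) for m in matches if m]

def orient(observations: list[Observation], sla: dict) -> dict:
    """Orient: per customer, compare each sample with the negotiated rate and classify the behaviour."""
    samples: dict[str, list[int]] = {}
    for o in observations:
        samples.setdefault(o.customer, []).append(o.rate_mbps)
    state = {}
    for customer, rates in samples.items():
        over = sum(1 for r in rates if r > sla[customer]["rate_mbps"])
        if over == 0:
            status = "normal"
        elif over / len(rates) >= 0.5:
            status = "regular_burst"  # the essay's customer who is regularly bursting
        else:
            status = "isolated_burst"
        state[customer] = {"status": status, "peak_mbps": max(rates), "over": over, "samples": len(rates)}
    return state

def decide(state: dict, sla: dict, history: dict) -> dict:
    """Decide: map orientation plus trend to (action, detail) pairs per customer.

    `history` counts consecutive loops in which a customer received a temporary
    uplift; that trend is what the essay feeds back into the SLA offering."""
    plan = {}
    for customer, info in state.items():
        actions = []
        if info["status"] != "normal":
            actions.append(("notify_customer", f"peak {info['peak_mbps']} Mbit/s"))
        if info["status"] == "regular_burst" and sla[customer]["burst_allowed"]:
            actions.append(("temporary_increase", int(sla[customer]["rate_mbps"] * BURST_HEADROOM)))
            history[customer] = history.get(customer, 0) + 1
            if history[customer] >= 2:
                actions.append(("offer_new_sla", f"sustained demand near {info['peak_mbps']} Mbit/s"))
        else:
            history[customer] = 0
            if info["status"] == "regular_burst":  # uplift not permitted: hand the loop to an operator
                actions.append(("notify_operator", "manual intervention: burst not permitted by SLA"))
        plan[customer] = actions
    return plan

def act(plan: dict) -> list[str]:
    """Act: render the plan as an operator report; applying it to devices is out of scope here."""
    return [f"{c}: {a} ({d})" for c, actions in plan.items() for a, d in actions]

def run_loop(log_text: str, sla: dict, history: dict) -> dict:
    """One pass Observe -> Orient -> Decide -> Act; returns the plan so it can be checked or vetoed."""
    plan = decide(orient(observe(log_text), sla), sla, history)
    for line in act(plan):
        print(line)
    return plan

if __name__ == "__main__":
    trend: dict = {}
    run_loop(SAMPLE_LOG, SLA, trend)  # first pass: acme receives a temporary uplift
    run_loop(SAMPLE_LOG, SLA, trend)  # second pass on the same data: the trend triggers an SLA offer
```

Running the loop twice over the same constructed data shows the trending the essay describes: acme is uplifted on the first pass and offered a new SLA on the second, globex is escalated to an operator because its SLA forbids automatic uplift, and initech's single spike only produces a customer notification. Because `decide` returns a plan rather than reconfiguring anything, an operator (or a policy check) sits between Decide and Act and can interrupt the loop.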
2. References
D. G. Ullman (2007). "OO-OO-OO!" The Sound of a Broken OODA Loop. The Journal of Software Engineering. Retrieved 24 Feb 2008 from http://www.stsc.hill.af.mil/CrossTalk/2007/04/0704Ullman.html
W. R. Stevens (2005). TCP/IP Illustrated, Volume 1. Pages 2-4. Addison Wesley.
D. E. Comer (2006). Internetworking With TCP/IP, Volume I, Fifth Edition. Page 363. Pearson Prentice Hall.
======
Submitted by Richard Porter, rwporter@gmail.com