TCP Metrics Report

Monitoring of TCP network connection statistics assist in evaluating applications use of ports relevant to network security. TCP is used broadly by many applications available by internet, including most notably the World Wide Web, E-mail, File Transfer Protocol, Secure Shell, peer-to-peer file sharing, and streaming media applications. This report provides analysts with detailed statistics for TCP port usage.

TCP manages the fragmentation of messages or files into smaller packets that can be transmitted across the internet and reassembled at their destination. TCP relies on Internet Protocol (IP) for transmission and is often referred to as TCP/IP. TCP provides a communication service at an intermediate level between an application program and the Internet Protocol. TCP is a connection-oriented protocol, which means a connection is established and maintained until the applications at each end have finished exchanging messages. However, TCP protocols lack basic mechanisms for security, such as authentication or encryption.

This report provides analysts with detailed statistics for TCP port usage. A chapter is dedicated to port usage statistics by utilizing different analytical tools and filtering methods from Tenable. Analysts are provided a broad view of TCP activity by utilizing each product that results in a clear picture of all TCP activity monitoring efficiency and security.

The report is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards and assets. The report can be easily located in the SecurityCenter Feed under the category Monitoring.

The report requirements are:

• SecurityCenter 5.5
• Nessus 6.10.8
• Nessus Network Monitor 5.3.0
• LCE 5.0.1
• TenableNetFlowMonitor 
• TenableNetworkMonitor

Note:  For efficiency, the report results have been limited to first ten results. The number of results or the iterator filter can be modified based on your organizational requirements. 

Tenable SecurityCenter Continuous View® (SecurityCenter CV™) provides continuous network monitoring, vulnerability identification and security monitoring. SecurityCenter CV is continuously updated with information about advanced threats, zero-day vulnerabilities and new types of regulatory compliance configuration audit files. Tenable constantly analyzes information from our unique sensors, delivering continuous visibility and critical context, and enabling decisive action that transforms a security program from reactive to proactive. Active scanning periodically examines the applications on the systems, the running processes and services, web applications, and configuration settings. With these tools, analysts can better analyze TCP metrics with hosts communication in the environment. Tenable enables powerful, yet non-disruptive, continuous monitoring that will provide organizations with the information needed to reduce risk within the enterprise.

This report contains the following chapters:

Open Port Summary:  The Open Port Summary chapter presents the output from the “netstat” command using the Netstat Portscanner SSH plugin ID 14272.  Additionally, for Windows computers, the process information is also included by using the Netstat Portscanner plugin ID 34220. The data in this chapter provides statistical data for systems and the TCP ports on which they are listening.

TCP Trusted Client Connections:  This chapter uses the Nessus Network Monitor plugin 3, 'Internal client trusted connection' to report connections from clients to servers on various ports. Information displayed provides analysts with detailed statistics of ports and the trusted host connection established.

TCP Trusted Server Connection:  This chapter uses the Nessus Network Monitor plugin 15, 'Internal server trusted connection' to report connections from servers to clients on various ports. This information assists analysts with port statistics that are common across the network.

Outbound External Connections:  This chapter uses the Nessus Network Monitor plugin 16, 'Outbound external connection' to report connections from clients to external servers on various ports. This information assists analysts with port statistics that are common across the network.

Tenable Network Monitor (TNM):  The data in this chapter displays the statistical port usage data collected using the TNM.  The TNM is designed to monitor network traffic and send session information to the LCE server. 

Tenable NetFlow Monitor (TFM):  The Tenable NetFlow Monitor chapter displays the statistical port usage data collected using the TFM.  The TFM client takes advantage of the ability in most modern routers to use the NetFlow protocol to send network session statistics to remote collectors for processing and reporting.