
PREMIER KNOW-HOW

 

New York, NY June 16, 2009


Security Monitoring

contributed by Kie Tung

As organizations become increasingly dependent on the Internet for critical aspects of their business, the need to secure and understand the activity occurring at the perimeter and within the private network becomes ever more important. Nearly all organizations connected to the Internet are protected by some type of firewall, which provides a critical layer of defense against unauthorized access and attacks from the public Internet. Nearly all firewalls also provide some logging mechanism, many using the syslog standard, with each vendor specifying its own message IDs and associated text for informational, warning, and error messages. However, many organizations either do not log this activity or cannot review their logs effectively, because the log files can grow tremendously in a short period depending on the amount of traffic.

A syslog daemon or service receives the messages sent by network devices and writes them to a text file. On its own, this supports only a reactive approach: a user or administrator notices that something is wrong, and an administrator then goes back through the logs to find where the issue lies. A proactive approach adds a process that parses the syslog messages as they arrive and sends a real-time alert whenever predefined criteria are met. Administrators define what matters to them and are notified when those events occur.

The challenges include defining the criteria that determine when an alert should be sent, and then actually sending it. Because syslog message IDs are vendor specific, a separate set of criteria is needed for each vendor's devices. Using Cisco as an example, the PIX/ASA product line has over 1,000 unique syslog message IDs. A set of important or critical IDs should be identified from the vendor's recommendations and industry best practices, and that set should be re-evaluated as device operating systems evolve. The second half of the challenge is reliably sending alerts via email, SMS, or similar channels as events occur, without sending one for every single event. It makes no sense to alert each time an ACL denies a packet; the alert should fire when there are excessive drops on a particular ACL. This is accomplished with a threshold value and a minimum interval between alerts. No one wants to sift through hundreds of alerts to find the few that are meaningful.

Another set of challenges is running custom reports, retaining historical data, and performing trend analysis over the collection of syslog messages. For example, how many times in the past six months has an unknown IP address attempted to manage the firewall via SSH (Secure Shell)? How many severity 2 messages were generated in the past week? Being able to run reports against the logs is a huge benefit, especially when network security is audited, and it is readily achieved by importing the events into a database and building standardized reports that run against it. Lastly, don't forget to back up the database!
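The following is an added example (not Premier's software and not code from this article) that ties together the three preceding paragraphs: it parses syslog lines written to file, applies a per-ID threshold with a quiet period between alerts so that a burst of ACL denies produces one alert rather than one per packet, and then loads the same events into a SQL database to answer the two audit questions above. The sample lines are constructed and modeled on the Cisco ASA/PIX "%ASA-severity-id:" message format; the header layout, the choice of IDs 106023 (ACL deny), 605004 (management login denied) and 106001 (severity 2 connection denied), the thresholds, and the MANAGEMENT_HOSTS allow-list are all assumptions for illustration.

```python
import re
import sqlite3
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Constructed sample lines (not real logs), modeled on the Cisco ASA/PIX syslog
# format "%ASA-<severity>-<message-id>: <text>"; the header layout (timestamp,
# hostname) is an assumption about how the collector writes messages to file.
SAMPLE_LOG = [
    'Jun 16 2009 09:58:11 fw01 %ASA-6-302013: Built inbound TCP connection 12 for outside:198.51.100.7/40211 to inside:10.0.0.80/443',
    'Jun 16 2009 09:58:12 fw01 %ASA-6-605004: Login denied from 203.0.113.9/51234 to outside:203.0.113.1/ssh for user "admin"',
    'Jun 16 2009 09:58:13 fw01 %ASA-2-106001: Inbound TCP connection denied from 203.0.113.9/51235 to 10.0.0.5/23 flags SYN on interface outside',
]
# A burst of 25 ACL denies from one host, one per second: one alert, not 25.
SAMPLE_LOG += [
    f'Jun 16 2009 10:00:{sec:02d} fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.5/{43000 + sec} '
    'dst inside:10.0.0.5/22 by access-group "outside_access_in" [0x0, 0x0]'
    for sec in range(25)
]
SAMPLE_LOG.append('Jun 16 2009 10:30:00 fw01 %ASA-6-605004: Login denied from 10.0.0.50/33001 to inside:10.0.0.1/ssh for user "netops"')

LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'%(?P<vendor>[A-Z]+)-(?P<sev>\d)-(?P<msg_id>\d{6}): (?P<text>.*)$')
Event = namedtuple("Event", "ts host severity msg_id text")

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None    # unknown layout: skip the line, never crash the collector
    return Event(datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
                 m["host"], int(m["sev"]), m["msg_id"], m["text"])

# threshold: events per key inside `window` before an alert; cooldown: minimum
# gap between two alerts for the same key; key_re: one group to aggregate by.
Rule = namedtuple("Rule", "name threshold window cooldown key_re")
# Constructed criticality table; a real one comes from the vendor's message guide.
RULES = {
    "106023": Rule("excessive ACL denies", 20, timedelta(seconds=60), timedelta(minutes=5), r'by access-group "([^"]+)"'),
    "605004": Rule("management login denied", 1, timedelta(seconds=1), timedelta(minutes=10), r"from (\d+\.\d+\.\d+\.\d+)/"),
}

class Alerter:
    """Threshold plus cooldown: alert once per key when its window fills up."""
    def __init__(self, rules):
        self.rules = rules
        self.recent = defaultdict(deque)   # (msg_id, key) -> timestamps in window
        self.last_alert = {}               # (msg_id, key) -> time of last alert

    def feed(self, ev):
        rule = self.rules.get(ev.msg_id)
        if rule is None:
            return None                    # not on the critical-ID list
        m = re.search(rule.key_re, ev.text)
        key = (ev.msg_id, m.group(1) if m else "*")
        q = self.recent[key]
        q.append(ev.ts)
        while ev.ts - q[0] > rule.window:  # drop events that aged out
            q.popleft()
        if len(q) < rule.threshold:
            return None
        last = self.last_alert.get(key)
        if last is not None and ev.ts - last < rule.cooldown:
            return None                    # still inside the quiet period
        self.last_alert[key] = ev.ts
        return f"{ev.ts:%Y-%m-%d %H:%M:%S} {ev.host} {rule.name}: {key[1]} ({len(q)} in {int(rule.window.total_seconds())}s)"

def load_events(events):
    """Import parsed events into SQLite (in memory here; a file or server in practice)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (ts TEXT, host TEXT, severity INTEGER, msg_id TEXT, text TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?)",
                     [(e.ts.strftime("%Y-%m-%d %H:%M:%S"), e.host, e.severity, e.msg_id, e.text) for e in events])
    conn.commit()
    return conn

MANAGEMENT_HOSTS = {"10.0.0.50"}   # constructed allow-list of admin workstations

def unknown_ssh_logins(conn, now, days=182):
    """Report: SSH management attempts from addresses not on the allow-list."""
    since = (now - timedelta(days=days)).strftime("%Y-%m-%d %H:%M:%S")
    rows = conn.execute("SELECT text FROM events WHERE msg_id = '605004' AND ts >= ? AND text LIKE '%/ssh for user%'",
                        (since,)).fetchall()
    ips = [re.search(r"from (\d+\.\d+\.\d+\.\d+)/", t).group(1) for (t,) in rows]
    return [ip for ip in ips if ip not in MANAGEMENT_HOSTS]

def severity_count(conn, now, severity=2, days=7):
    """Report: messages of a given severity in the last `days` days."""
    since = (now - timedelta(days=days)).strftime("%Y-%m-%d %H:%M:%S")
    return conn.execute("SELECT COUNT(*) FROM events WHERE severity = ? AND ts >= ?", (severity, since)).fetchone()[0]

def run(lines=SAMPLE_LOG, now=datetime(2009, 6, 17)):
    events = [e for e in map(parse_line, lines) if e]
    alerter = Alerter(RULES)
    alerts = [a for a in map(alerter.feed, events) if a]
    conn = load_events(events)
    return alerts, unknown_ssh_logins(conn, now), severity_count(conn, now)
```

Calling run() on the constructed input yields three alerts (the two denied SSH logins and a single "excessive ACL denies" alert raised on the 20th drop, the remaining five being suppressed by the cooldown), reports 203.0.113.9 as the one unknown SSH source in the last six months, and counts one severity 2 message in the past week. In a real collector the parse step would tail the syslog file rather than read a list, the "now" would be the clock, and the alert string would go to email or SMS; the threshold and cooldown are what keep that channel from becoming the noise the article warns about.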

Premier has developed software that addresses these challenges and builds on the traditional syslog approach. We import syslog messages written to file into a SQL database in real time. We are then able to run queries and reports against the database, which can be exported to Word, PDF, Excel, or other document formats. We have also identified a set of important IDs and designed a fully customizable interface that allows an administrator to set the criticality and alert structure for each ID. Other features include, but are not limited to, daily, weekly, and monthly standardized reports; a dashboard interface; network device up/down status; and RSS feeds.

This combination of features allows a firm's security team to react quickly to reported issues, maintain trend and incident information for outside auditors, and adapt the system as threats change and new technology is introduced.


Copyright © 2002- Premier Technology Solutions. All other trademarks property of their respective owners.