Secospace elog. Secospace elog

Transcription

1 Secospace elog

2 Product Overview With the development of networks, security events continually occur on hosts, databases, and Web servers. These range from Trojans, worms, and SQL injections, to Web page or data tampering by staff. How can we detect these events? How can we investigate them and collect evidence? The information age has arrived. As the information technology strengthens, application systems (service systems, operating systems, databases, and Web servers), security devices (firewalls, UTM, IPS, IDS, VPN, DPI, and AV), and network devices (routers, switches, and access devices) expand. A comprehensive and unified log management system is essential to manage the logs of all devices ranging across the network, system, and application layers. Based on current ICT trends, customer surveys, and problem collection and analysis, Huawei Symantec Technologies Co., Ltd. (hereinafter referred to as Huawei Symantec) has launched its high performance security auditing system. The Secospace elog is an intelligent log management and security auditing system providing excellent performance, reliability, security, and scalability. Its functions include: log collection, analysis, association, auditing, alarms, storage, queries, and reports. It is applicable to the security devices, network devices, operating systems, databases, and Web servers of Huawei, Huawei Symantec and other major vendors, including Cisco, Juniper, and Checkpoint. Product Features Unified log management for various devices Huawei & Huawei Symantec security devices (firewalls, UTM, IPS, IDS, VPN, and DPI), BRAS devices, routers, and switches Security devices, routers, and switches of major vendors, for example, Cisco, Juniper, and Checkpoint Operating systems (Windows, Linux, and Unix), databases (SQL Server, Oracle, DB2, Sybase, and Informix), and Web servers (IIS and Apache) Intelligent auditing technologies, which ensures the security for application systems Users can monitor security events by delivering auditing policies based on auditing templates for abnormal behaviors and risky operations. The system delivers association audit policies to a group of devices for associating all operations during user logins and logouts into a session. These are monitored and replayed to implement effective behavior audits. Effective user behavior monitoring, which helps identify intranet user behaviors and intrusions and attacks by extranet users Through off-line deployment for monitoring devices, the Secospace elog restores and audits for HTTP, FTP, Telnet, and database operations in real time. By interworking with Huawei Symantec UTM devices, the Secospace elog monitors applications such as AV software, blocking services, URL audits, audits, instant messages, stocks, games, and P2P. It effectively tracks the behaviors of network users, and monitors the behaviors of intranet users. Precise NAT log management, which meets the requirements of judicial or other auditing departments The Secospace elog provides NAT log management for firewalls, BRAS devices, and routers to help users with precise NAT tracking. This complies with laws and regulations and provides evidence for investigations by judicial or other

3 auditing departments. Customer-oriented and robust customization development, which supports high scalability and protects customer investment Based on customers' service characteristics and requirements, the Secospace elog provides is rapidly customizable to meet the functions required by customers or to support new device and log types. It analyzes the logs of new devices through online upgrades and provides a Web service interface (of NAT logs) for calling third-party programs. Precise log analysis showing device running status The Secospace elog provides the following log types: attack prevention, traffic monitoring, blacklisting, address binding, operation commands, firewall logins, packet filtering, and content filtering. It provides the following alarm types: firewall timeout, attack prevention, interface status and abnormal traffic, log levels, and keywords. These features reveal network threats. Robust statistical analysis and multidimensional reports, which complies with laws and regulations Through precise log analysis and statistics, the Secospace elog provides abundant reports from multiple dimensions such as the time, log type, flow, security feature, user, and legal compliance. This helps users obtain network flow information and attacks, understand network status, and manage logs for security and network devices. The solution outputs a series of legally compliant audit reports. Real-time and diversified alarm responses and excellent alarm management, which allow administrators to identify threats properly The Secospace elog provides , short message, audio, visual, and sound alarms. It timely detects the events that comply with alarm policies, promptly generates alarms, and generates alarm events. The administrator can monitor and query alarms online and precisely identify threats. Diversified log collection modes, which do not affect service systems The Secospace elog collects logs in Syslog, SNMP Trap, OPSec, FTP/SFTP, WMI, and JDBC modes. It uses proactive acquisition to collect logs for operating systems, databases, and servers without needing an agent program. User-friendly log query methods, which save time and improves work efficiency The Secospace elog provides online query and task query. Online query can instantly switch to task query. Complete security measures, which safeguard the system The Secospace elog secures and verifies log data to ensure log accuracy and integrity. Through role-based access control, it adopts the principle of power separation and HTTPS to ensure permission, access, and data transmission security. Meeting carrier-class reliability requirements Log collectors that adopt passive collection modes are configured in N to 1 backup mode. Switchover is supported in case a log collector fails, which prevents log losses. The Secospace elog provides a buffer mechanism to avoid data loss due to a short-term network failure. It records failures or abnormal status changes automatically. The system restarts automatically after a failure to ensure that normal operations are maintained. The solution also provides log backup and recovery. High log processing performance, which meets high-speed data flow requirements Up to EPS flow logs can be processed on average, peaking at EPS. Up to 8000 EPS text logs can be processed on average with a peak of 9500 EPS. Processing performance can be improved by adding a log collector.

4 Massive log storage capability, which meets log storage requirements The Secospace elog can connect to external disk arrays or cascading disk arrays to support massive log storage through mature storage solutions. Flexible deployment, which does not affect the existing network The Secospace elog provides centralized and distributed deployment and supports flexible deployment based on network architecture and customer requirements. Product Specifications The Secospace elog consists of log servers, log collectors, consoles, and probes. Firewall UTM Operating Systems IDS IPS VPN Router/BRAS Switch Databases Web server FTP/Telnet/HTTP probe Log Server console Component Description Log server Log collector Probe Console Audits event management, alarm management, report management, user management, and system management. Supported operating systems include Windows Server 2003 R2 Standard Edition SP2 and Windows XP Professional SP2. Performs log collection, classification, filtering, merging, alarms, and flow statistics. Supported operating systems include Windows Server 2003 R2 Standard Edition SP2 and Windows XP Professional SP2. Through network flow mirroring, the probe restores HTTP, FTP, and Telnet operations, and restores, monitors, and audits Oracle, Sybase, MS SQL Server, DB2, and Informix databases operations based on HTTP, FTP, and Telnet. The console accesses the Secospace elog through Microsoft Internet Explorer (6.x or above). The supported operating system is Windows XP Professional SP2.

5 Typical Deployment The Secospace elog is designed with distributed architecture and supports centralized and distributed deployment. Through flexible deployment, the Secospace elog meets customers' deployment requirements in different network environments. Centralized Deployment Distributed Deployment Probe Data Center Data Center Console Log Server Probe probe Console Log Server Centralized deployment Centralized deployment applies when managed devices are centralized and the network environment is simple. The centralized deployment of log servers, log collectors, and probes meets the log management and audit requirements of security devices, network devices, hosts, and databases. Distributed deployment Distributed deployment applies when managed devices are dispersed and the network environment is complex. Log collectors and probes are deployed in the dispersed device subnets that require log collection. The log collectors collect the processed logs to the log server for unified analysis and management.

6 Secospace elog The information contained in this document is for reference purpose only, do not constitute the warranty of any kind, experss or implied. It is subject to change or withdrawal according to specific customer requirements and conditions. All the trademarks, pictures, and brands mentioned in this document are the property of Huawei Symantec Technologies Co., Ltd or their respective holders. Copyright 2010 Huawei Symantec Technologies Co., Ltd. All rights reserved. Version No.: M V-1.0