Log Audit Ensuring Behavior Compliance Secoway elog System

Transcription

1 As organizations strengthen informatization construction, their application systems (service systems, operating systems, databases, and Web servers), security devices (firewalls and the UTM, IPS, IDS, VPN, DPI, and AV devices), and network devices (routers, switches, and access devices) expand continuously. It is urgent to set up a comprehensive and unified log management system for managing all logs covering the network layer, system layer, and application layer. Security incidents appear one after another on hosts, databases, and Web servers, such as backdoor Trojan horses, SQL injections, Web tampering, and internal data tampering. How to detect and tackle the security incidents? How to investigate the incidents and collect evidence? To help organizations address these concerns, Huawei Technologies Co., Ltd. (Huawei for short) launches a comprehensive log management and security audit system, namely, Secoway elog. Footmark Record Session Log Management The elog system collects, parses, and stores session logs (NAT logs) generated by firewalls, routers, and switches. It accurately traces the NAT process to provide evidence for investigation. Behavior Exposure Network Behavior Audit and Management The Secoway elog system collects live statistics and displays reports on various traffic such as basic traffic, application-specific traffic, interface-specific traffic, and P2P traffic. The Secoway elog system provides reports also on UTM features such as IPS, mail filtering, AV, URL filtering, and IM monitoring and blocking. User Behavior Audit and Management The Secoway elog system analyzes the bypass probe device on application-layer protocols such as FTP, Telnet, and HTTP. According to analysis results, the Secoway elog system monitors high-risk operations and alerts administrators to take immediate actions against suspicious behaviors. The Secoway elog system audits operations for the DB2, Oracle, Informix, Sybase, and SQL server databases to provide visibility into current database operations and ensure data security. Centralized Management Unified Log Management Platform The Secoway elog system logs the following devices: Huawei s security devices, routers, switches, and BRAS devices. Other vendors security and network devices. Hosts, databases, and Web servers. Standard syslog devices. The Secoway elog system collects, categorizes, and stores all logs in a reliable and large-capacity disk array. HUAWEI TECHNOLOGIES CO., LTD.

2 Intelligent Security User-centric Alarm Management The administrator can configure alarm policies if desired. The Secoway elog system automatically informs the administrator in different ways when an event matches alarm policies. The administrator can learn live alarm statistics on the entire network or a specific device to gain visibility into the network security posture. Flexible Network Deployment Its distributed architecture allows the Secoway elog system to smoothly upgraded from the centralized mode to the distributed mode without affecting the current network structure. High Security and Reliability The Secoway elog system has the following reliability features: Supports HTTPS access to ensure data security. Uses the buffer mechanism to avoid data loss in the case of network failures. Provides highly reliable storage and management of massive logs, covering log compression, log backup to tape drives, and quick disaster recovery. Application Scenarios Collecting Evidence NAT/PAT Tracing Enterprise, Hotel, Home, Public Place NAT Secoway elog Binary log Eudemon BRAS NE40/80 Gateway Due to limited IP, for most enterprises, the gateway is used to perform NAT or PAT. Security events often occur on the internal or external network through the gateway. Thus, evidence can be colleted by recording NAT or PAT information.

3 Behavior Control Virus intrusion and spreading External intrusion attacks Secoway elog log Eudemon Enterprise DB FTP, Telnet, and HTTP access FTP/TeInet Probe log IM software such as MSN, Yahoo File sharing such as the , FTP P2P software that are used to watch films or surfing online, play games, or visit entertainment sites The Eudemon logs the virus and attack events and attempts to visit prohibited Web sites or use prohibited applications such as P2P. The elog system can collect the loge, alert the administrators, and provide reports. The bypass probe device can analyze the mirrored traffic and log the operations made to databases, operating systems, or other resources through FTP, Telnet, and HTTP. The elog system collects the logs and can intuitively display the statistics. Global Log Management External network Secoway elog Iog Firewall and UTM Enterprise Lack of the unified log management center Little knowledge of attack defense status Difficulty in assessing the effects of security devices Web server OS Database Switch Router VPN BRAS IDS and IPS DPI Massive logs are not analyzed High-speed and massive flow logs cannot be managed Limited types of reports Through customization-based development, the logs of all devices, databases, servers, and hosts are analyzed and managed for data protection. Logs are audited based on the preset security policies and alarm policies. Law compliance requirements such as Ministry of Public Security Decree No. 82 and SOX are met.

4 Product Specifications Feature Function Description Log management Audit event management Log audit Behavior log analysis Firewall log analysis Firewall UTM analysis Log collection Log categorization and storage Log search Policy association Session association Regulatory compliance report Log search and analysis Log analysis Traffic report Log report IPS The Secoway elog system can collect logs in a complex network environment such as dual-system hot backup of the Eudemon firewalls. It collects the logs of various devices in syslog, SNMP trap, OPSEC, FTP/SFTP, WMI, and JDBC modes without using any agents. The Secoway elog system: Categorizes logs by content. Logs can also be divided into online logs, dump logs, and backup logs by storage time. Encrypts and performs integrity check on log files. The Secoway elog system: Provides device-specific search conditions and displays the results. Supports background search. Search conditions can be saved in a template for future use. Exports search results into.txt,.cvs, or.xls files to facilitate distribution and offline viewing. The Secoway elog system supports user-defined audit policies and alarm methods. The Secoway elog system associates user operations. Specifically, it associates the operations performed between the logins and logouts of a user as a session. The Secoway elog system provides diversified reports on user access, user logins and logouts, login failures, administrative operations, password change and expiration, audit policy change, and directory access. The Secoway elog system supports the ability to search for logs by protocol, time range, source IP address segment, destination IP address segment, user name, operation type, operation object, or keyword, and generates search reports. Firewall logs can be searched for by time range, log level, log type, or keyword. The Secoway elog system provides the refined search for various logs such as NAT logs. The Secoway elog system can generate reports on the following traffic: Live traffic Basic traffic Application-specific traffic Interface-specific traffic P2P traffic P2P CLASS traffic P2P user traffic rankings The Secoway elog system can generate the following log reports: Log trend Attack defense Packet filtering ACL triggering rule rankings Packet filtering protocol rankings Content filtering destination IP address rankings Content filtering source IP address rankings The Secoway elog system can generate the following IPS reports: Attack behavior rankings Attack event rankings Attack event trends and attack event rankings You can search for intrusion prevention details by device, time, alarm level, protocol, operation, source IP address, or keyword.

5 Feature Function Description SIG log analysis Alarm management System management Mail filtering IM monitoring AV URL filtering Real-time monitoring of resource usage SIG log analysis Alarm responding and monitoring Alarm search Alarm report Device management User right management Syslog System information monitoring The Secoway elog system can generate the following mail filtering reports: Rankings of source IP addresses that send most s quantity trends You can search for audit logs by device, time, filtering type, protocol, destination IP address, source IP address, or keyword. The Secoway elog system can generate reports and logs on the use of the IM software. The Secoway elog system can generate the following AV reports: Ranking of the most frequently detected viruses Ranking of the most infected file types Anti-virus breakdowns Reports showing users who have sent files infected with viruses Reports showing virus distribution periods The Secoway elog system can generate the following URL filtering reports: Rankings of the source IP addresses that send most Web site requests Rankings of the most frequently visited sites Rankings of the most frequently visited Web URLs Web visit quantity trends You can monitor the current CPU, memory, and disk space usage of the SIG back-end servers. You can view the logs of the SIG resource usage and the following reports on the SIG back-end server: CPU usage reports Memory usage reports Disk usage reports The Secoway elog system can alert administrators by , text message (a GSM modem is required), sound and light (an alarm box is required), sound (an audible box is required), or related programs. You can use the console to monitor current alarms by device, alarm level, or alarm type. You can search for alarms by device, time range, alarm level, alarm type, or keyword. The search results are available in.txt,.cvs, or.xls files. You can view the following alarm analysis reports: Alarm quantity trend analysis Device alarm quantity rankings The Secoway elog system manages up to 1000 devices and supports device import and export in batches. The Secoway elog system defines three roles, namely, administrator, operator, and auditor. The administrators can define operators and allocate them the rights of managing different devices. The Secoway elog system automatically records device failures and major status changes, so that the administrator can learn about the operating status of each device. The administrator can: View the license status. View current information on the key resources (CPU, memory, disk space, and current log amount). Monitor all user sessions and log users off.

6 Copyright Huawei Technologies Co., Ltd All rights reserved. General Disclaimer The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice. HUAWEI TECHNOLOGIES CO., LTD. Huawei Industrial Base Bantian Longgang Shenzhen , P.R. China Tel: Version No.: M C-1.0