NetDetector. IBM/Tivoli Risk Manager Integration. Product Overview. w w w. n i k s u n. c o m

Transcription

1 NetDetector TM IBM/Tivoli Risk Manager Integration Product Overview w w w. n i k s u n. c o m

2 Copyrights and Trademarks NIKSUN, NetVCR, NetDetector, NetX, NetVCR Xperts, NetReporter, and NSS are either registered trademarks or trademarks of NIKSUN, Inc. in the United States and/or other countries. Tivoli, Tivoli Enterprise, Tivoli Enterprise Console, and TME are trademarks or registered trademarks of International Business Machines Corporation or Tivoli Systems Inc. Ethernet is a trademark of Xerox Corp. Netscape Communicator is a trademark of Netscape Communications Corporation. Internet Explorer is a trademark of Microsoft Corporation. Other product and company names mentioned herein may be the trademarks of their respective owners. This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, The Regents of the University of California. All rights reserved. This product includes libpcap and tcpdump software that is copyrighted by the Regents of the University of California. Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that: (1) source code distributions retain the above copyright notice and this paragraph in its entirety, (2) distributions including binary code include the above copyright notice and this paragraph in its entirety in the documentation or other materials provided with the distribution, and (3) all advertising materials mentioning features or use of this software display the following acknowledgement: ``This product includes software developed by the University of California, Lawrence Berkeley Laboratory and its contributors.'' Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Copyright 2003 NIKSUN, Inc. This publication is protected by International Copyright Law. No part of this publication may be reproduced, stored in a retrieval system, translated, transcribed, or transmitted in any form, or by any means manual, electric, electronic, electromagnetic, mechanical, chemical, optical, or otherwise, without prior written permission from NIKSUN, Inc. NIKSUN makes no warranty of any kind with respect to this material and disclaims any implied warranty of merchantability or fitness for a particular purpose. NIKSUN, Inc Cornwall Road Monmouth Junction, NJ USA Telephone: (732) Fax: (732) Customer Support: (888) info@NIKSUN.com NIKSUN, Inc., 1100 Cornwall Road, Monmouth Junction, NJ 08852, USA ii

3 NetDetector 2.0 and IBM/Tivoli Risk Manager Integration Overview NetDetector 2.0 is certified Tivoli Ready for IBM/Tivoli Risk Manager. This certification assures quality level of integration has been achieved that is of mutual benefit and added value for users of both products. This document provides an overview of the products and the integration, as well as the business value it provides. NetDetector Overview NetDetector is an advanced network intrusion forensics monitor for IP networks. It continuously and non-intrusively records network traffic on LAN or WAN interfaces, analyzes packets and flows to detect certain network anomalies in near real-time, and collects information to enable a complete post-event analysis. The analysis features include comprehensive easy-to-use web-based Traffic Analysis screens, which allow users to visualize and easily drill down into specific time intervals, IP addresses, and applications. NetDetector also offers powerful TCP Analysis and Reconstruction screens, enabling administrators to search and recreate http, , ftp, telnet, and other TCP-based applications. A host of reporting and data manipulation options are also available, in addition to integrated signature detection provided by Snort, to round out the complete solution. IBM/Tivoli Risk Manager Overview IBM/Tivoli Risk Manager is a real-time security management system for the aggregation and correlation of security events from heterogeneous devices (e.g., firewalls, intrusion detection systems, and anti-virus applications) distributed throughout a network. It is built upon the platform provided by the Tivoli Management Framework (TMF) and utilizes the Tivoli Enterprise Console (TEC) as a centralized security console. The TMF communications framework allows Risk Manager to provide functions that receive alerts from a variety of included and third-party sensor applications. Received alerts are then displayed on the TEC console, and can be automatically processed through aggregation and correlation algorithms. Integration Overview The anomaly detection capabilities of NetDetector, which serve as the launch-point of the integration, comprise 6 basic types: Utilization anomalies, Port scans, Host scans, Host floods, excessive Host Pair Bytes, and Invalid Addresses. For each of these types, the user defines the notion of "anomaly" by specifying thresholds, time intervals, and traffic filters. One or more NIKSUN, Inc., 1100 Cornwall Road, Monmouth Junction, NJ 08852, USA 1

4 NetDetector 2.0 and IBM/Tivoli Risk Manager Integration alerting options can also be selected, including on-screen pop-ups, , and SNMP traps. The Risk Manager integration effectively provides an additional alerting option. To implement the integration, a new sensor type for NetDetector was created and the 6 classes of NetDetector anomalies were mapped into the Risk Manager event class hierarchy. Furthermore, NetDetector s alerting mechanism was augmented to forward alerts to a TEC server. NetDetector units that are loaded with the Risk Manager Integration package can forward events to a TEC/RM server where the defined classes have been imported into the rule base. The NetDetector events will then appear on the TEC console with alerts from other endpoint devices that send event data to the TEC/RM server. Figure 1 shows a sample screen shot of a TEC console showing NetDetector events. Figure 1: TEC Console showing NetDetector events. Benefit and Value Both NetDetector and Risk Manager benefit from the integrated solution, and this ultimately translates into added value for the user. NetDetector benefits from the aggregation and correlation features of Tivoli Risk Manager. Anomaly detection is recognized as a necessary complement to signature detection, and it has the advantage of being able to detect new attacks and being less prone to evasion. However, anomaly detection is also more susceptible to false positives. The aggregation and correlation provided by Risk Manager can be beneficial for identifying and mitigating any false positives that arise from the anomaly detection in NetDetector. IBM Tivoli Risk Manager benefits from the detailed forensics enabled by NetDetector. The centralized management of security events from throughout the network is essential to providing an enterprise-wide, 10,000 foot view of the security state. However, when it comes time to do a NIKSUN, Inc., 1100 Cornwall Road, Monmouth Junction, NJ 08852, USA 2

5 NetDetector 2.0 and IBM/Tivoli Risk Manager Integration detailed analysis of specific events, the native abilities of the centralized manager and third party products is limited. NetDetector provides web-enabled, URL-addressable detailed analysis for its own events, and filtering capabilities for analyzing events from other 3 rd party sensors. The event data that is forwarded from NetDetector to Risk Manager includes a URL for logging back into the NetDetector unit for further analysis (see Figure 2). Also, key attributes such as source and destination IP addresses can be copied from 3 rd party alerts and used to drill down into NetDetector for further analysis. Figure 2: The event attribute details for a NetDetector alert, highlighting the URL. Clearly, the integrated solution provides the end-user with value-added insight into all levels of security event data, from the top enterprise-wide view down to the bottom packet level view. Conclusion Defense-in-depth network security demands the deployment of multiple layers of security devices throughout the enterprise. Managing the event data from such disparate sources is no easy task. The IBM Tivoli Risk Manager is a robust solution that provides an enterprise-wide view of the security infrastructure, with aggregation and correlation functions for the effective management of event data. NetDetector, in addition to being yet another source of event data, provides detailed network forensic data for analyzing its own or 3 rd party events that appear at the TEC console. The integration of NetDetector and IBM Tivoli Risk Manager in effect gives administrators a view of the forest and the trees by providing a mutually beneficial solution point that is well positioned to become an essential tool in the total management of security events. NIKSUN, Inc., 1100 Cornwall Road, Monmouth Junction, NJ 08852, USA 3

6 About NIKSUN NIKSUN is a recognized worldwide leader in developing and deploying a complete range of network performance monitoring, security surveillance and forensic analysis tools serving a wide range of protocols and interfaces, ranging from Ethernet and Gigabit Ethernet to OC-12. Our products are the only network appliances that continuously capture and analyze LAN, MAN and WAN traffic at Gigabit rates in a single platform. NIKSUN's product line delivers unprecedented flexibility, scalability and real-time response. The company's patent-pending real-time data analysis and recording technology enables Enterprises, Governments, ASPs, ISPs and Carriers to provide secure and reliable network infrastructures and services. NIKSUN is headquartered in New Jersey, USA and has sales offices in major cities throughout the U.S., Europe and Asia Pacific. In addition, NIKSUN has developed partnerships with industry leading network solution providers worldwide. NIKSUN is headquartered in New Jersey USA NIKSUN, Inc Cornwall Road Monmouth Junction NJ Phone: Fax: info@niksun.com w w w. n i k s u n. c o m