Reporting and Incident Management for Firewalls




The keys to unlocking your firewall's secrets
White Paper, November 8, 2001

Contents
The Role Of The Firewall In Network Security ... 2
Firewall Activity Reporting and Analysis ... 3
Real Time Monitoring and Automated Event Response for Enterprise Firewalls ... 3
Making the Most of Your Firewall Investment ... 5

This paper will provide an understanding of how to maximize the effectiveness of enterprise firewalls. The paper begins with a discussion of what a firewall is and its role in securing e-commerce infrastructures. We then review the capabilities commonly found within most software firewalls. Critical functionality is then explored in terms of its value and benefits. Specifically, the practical use of firewall reporting is detailed along with the importance of real-time monitoring, event notification and automated response to close the loop on suspicious firewall activity. The combination of these technologies ensures comprehensive firewall effectiveness.

Legal Notice NetIQ Corporation provides this document as is without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you. This document and the software described in this document are furnished under a license agreement or a non-disclosure agreement and may be used only in accordance with the terms of the agreement. This document may not be lent, sold, or given away without the written permission of NetIQ Corporation. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Companies, names, and data used in this document are fictitious unless otherwise noted. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of the document. NetIQ Corporation may make improvements in and/or changes to the products described in this document at any time. 1995-2001 NetIQ Corporation, all rights reserved. U.S. Government Restricted Rights: Use, duplication, or disclosure by the Government is subject to the restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause of the DFARs 252.227-7013 and FAR 52.227-29(c) and any successor rules or regulations. 
AppManager, the AppManager logo, Knowledge Scripts, Work Smarter, NetIQ Partner Network, the NetIQ Partner Network logo, Chariot, Pegasus, Qcheck, ADcheck, NetIQ Security Manager, NetIQ File and Storage Administrator, OnePoint, the OnePoint logo, OnePoint Directory Administrator, OnePoint Resource Administrator, OnePoint Exchange Administrator, OnePoint Domain Migration Administrator, OnePoint Operations Manager, OnePoint File Administrator, OnePoint Event Manager, Enterprise Administrator, Knowledge Pack, ActiveKnowledge, ActiveAgent, ActiveEngine, Mission Critical Software, the Mission Critical Software logo, Ganymede, Ganymede Software, the Ganymede logo, NetIQ, and the NetIQ logo are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States and other jurisdictions. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies. Firewall Reporting and Incident Management 1

The Role Of The Firewall In Network Security

Put simply, the firewall is a gateway between two networks. Typically, this gateway is implemented between a trusted network (your own corporate network) and the Internet. The firewall's job is to ensure that all traffic moving from one network to the other conforms to your organization's security policies. In other words, the firewall inspects all incoming and outgoing communications and decides whether to allow the data to pass through, or whether to reject or log the information. Where VPN technology is present, this decision extends to whether the communication should be encrypted. For the purposes of this paper we will focus on the firewall and firewall management technologies. Virtual Private Networking (VPN) and VPN management is primarily an extension of firewall technology to include the encryption/decryption of particular traffic at the firewall.

Common functionality found in firewall products

The firewall itself comes with capabilities for building the rules of allowable communications between networks. Basic functionality includes:

- Policy or configuration editors: building and enforcing policies regarding the communication types, destinations and sources. For example, a firewall can be configured to prevent traffic from a specific source.
- Packet filtering: IP packet filters are static, and communication through a specific port is always either allowed or blocked. Allow filters pass all traffic through at the specified port; block filters always prevent the packets from passing through.
- Out-of-the-box support for common protocols such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Internet Relay Chat (IRC), H.323, and Transparent HTTP. The firewall can also be configured to support additional protocols by designating the protocol type and port to be used.
- Application layer filters, which analyze data streams to or from a specific application. This mechanism is used to protect against known exploits such as unsafe SMTP commands or attacks against internal Domain Name System (DNS) servers.
- Logging events to a designated log file. Advanced firewalls can log events to a remote location, providing some level of consolidation of firewall events.
- Log file viewer: a simple application for viewing events in the log file. The more advanced log viewers are color coded to designate severity.

In summary, the point of this functionality is to allow the user to define the rules of engagement between their network and the outside world. The firewall is the omnipotent Internet gatekeeper for your organization. It knows all and could control all (at least as far as Internet traffic is concerned). However, IT organizations rarely extract the true value of their firewalls. For a variety of reasons the potential for enhancing the security of the enterprise goes unrealized. The truth is that most firewalls are actually misconfigured. "According to ICSA, 70% of sites with certified commercial firewalls are still vulnerable to attacks due to misconfiguration or improper deployment." (January 1999)

Good firewall administrators know that their firewall is keeping valuable secrets. More importantly, they know how to discover those secrets and use that information to better protect their enterprise. The following paragraphs will detail two complementary technologies that help these administrators maximize the organization's return on its firewall investment.

Firewall Activity Reporting and Analysis

Firewall log files represent a rarely-mined IT gem. These logs contain information on how effectively the firewall is performing, as well as a record of all incoming and outgoing activity that occurs. This valuable information can help companies optimize their networks, prevent security breaches, and manage employee Internet usage policies. More specifically, Firewall Reporting products from NetIQ add value to your firewall by allowing administrators to mine critically important security data on a daily basis. The reports generated by the products help IT groups:

- Take control of bandwidth usage by analyzing and reporting on user and department consumption
- Track and automatically categorize inappropriate Internet usage to address potential legal exposure
- Identify the timing of bandwidth spikes in order to understand peak traffic loads and possible bandwidth drivers
- Identify bandwidth hogs: which users or applications are taking up bandwidth
- Summarize, organize and analyze firewall errors
- Break down protocol usage
- Effectively manage limited budget dollars
- Accurately predict and justify bandwidth needs through trend analysis

Real Time Monitoring and Automated Event Response for Enterprise Firewalls

While it's important to be able to analyze historical firewall activity, reporting alone cannot help you stop a security breach in progress. However, real-time detection of suspicious activity along with automated response actions, such as that provided in Security Manager, can stop a hacker in his tracks. After extensive research and customer-driven development, NetIQ has released its first integration module for Firewall Incident Management. This first module, for Check Point FireWall-1, represents a significant step in ensuring 360-degree effective perimeter security.

Security Manager for Check Point FireWall-1 helps firewall administrators get above the noise created by thousands of firewall events to pinpoint and alert on selected or noteworthy events and activity. The following list details the most important benefits of Security Manager for Check Point FireWall-1.

Consolidates FireWall-1 log file information
Check Point FireWall-1 management servers maintain log files for a suggested 20 to 50 enforcement points. In large organizations, there is a need to consolidate and protect all log information in a single data store to meet company and industry mandated audit requirements.

Detects Misconfigurations
Misconfiguration of your firewall can result in your network being vulnerable to attack. With the vast number of configuration settings, errors can easily creep into your system. Configuration errors can become even more prevalent when multiple administrators make changes to the firewall settings. The Security Manager for Check Point FireWall-1 module compares the firewall configuration file with identified security policies. This helps to ensure that the firewall configuration policy is maintained. If the firewall is out of compliance, you receive an alert so that you can fix the problem.

Backs Up Configuration Settings
If your management server and firewall computers ever go down, it is important to be able to restore them as quickly as possible. Having a routine backup process ensures that you always have an up-to-date backup available to restore your system to its original state. The Security Manager for Check Point FireWall-1 module allows you to automate the backup process. After you specify the backup schedule and content, as well as the location of the backup file, this integration module automatically performs the scheduled backups.

Identifies External Attacks
One way to protect your network from external attacks is to watch for malformed packets or unusual port scanning activity. If you receive a large number of port scans from the same host, it is likely that a malicious user is targeting your network. In response to such events, the Security Manager for Check Point FireWall-1 module can alert you to the suspicious activity. You can configure an automated notification to be sent to the members of a specific notification group to respond to the attack.

Provides Single Point of Monitoring
In today's large network environments, using multiple applications to monitor network activity can slow down the IT team and prolong problem resolution. Speedy identification of firewall issues can ensure that perimeter security is maintained. The Security Manager for Check Point FireWall-1 module gathers all firewall-related events, alerts, and other activities into one central location. This allows you to avoid sifting through numerous event logs to identify when attacks are underway, or when configurations are out of date. Additionally, to help maintain the integrity of this information, it is stored in a secure central repository.

Provides Automated Responses
The Security Manager for Check Point FireWall-1 module can provide automated responses to detected threats. Some rules contain automated scripts to run in response to identified external attacks. For example, if the firewall cannot start up properly due to network problems, an email notification can be sent or an administrator can be paged to take care of the problem.
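The reports listed under Firewall Activity Reporting (bandwidth per source, protocol breakdown, timing of bandwidth spikes, firewall errors) and the port-scan heuristic described under Identifies External Attacks (many distinct ports probed from one host) share a log parser, so both are shown in one added Python example; this is not NetIQ's or Security Manager's code. The key=value log layout and the field names (src, dst, proto, dport, bytes, msg) are assumptions constructed for the example, not the FireWall-1 export format.

```python
import shlex
from collections import Counter, defaultdict
# Constructed sample log for this example; not the real FireWall-1 export format.
SAMPLE_LOG = """\
09:00:01 accept src=10.1.1.5 dst=203.0.113.7 proto=http dport=80 bytes=5200
09:00:04 drop src=198.51.100.23 dst=10.1.1.1 proto=tcp dport=21 bytes=60
09:00:04 drop src=198.51.100.23 dst=10.1.1.1 proto=tcp dport=22 bytes=60
09:00:05 drop src=198.51.100.23 dst=10.1.1.1 proto=tcp dport=23 bytes=60
09:00:05 drop src=198.51.100.23 dst=10.1.1.1 proto=tcp dport=25 bytes=60
09:00:06 drop src=198.51.100.23 dst=10.1.1.1 proto=tcp dport=80 bytes=60
09:01:03 accept src=10.1.1.9 dst=203.0.113.8 proto=ftp dport=21 bytes=81000
09:01:10 drop src=198.51.100.40 dst=10.1.1.1 proto=tcp dport=80 bytes=60
09:01:11 error msg="log export failed"
"""

def parse_log(text):
    """Turn each line into a dict: time, action, then any key=value fields."""
    records = []
    for line in text.splitlines():
        tokens = shlex.split(line)  # honours quoted values such as msg="..."
        if len(tokens) < 2:
            continue
        rec = {"time": tokens[0], "action": tokens[1]}
        for tok in tokens[2:]:
            key, _, value = tok.partition("=")
            rec[key] = int(value) if key in ("dport", "bytes") else value
        records.append(rec)
    return records

def bandwidth_by_source(records):
    """Accepted bytes per source address: the 'bandwidth hog' report."""
    totals = Counter()
    for r in records:
        if r["action"] == "accept":
            totals[r["src"]] += r["bytes"]
    return dict(totals)

def protocol_breakdown(records):
    """Accepted connections per protocol."""
    return dict(Counter(r["proto"] for r in records if r["action"] == "accept"))

def peak_minute(records):
    """Minute (HH:MM) carrying the most accepted bytes: timing of bandwidth spikes."""
    per_minute = Counter()
    for r in records:
        if r["action"] == "accept":
            per_minute[r["time"][:5]] += r["bytes"]
    return max(per_minute, key=per_minute.get) if per_minute else None

def firewall_errors(records):
    """Messages from firewall error records, for the error summary."""
    return [r.get("msg", "") for r in records if r["action"] == "error"]

def port_scanners(records, threshold=5):
    """Sources whose dropped connections hit at least `threshold` distinct ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "drop":
            ports[r["src"]].add(r["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= threshold}
```

In a real deployment the threshold and time window for port_scanners would be tuned to the site's traffic, and an alert would feed the notification group rather than being printed.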

Making the Most of Your Firewall Investment

The table below summarizes the critical functions necessary to make the most of your firewall investment.

Capability                                        | Firewall (base product) | Firewall Reporting Products | Security Manager for Check Point FW-1
--------------------------------------------------|-------------------------|-----------------------------|--------------------------------------
Policy Editor (P.E.) - Packet filtering           | X                       |                             |
P.E. - Application filtering                      | X                       |                             |
P.E. - Protocol support                           | X                       |                             |
P.E. - Firewall event logging                     | X                       |                             |
Log file viewer                                   | X                       |                             |
Reporting on bandwidth usage                      |                         | X                           |
Reporting on categorized employee Internet usage  |                         | X                           |
Reporting on protocol usage                       |                         | X                           |
Identify bandwidth hogs                           |                         | X                           |
Identify timing of bandwidth spikes               |                         | X                           |
Reporting on firewall errors                      |                         | X                           |
Consolidate firewall logs                         |                         |                             | X
Detect firewall misconfigurations                 |                         |                             | X
Backup firewall configuration stds.               |                         |                             | X
Real-time attack identification                   |                         |                             | X
Automated policy based response actions           |                         |                             | X