eIQ networks, Inc.
31 Nagog Park, 3rd Floor
Acton, MA 01720
Web site: http://www.eIQnetworks.com
We spend a great deal of money securing our network perimeters: on firewalls, on IPS/IDS systems and on other appliances that lock our network doors. These devices and systems churn out large amounts of data, i.e. event logs and security events, produced in real time and produced only once; if they are not captured they are lost forever. You have to capture them and you have to manage them, otherwise you lose the ability to access them historically, to perform real-time threat correlation and analysis, to report incidents to management, and so on. All of this has propelled log retention and analysis into the limelight. Log analysis, reporting and monitoring are an inherent part of today's multi-layered IT network security landscape, and their importance cannot be emphasized enough. Logging essentially creates a record of the actions and events that take place on our network residents: application servers, routers, network switches, firewalls, anti-virus, intrusion detection and intrusion prevention appliances, etc.
The usefulness of these IT network security logs is best appreciated through the analogy of road traffic logs for a highway, for example the Trans-Canada Highway. Its traffic logs, which record traffic, environmental and control conditions, help avoid potentially disastrous situations and support capacity planning. Similarly, network security logs can help immensely: event log data from security and network devices gives complete insight into network usage, helps verify security policy compliance, generates alerts for possible security breaches, and supports analysis and reporting on network performance. In effect, network security is an exploratory process governed by clearly defined security policies. It should be accompanied by regular, continuous analysis of device activity and by real-time alerts and notifications of threats to the network and its hosts.
Laws, regulations and compliance requirements around network security mandate log retention and analysis, but admittedly these activities can become, to say the least, a tedious and cumbersome chore. Every resident on the network has a story to tell: every appliance, switch, router and server is constantly writing noteworthy events to its logs! This means we have umpteen log files and volumes of logged data, just like the pieces of a puzzle that have to be put together before a definite and clear pattern emerges.
But there is more to it than compliance: events occurring on the network have to be analyzed, and on that basis internal and external threats have to be identified and prevented before our network falls apart.
Seeing an IT security officer at work reminds us of the local circus juggler. Managing today's networks means he has to juggle many balls, i.e. tasks such as keeping a constant eye on security threats, preventing network abuse, preventing electronic break-ins, managing network requirements, avoiding bandwidth bottlenecks, regularly monitoring Web traffic, ensuring appropriate employee usage of network resources, complying with federally mandated privacy requirements, and so on. That calls for a tool, a solution that can help him mine and distil relevant and useful information from the reams of log files and data presented to him by the various network residents. This pertinent network security information can then be used to act swiftly and decisively. eIQnetworks' Network Security Analyzer [NSA] is one such tool on the market that can help us make sense of the reams of network log data.
NSA can help the IT security officer with security event management across his network, as it supports a large number* of appliances and devices such as routers, switches, firewalls, proxies, etc.
From a security management standpoint, NSA helps us collect, aggregate and correlate event data from a number of residents across the network. Armed with that information we can identify anomalous network activity and security breaches, carry out post-attack investigation and network security forensic analysis, and trace virus activity, all before the network infrastructure crumbles.
NSA possesses many features. In a nutshell, it helps identify attack type, source, destination, port, protocol, severity, etc. We can obtain details on virus activity such as virus source, virus type and virus details. It can help us move towards meeting regulatory compliance requirements such as HIPAA, GLBA and Sarbanes-Oxley. If you need to understand protocol usage by device, user or department; analyze incoming and outgoing traffic and bandwidth patterns; get to grips with bandwidth utilization by department, client and protocol; or analyze and identify web usage by department or individual employee, including inappropriate Internet usage by employees: for all that and more, eIQnetworks' NSA can aid you.
eIQnetworks' NSA provides automated log archiving, which helps with investigative analysis and regulatory compliance while saving disk space [log files are compressed and archived]. We found NSA's browser-based access feature very handy, as it allows report generation from any computer on the local network or remotely.
NSA helps with Content Categorization Analysis, i.e. it generates content categorization reports that help you understand employee web usage patterns and obtain information such as the categories of sites employees are visiting, how frequently, who is visiting prohibited sites, etc.
Under Instant Reports it provides an Executive dashboard, i.e. a bird's-eye view of the activity across your entire network, with the ability to investigate any unusual activity or specific security-related activity of a network resident. Ref. Fig. 1 - Sample Network Security Analyzer Instant Report screen.
With NSA's anti-virus analysis and reporting there is no more finger pointing and blame games: it helps you identify infected files and network infestation, provides details on virus activity levels, and generates anti-virus activity reports that identify the presence of viruses across your entire network landscape.
NSA's real-time monitoring feature allows you to analyze essential system events and monitor your devices. Here too you can select either View All or the Dashboard view. Ref. Fig. 2 - Sample Network Security Analyzer monitoring screen.
You can generate a plethora of reports, and these reports can be mailed out in various formats, namely HTML, PDF, Word and Excel.
NSA addresses many areas of the network, including spam analysis, where you can generate activity reports such as spam source, email address, destination, frequency, etc.
For real-time correlated alerting you have a template-driven alert manager that allows the creation and definition of a number of alerts, reduces false positives, and identifies blended attacks and/or viruses by correlating alerts spanning multiple devices, sources, destinations, ports, etc. What is more beneficial is NSA's ability to deliver alerts on screen, via email or via SNMP.
Correlation analysis is a very important feature of network security analysis. A knitted-together view of the activity of every network resident, as opposed to looking at devices individually, lets organisations see hacker and network break-in patterns, virus activity, etc. network-wide. It reduces incident response time, helps provide just-in-time problem resolutions and fixes, and ultimately IT resources are spent more wisely.
NSA's real-time Event Manager readily displays all requests that resulted in an emergency, the requests that triggered it, where it came from, which device was attacked and the port of attack. Armed with this vital information you can bolster your perimeter network security as well as take remedial action. Clicking on the Event Manager tab shows us the list of event severity descriptions pertaining to our devices and displays the most recent events for each host, colour coded so that they do not escape our attention. Ref. Fig. 3 - Sample Network Security Analyzer Event Manager screen.
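To make concrete what the field extraction (attack source, destination, port, protocol, severity) and the cross-device correlation described above actually involve, here is a small added example written for this review. It is not eIQnetworks' code and makes no claim about how NSA is implemented internally. The sample syslog lines are constructed to follow the Cisco PIX message format (%PIX-severity-messageid: text) for the real message IDs 106023, 106001 and 302013; the device names, addresses and alert thresholds are assumptions chosen for illustration.

```python
"""Parse Cisco PIX-style syslog lines and correlate denies across devices.

Added example for this review, not eIQnetworks' code. Device names, IP
addresses and thresholds below are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed sample feed: (reporting device, raw syslog text). The same
# external source is denied on two different firewalls and on several ports.
SAMPLE_FEED = [
    ("pix-edge-1", '%PIX-4-106023: Deny tcp src outside:203.0.113.5/4321 '
                   'dst inside:10.0.0.7/445 by access-group "outside_in"'),
    ("pix-edge-1", '%PIX-4-106023: Deny tcp src outside:203.0.113.5/4322 '
                   'dst inside:10.0.0.7/139 by access-group "outside_in"'),
    ("pix-edge-2", "%PIX-2-106001: Inbound TCP connection denied from "
                   "203.0.113.5/4400 to 10.0.1.9/3389 flags SYN on interface outside"),
    ("pix-edge-2", "%PIX-6-302013: Built outbound TCP connection 12 for "
                   "outside:198.51.100.20/80 (198.51.100.20/80) to "
                   "inside:10.0.1.9/51234 (10.0.1.9/51234)"),
    ("pix-edge-1", '%PIX-4-106023: Deny udp src outside:192.0.2.77/53 '
                   'dst inside:10.0.0.7/53 by access-group "outside_in"'),
]

# PIX header: severity digit (0 = most severe) and six-digit message id.
# search() rather than match() tolerates a leading syslog timestamp/hostname.
HEADER = re.compile(r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)")
# 106023: ACL deny with interface:address/port for both ends.
ACL_DENY = re.compile(r"Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
                      r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
# 106001: inbound connection denied with bare address/port pairs.
CONN_DENY = re.compile(r"Inbound (?P<proto>\w+) connection denied from "
                       r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)")

SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notice", 6: "info", 7: "debug"}


def parse_pix(device, line):
    """Normalise one PIX line into a dict; action is 'deny' or 'other'.

    Returns None when the line does not carry a PIX header at all.
    """
    m = HEADER.search(line)
    if not m:
        return None
    event = {"device": device, "severity": int(m["sev"]),
             "msg_id": m["msgid"], "action": "other"}
    for pattern in (ACL_DENY, CONN_DENY):
        d = pattern.match(m["body"])
        if d:
            event.update(action="deny", proto=d["proto"].lower(),
                         src=d["src"], sport=int(d["sport"]),
                         dst=d["dst"], dport=int(d["dport"]))
            break
    return event


def correlate_denies(events, min_devices=2, min_ports=2):
    """Group denies by source address and flag sources that either appear on
    several devices or probe several destination ports. A single deny on one
    device never alerts, which is the false-positive reduction the text describes.
    """
    by_src = defaultdict(lambda: {"devices": set(), "dports": set(),
                                  "count": 0, "worst_sev": 7})
    for e in events:
        if e is None or e["action"] != "deny":
            continue
        slot = by_src[e["src"]]
        slot["devices"].add(e["device"])
        slot["dports"].add(e["dport"])
        slot["count"] += 1
        slot["worst_sev"] = min(slot["worst_sev"], e["severity"])  # lower = worse
    alerts = []
    for src, s in sorted(by_src.items()):
        if len(s["devices"]) >= min_devices or len(s["dports"]) >= min_ports:
            alerts.append({"src": src, "devices": sorted(s["devices"]),
                           "dports": sorted(s["dports"]), "count": s["count"],
                           "worst": SEVERITY_NAMES[s["worst_sev"]]})
    return alerts


def format_alert(a):
    """One-line text suitable for an on-screen, email or trap payload."""
    return (f"[{a['worst'].upper()}] {a['src']} denied {a['count']}x on "
            f"{','.join(a['devices'])} ports {','.join(map(str, a['dports']))}")


if __name__ == "__main__":
    parsed = [parse_pix(dev, text) for dev, text in SAMPLE_FEED]
    for alert in correlate_denies(parsed):
        print(format_alert(alert))
```

Run as-is, the script reports only 203.0.113.5, which was denied on both firewalls across three ports, while the lone UDP deny from 192.0.2.77 stays below the threshold. The worst severity across the correlated events (PIX level 2, "critical") is carried into the alert, mirroring the colour-coded severity view the Event Manager offers.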
We put eIQnetworks' Network Security Analyzer [NSA] v4.0.22 through its paces, and for our testing we used Cisco's PIX firewall. eIQ's NSA garnered a full 5 points for installation; it was as easy as 1-2-3, and within minutes we were up and running.
You can install NSA as either a Web site or a virtual directory on IIS, or on the NSA Enterprise Apache server. eIQ's NSA also installs its own Syslog server. On the TCP Ports and UDP Ports screens you define the TCP and UDP ports the Syslog server will listen on for device data. We went straight to the Device Manager screen, which allows us to configure our device, i.e. the Cisco PIX, and the Syslog server; NSA accesses the device logs through its own Syslog server. Next we moved to the License Manager screen to add the Cisco PIX, and then on to the Profile Manager screen to create a new profile called firewall_test_log. A profile is essentially a group of settings, such as the log file to analyze, DNS lookup settings and filter templates, that lets us analyze our PIX logs.
For the created profile we can choose between reporting on devices from NSA's database or optionally migrating log data into the NSA database for report generation; this paradigm, we believe, is a good way to manage and track network activity. We generated an individual report for the Cisco PIX, although NSA also allows you to generate a single combined report for all devices selected in the profile. As we finished our tests we were impressed with NSA's depth and broad coverage in analysis and reporting. Its user and administrative interfaces are well laid out and can be used easily even by the uninitiated. With NSA your IT security officer can enjoy his coffee break without poring over long and boring log files from various appliances. He will also be able to receive and interpret clear alerts from security appliances and act upon them. We highly recommend that potential users test eIQnetworks' NSA on their own networks, as "seeing is indeed believing".
Room for Improvement
Although Network Security Analyzer talks to multiple vendors and multiple devices, we would like to see more appliances and devices covered over time. As for documentation, it would help if the user guide provided in-depth information on log analysis and correlation.
Multi-layered heterogeneous network security strategies have become the norm. In such an environment, security event management and diagnosis are essential for minimizing network outages so that the company's bottom line is not affected. eIQ's Network Security Analyzer is a step in the right direction.
* Check out the device compatibility list to ensure your firewall, proxy, router or switch is there.
Biju Oommen is a Telecommunications & Networking Solutions Consultant with a special focus on enterprise products and solutions.