Network Security - The road ahead

Contents:
- Introduction
- What is Network Security?
- "Network Security" - Monitoring
- "Network Security" - Forensics
- "Network Security" - Compliance (HIPAA, SOX, GLBA)
- Conclusion

Introduction

Network security is the next wave that is bound to sweep the software market. The increase in offshore projects and in the transfer of information across the wire has added fuel to the urge to secure the network. As the famous adage goes, the safest computer is one that has been unplugged from the network (which also makes it almost useless). Network security is becoming a necessity. Interestingly, the type of security required by different enterprises depends on the nature of their business. Of late, laws and acts have been defined to identify security breaches, which is a very good move to prevent fraudulent use of, or access to, information. There are two types of software for network security: one that prevents attacks and one that does the forensic analysis. The main focus of this article is the forensics of network security.

What is Network Security?

Network security: the protection of a computer network and its services from unauthorized modification, destruction, or disclosure.

Network security is a self-contradicting philosophy where you need to give absolute access and at the same time provide absolute security. Any enterprise needs to secure itself against two different kinds of access to its information and transactions (ex: FTP, HTTP, etc.): internal access and external access. Securing access to information or resources from the external world (the Internet) is quite a task to master; that is where firewalls pitch in. Firewalls act as gatekeepers that separate intrusive requests from legitimate ones and allow access accordingly. Configuring and maintaining a firewall is by itself a task that needs experience and knowledge. There are no hard and fast rules for instructing a firewall; it depends on where the firewall is installed and how the enterprise intends to provide access to its information and resources. So the effectiveness of any firewall depends on how well or how badly you configure it. Be aware that many firewalls come with pre-configured rules intended to make the job of securing information access from external sources easier; review those rules against what your enterprise actually considers legitimate rather than trusting them blindly. In short, the firewall gives you information about attacks coming from the external world.

The toughest job is to secure information from internal sources. More than securing it, managers need to track the flow of information in order to identify possible causes. Tracking the information flow will come in handy in legal situations, because what seems to be a harmless sharing of information could be held against you in a court of law. To enforce this, acts such as HIPAA, GLBA and SOX have been put forth, to ensure that scams like that of Enron do not happen again. In short, tracking and auditing information gives you information about security breaches and possible internal attacks.

There are a variety of network security attacks and breaches:
- Denial of service
- Virus attacks
- Unauthorized access
- Confidentiality breaches
- Destruction of information
- Data manipulation

Interestingly, evidence of all of these is available across the enterprise in the form of log files. But reading through them and making sense of them by hand would take a lifetime. That is where "network security" monitoring software, also known as log monitoring software, pitches in. It does a beautiful job of making sense of the information spread across various locations and offers system administrators a holistic view of what is happening in their network in terms of network security. In short, it collects, collates, analyzes and produces reports that help the system administrator keep tabs on network security.

"Network Security" - Monitoring

No matter how fine your defense systems are, you need someone to make sense of the huge amount of data churned out by edge devices such as firewalls and by system logs. A typical enterprise logs about 2-3 GB per day; the volume varies with the size of the enterprise. The main goal of the forensic software is to mine through this vast amount of information and pull out the events that need attention. Network security software plays a major role in identifying the causes of, and the security breaches that are happening in, the enterprise.

One of the major areas that any network security product needs to address is a collective view of virus attacks across the different edge devices in the network. What this offers an enterprise is a holistic view of the attacks happening across the enterprise. The product should offer a detailed overview of bandwidth usage, and it should also provide user-based access reports. It has to highlight security breaches and misuse of Internet access, which will enable the administrator to take the necessary steps. The edge device monitoring product also has to provide traffic trends, insight into capacity planning and live traffic monitoring, which will help the administrator find the causes of network congestion.

The internal monitoring product has to offer audit information on users, system security breaches and activity audit trails (ex: remote access). As most administrators are unfamiliar with the requirements of the compliance acts, it is better to cross-reference which acts apply to the enterprise and ensure that the product supports reporting for those acts (see the Compliance section below for details).

Altogether, these products will have to support archiving, scheduling of reports and a comprehensive list of reports. Please follow the next section for more details.

"Network Security" - Forensics

The most important feature to look out for when you shortlist a network security forensic product is the ability to archive the raw records. This is a major factor when it comes to acts and laws: in a court of law, the original record has to be produced as proof, not the vendor's custom format. The archive should therefore keep the records byte-for-byte as the devices emitted them, protected against tampering and, where the data is sensitive, encrypted at rest, so that what you restore can be shown to be what was collected.
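As an added illustration (not code from the original article or from any product it mentions), here is a small Go program that seals a batch of raw records the way the archive feature above is meant to work: the records are kept byte-for-byte as the device emitted them, hashed with SHA-256 so the original can be matched later, and encrypted with AES-256-GCM so that any edit to the stored copy is detected on restore. The firewall lines and the key are constructed for the demo; a real deployment would hold the key in a KMS or HSM.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Archive is one sealed batch of raw log records. The records are stored
// byte-for-byte as the device emitted them (no vendor normalisation) so the
// original can be produced later. The digest covers the plaintext and is also
// bound to the ciphertext as GCM additional data, so neither can be swapped.
type Archive struct {
	Digest     string // hex SHA-256 of the raw records
	Nonce      []byte // 12-byte AES-GCM nonce, fresh for every archive
	Ciphertext []byte // AES-256-GCM(raw records), authentication tag appended
}

// newAEAD returns an AES-256-GCM cipher for a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("archive key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ArchiveLogs seals raw records under key. Call it at each rotation point and
// only then truncate the live log; the live log is never edited in place.
func ArchiveLogs(raw, key []byte) (*Archive, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	sum := sha256.Sum256(raw)
	digest := hex.EncodeToString(sum[:])
	ct := aead.Seal(nil, nonce, raw, []byte(digest))
	return &Archive{Digest: digest, Nonce: nonce, Ciphertext: ct}, nil
}

// RestoreLogs decrypts an archive and proves the bytes it returns are the
// records that were sealed: GCM rejects any change to ciphertext, nonce or
// digest, and the digest is re-checked against the decrypted plaintext.
func RestoreLogs(a *Archive, key []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	raw, err := aead.Open(nil, a.Nonce, a.Ciphertext, []byte(a.Digest))
	if err != nil {
		return nil, fmt.Errorf("archive rejected: %w", err)
	}
	sum := sha256.Sum256(raw)
	if hex.EncodeToString(sum[:]) != a.Digest {
		return nil, errors.New("archive digest mismatch")
	}
	return raw, nil
}

// SampleRaw is a constructed batch of firewall lines, kept in the device's
// own format rather than a normalised schema.
var SampleRaw = []byte(
	"Mar  4 09:12:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22\n" +
		"Mar  4 09:12:03 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23\n" +
		"Mar  4 09:12:05 fw01 kernel: ACCEPT IN=eth1 SRC=192.0.2.44 DST=198.51.100.9 PROTO=TCP DPT=443\n")

// DemoKey is for the demo only; a real archive key belongs in a KMS or HSM.
var DemoKey = bytes.Repeat([]byte{0x42}, 32)

func main() {
	a, err := ArchiveLogs(SampleRaw, DemoKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes, digest %s\n", len(SampleRaw), a.Digest)

	restored, err := RestoreLogs(a, DemoKey)
	fmt.Println("restore ok:", err == nil && bytes.Equal(restored, SampleRaw))

	a.Ciphertext[0] ^= 0x01 // an edited archive must not pass as evidence
	_, err = RestoreLogs(a, DemoKey)
	fmt.Println("tampered archive rejected:", err != nil)
}
```

The digest is what you would record in a chain-of-custody note; the GCM tag is what stops a quietly edited archive from ever decrypting, so the two checks cover different failure modes.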
The next thing to look out for is the ability to create alerts, i.e. the ability to notify you whenever some criterion is met: for example, "mail me after 3 unsuccessful login attempts", or better still, "notify me if there is a virus alert from the same host more than once". This reduces the manual intervention needed to keep the network secure. Moreover, the ability to schedule reports is a big plus: you don't have to check the reports daily. Once you have done the groundwork of configuring some basic alerts and some scheduled reports, it should be a cakewalk from then on. All you need to do is check the alerts and reports that arrive in your inbox. It is recommended that you schedule reports at least weekly, so that it is never too late to react to a potential threat.
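As an added example (not part of the original article and not any vendor's product), here are the two alert criteria just described, three failed logins and a repeated virus detection from one host, implemented as rules over a constructed key=value event feed in Go. The log format, field names and thresholds are assumptions for the demo. Two details the paragraph leaves implicit are made explicit: the failed-login rule uses a time window, so three failures spread over a day do not page anyone, and lines the collector could not parse are counted rather than silently dropped.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one parsed log line: an RFC 3339 timestamp followed by key=value fields.
type Event struct {
	Time   time.Time
	Fields map[string]string
}

// Alert is what the monitoring product would mail or page on.
type Alert struct {
	Rule    string    // which rule fired
	Subject string    // the user or host the rule fired on
	Count   int       // events that triggered it
	At      time.Time // time of the event that tipped it over
}

// parseLine accepts "2024-03-04T09:12:01Z event=login_failure user=alice src=10.0.0.5".
// Lines without a parsable time or an event= field are rejected rather than
// guessed at, so the caller can count how much of the feed it could not read.
func parseLine(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Event{}, fmt.Errorf("too few fields: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, err
	}
	ev := Event{Time: ts, Fields: map[string]string{}}
	for _, f := range fields[1:] {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) == 2 {
			ev.Fields[kv[0]] = kv[1]
		}
	}
	if ev.Fields["event"] == "" {
		return Event{}, fmt.Errorf("missing event field: %q", line)
	}
	return ev, nil
}

// Evaluate runs two rules over lines (assumed to be in time order) and returns
// the alerts raised plus the number of lines it could not parse:
//   - failed_logins: threshold failures for one user within window
//   - repeated_virus: a second virus detection from the same source host
func Evaluate(lines []string, threshold int, window time.Duration) ([]Alert, int) {
	var alerts []Alert
	malformed := 0
	failures := map[string][]time.Time{} // user -> recent failure times
	virusHits := map[string]int{}        // src host -> detections seen

	for _, line := range lines {
		ev, err := parseLine(line)
		if err != nil {
			malformed++
			continue
		}
		switch ev.Fields["event"] {
		case "login_failure":
			user := ev.Fields["user"]
			recent := append(failures[user], ev.Time)
			cutoff := ev.Time.Add(-window)
			for len(recent) > 0 && recent[0].Before(cutoff) {
				recent = recent[1:] // expire failures outside the window
			}
			if len(recent) >= threshold {
				alerts = append(alerts, Alert{Rule: "failed_logins", Subject: user, Count: len(recent), At: ev.Time})
				recent = nil // one alert per burst, not one per extra failure
			}
			failures[user] = recent
		case "virus":
			src := ev.Fields["src"]
			virusHits[src]++
			if virusHits[src] == 2 {
				alerts = append(alerts, Alert{Rule: "repeated_virus", Subject: src, Count: 2, At: ev.Time})
			}
		}
	}
	return alerts, malformed
}

// SampleLines is a constructed feed: a burst of failures for alice, a lone
// failure for bob, two hits from one infected host, one from another, and a
// line the collector garbled.
var SampleLines = []string{
	"2024-03-04T09:12:01Z event=login_failure user=alice src=10.0.0.5",
	"2024-03-04T09:12:09Z event=login_failure user=alice src=10.0.0.5",
	"2024-03-04T09:12:20Z event=login_failure user=alice src=10.0.0.5",
	"2024-03-04T09:30:00Z event=login_failure user=bob src=10.0.0.7",
	"2024-03-04T10:00:00Z event=virus src=10.0.0.9 name=EICAR-Test-File",
	"2024-03-04T10:05:30Z event=virus src=10.0.0.9 name=EICAR-Test-File",
	"2024-03-04T10:07:00Z event=virus src=10.0.0.11 name=Trojan.Generic",
	"2024-03-04T10:08:00Z garbage line without fields",
}

func main() {
	alerts, malformed := Evaluate(SampleLines, 3, 5*time.Minute)
	for _, a := range alerts {
		fmt.Printf("%s  %-15s %-10s count=%d\n", a.At.Format(time.RFC3339), a.Rule, a.Subject, a.Count)
	}
	fmt.Printf("%d malformed line(s) skipped\n", malformed)
}
```

On the sample feed this raises exactly two alerts, one for alice and one for host 10.0.0.9, and reports one skipped line. A rising count of malformed lines is itself worth an alert: it usually means a device changed its log format and the rules have gone blind.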
And finally, a comprehensive list of reports is a vital feature to look out for. Here is a list of reports that might come in handy for any enterprise:

Reports to expect from edge devices such as a firewall:
- Live monitoring
- Security reports
- Virus reports
- Attack reports
- Traffic reports
- Protocol usage reports
- Web usage reports
- Mail usage reports
- FTP usage reports
- Telnet usage reports
- VPN reports
- Inbound/outbound traffic reports
- Intranet reports
- Internet reports
- Trend reports

Reports to expect from compliance and internal monitoring (see the Compliance section for the reports the acts themselves require):
- User audit reports (successful/unsuccessful login attempts)
- Audit policy changes (ex: changes in privileges)
- Password changes
- Account lockouts
- User account changes
- IIS reports
- DHCP reports
- MSI reports (listing the products installed/uninstalled)
- Group policy changes
- RPC reports
- DNS reports
- Active Directory reports

The gating factor for choosing a monitoring product is to verify whether the devices you have in your network are supported by the vendor you choose. There are quite a number of products that address this market; you might want to search for "firewall analyzer" and "eventlog analyzer" in Google.

"Network Security" - Compliance

Most industries, such as health care and financial institutions, are mandated to comply with acts such as HIPAA and SOX. These acts enforce stringent rules on all aspects of the enterprise, including physical access to information. (This section concentrates on the software requirements of the acts.) There are quite a number of agencies that offer compliance as a service to an enterprise. It all depends on whether you want to handle compliance yourself or employ a third-party vendor to ensure compliance with the acts.

HIPAA Compliance:
HIPAA defines the Security Standards for monitoring and auditing system activity. HIPAA regulations mandate analysis of all logs, including OS and application logs, covering both perimeter devices such as IDSs and insider activity. Here are some of the important reports that need to be in place:
- User logon report: HIPAA requirements (164.308(a)(5)(ii)(C), log-in monitoring) state that user accesses to the system be recorded and monitored for possible abuse. Remember, the intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough against malicious activity, much like the presence of a surveillance camera in a parking lot.
- User logoff report: the same requirement applies to logoffs, so that both ends of every session are on record.
- Logon failure report: the security logon feature includes logging all unsuccessful login attempts. The user name, date and time are included in this report.
- Audit log access report: HIPAA requirements (164.308(a)(1)(ii)(D), information system activity review) call for procedures to regularly review records of information system activity such as audit logs.
- Security log archiving utility: periodically, the system administrator should be able to back up encrypted copies of the log data and restart the logs.

SOX Compliance:
Sarbanes-Oxley defines the collection, retention and review of audit trail log data from all sources under section 404's IT process controls. These logs form the basis of the internal controls that provide corporations with the assurance that financial and business information is factual and accurate. Here are some of the important reports to look for:
- User logon report: SOX requirements (Sec 302(a)(4)(C) and (D), log-in/log-out monitoring) state that user accesses to the system be recorded and monitored for possible abuse. As with HIPAA, the intent is not just to catch hackers but also to document accesses to financial records by legitimate users, and the fact that access is recorded is itself a deterrent.
- User logoff report: the same requirement applies to logoffs.
- Logon failure report: all unsuccessful login attempts, with user name, date and time.
- Audit log access report: SOX requirements (Sec 302(a)(4)(C) and (D), review and audit access logs) call for procedures to regularly review records of information system activity such as audit logs.
- Security log archiving utility: periodically, the system administrator should be able to back up encrypted copies of the log data and restart the logs.
- Track account management changes: significant changes in the internal controls (Sec 302(a)(6)), such as adding a user account to, or removing one from, an administrative group. These changes can be tracked by analyzing event logs.
- Track audit policy changes: internal controls (Sec 302(a)(5)), by tracking the event logs for any changes in the security audit policy.
- Track individual user actions: internal controls (Sec 302(a)(5)), by auditing user activity.
- Track application access: internal controls (Sec 302(a)(5)), by tracking application processes.
- Track directory/file access: internal controls (Sec 302(a)(5)), for any access violation.

GLBA Compliance:
The Financial Services Modernization Act (FMA99) was signed into law in November 1999 (PL 106-102). Commonly referred to as the Gramm-Leach-Bliley Act or GLBA, Title V of the Act governs the steps that financial institutions and financial service companies must undertake to ensure the security and confidentiality of customer information. The Act asserts that financial services companies routinely collect Non-Public Personal Information (NPI) from individuals, and must notify those individuals when sharing information outside of the company (or affiliate structure) and, in some cases, when using such information in situations not related to the furtherance of a specific financial transaction. The reports to look for mirror those under HIPAA and SOX:
- User logon report: GLBA requirements state that user accesses to the system be recorded and monitored for possible abuse, documenting accesses to customer NPI by legitimate users as well as catching intruders; as above, the record itself is a deterrent.
- User logoff report: the same requirement applies to logoffs.
- Logon failure report: all unsuccessful login attempts, with user name, date and time.
- Audit log access report: GLBA requirements (review and audit access logs) call for procedures to regularly review records of information system activity such as audit logs.
- Security log archiving utility: periodically, the system administrator should be able to back up encrypted copies of the log data and restart the logs.

Conclusion

"Network security" has to be done both internally and externally. Nailing the problem is a huge task that needs expertise and, for the most part, help from software such as EventLog Analyzer (compliance and internal monitoring of internal machines) and Firewall Analyzer (virus, attack and traffic monitoring of edge devices).