Network Security - The road ahead

Contents

Introduction
What is Network Security?
"Network Security" - Monitoring
"Network Security" - Forensics
"Network Security" - Compliance
  HIPAA
  SOX
  GLBA
Conclusion


Introduction

Network Security is the next wave which is bound to sweep the software market. The increase in offshore projects and the transfer of information across the wire have added fuel to the burning urge to secure the network. As the famous adage goes, the safest computer is one which has been unplugged from the network (making it almost useless). Network security is becoming more of a necessity. Interestingly, the type of security required across different enterprises depends on the nature of their business. Of late, some laws and acts have been defined to identify security breaches, which is a very good move to prevent fraudulent use of or access to information. There are two types of software for network security: one which prevents breaches and one which does the forensic analysis. The main focus of this article is the forensics of network security.


What is Network Security?

Network security: the protection of a computer network and its services from unauthorized modification, destruction, or disclosure.

Network security is a self-contradicting philosophy where you need to give absolute access and at the same time provide absolute security. Any enterprise needs to secure itself against two different kinds of access to information (or transactions, for that matter; ex: ftp, http etc.): internal access and external access. Securing the access to information or resources from the external world (WWW) is quite a task to master; that is where the firewalls pitch in. The firewalls act as gatekeepers which segregate the intrusive and non-intrusive requests and allow access accordingly. Configuring and maintaining a firewall is by itself a task which needs experience and knowledge. There are no hard and fast rules for instructing the firewalls; it depends on where the firewall is installed and how the enterprise intends to provide access to information and resources. So, the effectiveness of any firewall depends on how well or how badly you configure it. Please be informed that many firewalls come with pre-configured rules, which are intended to make the job of securing information access from external sources easier. In short, the firewall gives you information about attacks happening from the external world.

The toughest job is to secure information from the internal sources. More than securing it, managers need to track the information flow, to identify possible causes. The tracking of information flow will come in handy in case of legal situations, because what seemingly is a sharing of information could be held against you in the court of law. To enforce this, acts such as HIPAA, GLBA and SOX have been put forth, to ensure that scams like that of "Enron" do not happen. In short, the tracking of information and the audit give you information about security breaches and possible internal attacks.

There are a variety of network security attacks and breaches:

- Denial of Service
- Virus attacks
- Unauthorized Access
- Confidentiality breaches
- Destruction of information
- Data manipulation

Interestingly, all this information is available across the enterprise in the form of log files. But reading through it and making sense out of it will take a lifetime. That is where the "Network Security" monitoring software, also known as "Log Monitoring" software, pitches in. It does a beautiful job of making sense out of the information spread across various locations and offers the system administrators a holistic view of what is happening in their network, in terms of network security. In short, these products collect, collate, analyze and produce reports which help the system administrator to keep tabs on network security.


"Network Security" - Monitoring

No matter how fine your defense systems are, you need to have someone to make sense out of the huge amount of data churned out of an edge device like a firewall and of the system logs. The typical enterprise logs about 2-3 GB/day; depending upon the enterprise the size might vary. The main goal of the forensic software is to mine through the vast amount of information and pull out events that need attention. The "Network Security" software plays a major role in identifying the causes and security breaches that are happening in the enterprise.

One of the major areas that needs to be addressed by any network security product is to provide a collective view of virus attacks across the different edge devices in the network. What this offers an enterprise is a holistic view of the attacks happening across the enterprise. It offers a detailed overview of the bandwidth usage, and it should also provide user-based access reports. The product has to highlight security breaches and misuse of internet access; this will enable the administrator to take the necessary steps. The edge device monitoring product has to provide other things like traffic trends, insight into capacity planning and live traffic monitoring, which will help the administrator to find causes for network congestion.

The internal monitoring product has to offer the audit information of users, system security breaches and activity audit trails (ex: remote access). As most administrators are ignorant of the requirements of the compliance acts, it is better to cross reference which acts apply to their enterprise and ensure that the product supports reporting for those compliance acts (please refer to the compliance section for details).

Altogether, such products will have to support archiving, scheduling of reports and a comprehensive list of reports. Please follow the next section for more details.


"Network Security" - Forensics

The most important feature you need to look out for, when you shortlist a network security forensic product, is the ability to archive the raw records. This is a major factor when it comes to acts and laws: in the court of law, the original record has to be produced as proof, and not the custom format of the vendor. The next one to look out for is the ability to create alerts, i.e. the ability to notify whenever some criterion is met, ex: "when there are 3 unsuccessful login attempts, mail me", or better still, "if there is a virus attack from the same host more than once, notify me". This will reduce a lot of the manual intervention needed in keeping the network secure. Moreover, the ability to schedule reports is a big plus. You don't have to check the reports daily. Once you have done your ground work of configuring some basic alerts and some scheduled reports, it should be a cakewalk from then on. All you need to do is check out the information (alerts/reports) you get in your inbox. It is recommended that you configure reports on a weekly basis, so that it is never too late to react to a potential threat.

And finally, a comprehensive list of reports is a vital feature to look out for. Here is a list of reports that might come in handy for any enterprise:

Reports to expect from edge devices such as a firewall:

- Live monitoring
- Security reports
- Virus reports
- Attack reports
- Traffic reports
- Protocol usage reports
- Web usage reports
- Mail usage reports
- FTP usage reports
- Telnet usage reports
- VPN reports
- Inbound/Outbound traffic reports
- Intranet reports
- Internet reports
- Trend reports

Reports to expect from compliance and internal monitoring (see the compliance section for reports on compliance):

- User Audit reports (successful/unsuccessful login attempts)
- Audit policy changes (ex: change in privileges etc.)
- Password changes
- Account Lockout
- User account changes
- IIS reports
- DHCP reports
- MSI reports (lists the products installed/uninstalled)
- Group policy changes
- RPC reports
- DNS reports
- Active Directory reports

The gating factor for choosing a monitoring product is to cross-verify whether the devices you have in your network are supported by the vendor you choose. There are quite a number of products which address this market; you might want to search for "firewall analyzer" and "eventlog analyzer" in Google.


"Network Security" - Compliance

Most of the industries such as health care and financial institutions are mandated to be compliant with the HIPAA and SOX acts. These acts enforce stringent rules in all aspects of the enterprise, including the physical access to information. (This section concentrates on the software requirements of the acts.) There are quite a number of agencies that offer compliance as a service for an enterprise. But it all depends on whether you want to handle compliance yourself or employ a third-party vendor to ensure compliance with the acts.

HIPAA Compliance:

HIPAA defines the Security Standards for monitoring and auditing system activity. HIPAA regulations mandate analysis of all logs, including OS and application logs, covering both perimeter devices, such as IDSs, and insider activity. Here are some of the important reports that need to be in place:

User Logon report: HIPAA requirements (164.308 (a)(5) - log-in/log-out monitoring) clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, this intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot.

User Logoff report: HIPAA requirements clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, this intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot.

Logon Failure report: The security logon feature includes logging all unsuccessful login attempts. The user name, date and time are included in this report.

Audit Logs access report: HIPAA requirements (164.308 (a)(3) - review and audit access logs) call for procedures to regularly review records of information system activity such as audit logs.

Security Log Archiving Utility: Periodically, the system administrator will be able to back up encrypted copies of the log data and restart the logs.

SOX Compliance:

Sarbanes-Oxley defines the collection, retention and review of audit trail log data from all sources under section 404's IT process controls. These logs form the basis of the internal controls that provide corporations with the assurance that financial and business information is factual and accurate. Here are some of the important reports to look for:

User Logon report: SOX requirements (Sec 302 (a)(4)(C) and (D) - log-in/log-out monitoring) clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, this intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot.

User Logoff report: SOX requirements (Sec 302 (a)(4)(C) and (D)) clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, this intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot.

Logon Failure report: The security logon feature includes logging all unsuccessful login attempts. The user name, date and time are included in this report.

Audit Logs access report: SOX requirements (Sec 302 (a)(4)(C) and (D) - review and audit access logs) call for procedures to regularly review records of information system activity such as audit logs.

Security Log Archiving Utility: Periodically, the system administrator will be able to back up encrypted copies of the log data and restart the logs.

Track Account management changes: Significant changes in the internal controls, sec 302 (a)(6). Changes in the security configuration settings such as adding or removing a user account to or from an administrative group. These changes can be tracked by analyzing event logs.

Track Audit policy changes: Internal controls, sec 302 (a)(5), by tracking the event logs for any changes in the security audit policy.

Track individual user actions: Internal controls, sec 302 (a)(5), by auditing user activity.

Track application access: Internal controls, sec 302 (a)(5), by tracking application processes.

Track directory / file access: Internal controls, sec 302 (a)(5), for any access violation.

GLBA Compliance:

The Financial Services Modernization Act (FMA99) was signed into law in January 1999 (PL 106-102). Commonly referred to as the Gramm-Leach-Bliley Act or GLBA, Title V of the Act governs the steps that financial institutions and financial service companies must undertake to ensure the security and confidentiality of customer information. The Act asserts that financial services companies routinely collect Non-Public Personal Information (NPI) from individuals, and must notify those individuals when sharing information outside of the company (or affiliate structure) and, in some cases, when using such information in situations not related to the furtherance of a specific financial transaction.

User Logon report: GLBA compliance requirements clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, this intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot.

User Logoff report: GLBA requirements clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, this intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot.

Logon Failure report: The security logon feature includes logging all unsuccessful login attempts. The user name, date and time are included in this report.

Audit Logs access report: GLBA requirements (review and audit access logs) call for procedures to regularly review records of information system activity such as audit logs.

Security Log Archiving Utility: Periodically, the system administrator will be able to back up encrypted copies of the log data and restart the logs.


Conclusion

"Network Security" has to be done both internally as well as externally. The job of nailing the problem is a huge task which needs expertise and, mostly, help from software such as EventLog Analyzers (compliance and internal monitoring of internal machines) and Firewall Analyzers (virus, attack and traffic monitoring of edge devices).
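The alert rules from the Forensics section (three unsuccessful logins for one user, a virus seen from the same host more than once) and the Logon Failure and account-management reports from the compliance sections, as an added Python example that is not part of the original article. The pipe-delimited log lines, host names and event names are constructed for illustration; the SHA-256 digest over the raw lines is an added integrity check for the archived originals, not something the article specifies.

```python
"""Added example: log-monitoring rules and compliance reports over constructed log lines."""
import hashlib
from collections import Counter

# Constructed, pipe-delimited records: timestamp|source|event|subject|detail
RAW_LOGS = [
    "2024-03-01 08:01:12|dc01|LOGON_FAIL|jdoe|bad password",
    "2024-03-01 08:01:40|dc01|LOGON_FAIL|jdoe|bad password",
    "2024-03-01 08:02:05|dc01|LOGON_FAIL|jdoe|bad password",
    "2024-03-01 08:03:00|dc01|LOGON_OK|jdoe|",
    "2024-03-01 09:15:22|dc01|LOGON_FAIL|asmith|bad password",
    "2024-03-01 10:00:00|dc01|GROUP_CHANGE|asmith|added to Domain Admins by jdoe",
    "2024-03-01 11:20:10|fw01|VIRUS|10.1.2.7|W32/Example",
    "2024-03-01 11:25:44|fw01|VIRUS|10.1.2.7|W32/Example",
    "2024-03-01 12:00:00|fw01|VIRUS|10.1.9.3|W32/Other",
]

def parse(line):
    """Split one raw line into (timestamp, source, event, subject, detail)."""
    ts, src, event, subject, detail = line.split("|", 4)
    return ts, src, event, subject, detail

def raw_archive_digest(raw_lines):
    """SHA-256 over the untouched raw lines, recorded at archive time so the
    originals (not the vendor's parsed format) can later be shown unchanged."""
    return hashlib.sha256("\n".join(raw_lines).encode("utf-8")).hexdigest()

def logon_failure_report(raw_lines):
    """Logon Failure report: user name, date and time of every failed attempt."""
    rows = []
    for ts, _src, event, subject, _detail in map(parse, raw_lines):
        if event == "LOGON_FAIL":
            date, time = ts.split(" ")
            rows.append((subject, date, time))
    return rows

def account_management_report(raw_lines):
    """Track account-management changes, e.g. a user added to an administrative group."""
    return [(ts, subject, detail) for ts, _src, event, subject, detail
            in map(parse, raw_lines) if event == "GROUP_CHANGE"]

def alerts(raw_lines, fail_threshold=3, virus_repeat=2):
    """Alert rules: N failed logins for one user; a virus from the same host more than once."""
    records = [parse(line) for line in raw_lines]
    fails = Counter(subj for _ts, _s, ev, subj, _d in records if ev == "LOGON_FAIL")
    viruses = Counter(subj for _ts, _s, ev, subj, _d in records if ev == "VIRUS")
    out = [f"ALERT {n} failed logins for user {u}" for u, n in fails.items() if n >= fail_threshold]
    out += [f"ALERT virus seen {n} times from host {h}" for h, n in viruses.items() if n >= virus_repeat]
    return sorted(out)

if __name__ == "__main__":
    print("archive digest:", raw_archive_digest(RAW_LOGS))
    for row in logon_failure_report(RAW_LOGS):
        print("logon failure:", *row)
    for row in account_management_report(RAW_LOGS):
        print("account change:", *row)
    for line in alerts(RAW_LOGS):
        print(line)
```

The report functions read only the parsed copy, so the raw lines that were digested stay exactly as collected.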