Network Security – The road ahead
- Introduction
- What is Network Security?
- “Network
Security” -Monitoring
- “Network Security” -Forensics
- “Network Security” -Compliance
- Conclusion
Introduction
Network Security is the next wave which is bound to sweep the software
market. Increase in offshore projects and transfer of information
across the wire has added fuel to the burning urge to secure the
network. As the famous adage goes, the most safest computer is
one which has been unplugged from the network(making it almost
useless). Network security
is becoming more of a necessity. Interestingly the type of security
required across different enterprises depends on the nature of its
business. Offlate some laws & acts have been defined to
identify security breaches, which is a very good move to prevent
fradulent use/access of information. There are two types of softwares
for Network security, one which prevents it and one which does the
forensic analysis. The main focus of this article would be
the forensics of network security.
What is Network Security?
network security: the
protection of a computer network and its services from unauthorized
modification, destruction, or
disclosure
Network security is a self-contradicting philosophy where you need to
give absolute access and at the same time provide absolute security.
Any enterprise needs to secure itself from two different access of
information/transaction for that matter(ex:ftp,http etc.), internal
access and external access. Securing the access of information or
resources from the external world(WWW) is quite a task to master, that
is where the firewalls pitch in. The firewalls act as gatekeepers who
seggregate the intrusive and non-intrusive requests and allow access.
Configuring & maintaining a firewall is by itself a task which
needs experience and knowledge. There are no hard and fast rules
to instruct the firewalls, it depends on where the firewall is
installed and how the enterprise intends to provide access to
information/resources. So, the effectivity of any firewall depends on
how well or how bad you configure it. Please be informed many firewalls
come with pre-configured rules, which intend to make the job of
securing the information access from external sources. In short
firewall gives you information about attacks happenning from the
external world.
The toughest job is to secure information from the internal sources.
More than securing it, managers need to track the information flow, to
identify possible casuatives. The tracking of information flow will
come in handy in case of legal situations. Because what seemingly to be
a sharing of information could be held against you in the court of
law. To enforce this, acts such as HIPAA, GLBA, SOX have been
putforth, to ensure that the scam(s) like that of “Enron” does
not happen. In short the tracking of information and audit gives you
information abouot security breaches and possible internal attacks.
There are a variety of network security attacks/ breaches:
- Denial of Service
- Virus attacks
- Unauthorized Access
- Confidentiality breaches
- Destruction of information
- Data manipulation
Interestingly , all these information are available across the
enterprise in the form of log files. But to read it through
and making sense out of it, will take a life time. That is where the
“Network Security” monitoring also known as “Log Monitoring” softwares
pitch in. They do a beautiful
job of making sense out of the information spread across various
locations and offer the system administrators a holistic view of what
is happening in their network, in terms of Network Security. In short they
collect,collate,analyze & produce reports which help the
system administrator to keep tabs on Network Security.
“Network Security” -Monitoring
No matter how fine your defense systems are, you need to have someone
to make sense out of the huge amount of data churned out of a edge
device like firewall and the system logs. The typical enterprise logs
about 2-3GB/day depending upon the enterprise the size might vary. The
main goal of the forensic software is to mine through the vast amount
of information and pull out events that need attention. The
“Network security” softwares play a major role in identifying the
causatives and security breaches that are happenning in the
enterprise.
Some of the major areas that needed to be addressed by any network
security product is to provide a collective virus attacks across
different edge devices in the network. What this offers for an
enterprise is a holistic view, of the attacks happening across the
enterprise. It offers a detailed overview of the bandwidth
usage, it should also provide user based access reports. The
product has to highlight sescurity breaches and misuse of internet
access, this will enable the administrator to take the necessary
steps. The edge devices monitoring product has to provide other
stuffs like Traffic trends,insight into capacity planning and Live
traffic monitoring, which will help the administrator to find causes
for network congestion.
The internal monitoring product has to offer the audit information of
users, system security breaches and activity audit trails (ex: remote
access) As most of the administrators are ignorant of the requirements
for the
compliance acts, it is better to cross reference which acts apply to
their enterprise and ensure that the product supports reporting for the
compliance acts(please refer
href=”#Compliance” rel=”nofollow”>here
for details on compliance)
In altoghether they will have to support archiving, scheduling of
reports and a comprehensive list of reports. please follow the next
section for more details.
“Network Security” -Forensics
The most important features you need to
lookout,when you short list a network security forensic product is the
ability
to archive the raw records. This is a major factor when it comes to
acts and laws. So in the court of law, the original record has to be
produced as proof and not the custom format of the vendor. The
next one to lookout for is the ability to create alerts, i.e the
ability to notify whenever some criteria happens ex: when 3
unsuccessfull login attempts mail me kind of stuff, or better still if
there is a virus attack for from the same host more than once, notify
me etc. This will reduce the lot of manual intervention needed in
keeping the network secure. Moreover the ability to schedule
reports is a big plus. You don’t have to check the reports daily. Once
you have done your ground work as to configure some basic alerts and
some scheduled reports. It should be a cakewalk from then on. All
you need to do is check out the information(alerts/reports) you get in
your inbox. It is recommended that you configure reports on a weekly
basis. So that it is never too late to react to a potential threat.
And finally a comprehensive list of reports is a vital feature to
lookout for. Here is a list of reports that might come in handy
for any enterprise:
Reports to expect from edge devices such as a firewall:
- Live monitoring
Security reports
Virus reports
Attack reports
Traffic reports
Protocol usage reports
Web usage reports
Mail usage reports
FTP usage reports
Telnet usage reports
VPN reports
Inbound/Outbound traffic reports
Intranet reports
Internet reports
Trend reports
Reports to expect from compliance and internal monitoring:
( see compliance sub-heading for reports on compliance)
- User Audit reports (successfull/unsuccessful login attempts)
- Audit policy changes (ex: change in privileges etc)
- Password changes
- Account Lockout
- User account changes
- IIS reports
- DHCP reports
- MSI reports( lists the products installed/uninstalled)
- Group policy changes
- RPC reports
- DNS reports
- Active directory reports
The gating factor for choosing a monitoring product is to cross verify
whether the devices you have in your network are supported by the
vendor you choose. There are quite a number of products which
address this market, you might want to search for “firewall analyzer”
and “eventlog analyzer” in google.
“Network Security” -Compliance
Most of the industries such as health care and financial
institutions are mandated to be compliant with HIPAA and SOX acts.
These acts enforce stringent rules in all aspects of the enterprise
including the physical access of information. (This section
concetrates on the software requirement of the acts) There are quite a
number of agencies that offer the compliance as a service for an
enterprise. But it all depends on whether you want to handle compliance
yourself or employ a third party vendor to ensure compliance to the
acts.
HIPAA Compliance:
HIPAA defines the Security Standards for monitoring and auditing system
activity. HIPAA regulations mandate analysis of all logs,
including OS
and application logs including both perimeter devices, such as IDSs, as
well as insider activity. Here are some of the important reports that
need to be in place:
- User Logon report: HIPAA requirements (164.308 (a)(5) -
log-in/log-out monitoring) clearly state that user accesses to the
system be recorded and monitored for possible abuse. Remember, this
intent is not just to catch hackers but also to document the accesses
to medical details by legitimate users. In most cases, the very fact
that the access is recorded is deterrent enough for malicious activity,
much like the presence of a surveillance camera in a parking lot.
- User Logoff report: HIPAA requirements clearly state that user
accesses to the system be recorded and monitored for possible abuse.
Remember, this intent is not just to catch hackers but also to document
the accesses to medical details by legitimate users. In most cases, the
very fact that the access is recorded is deterrent enough for malicious
activity, much like the presence of a surveillance camera in a parking
lot.
- Logon Failure report: The security logon feature includes logging
all unsuccessful login attempts. The user name, date and time are
included in this report.
- Audit Logs access report: HIPAA requirements (164.308 (a)(3) -
review and audit access logs) calls for procedures to regularly review
records of information system activity such as audit logs.
- Security Log Archiving Utility:Periodically, the system
administrator will be able to back up encrypted copies of the log data
and restart the logs.
SOX Compliance:
Sarbanes-Oxlet defines the collection,retention and review of audit
trail log data from all sources under section 404’s IT process
controls. These logs form the basis of the internal controls that
provide corporations with the assurance that financial and business
information is factual and accurate. Here are some of the important
reports to look for:
- User Logon report:SOX requirements (Sec 302 (a)(4)(C) and (D) -
log-in/log-out monitoring) clearly state that user accesses to the
system be recorded and monitored for possible abuse. Remember, this
intent is not just to catch hackers but also to document the accesses
to medical details by legitimate users. In most cases, the very fact
that the access is recorded is deterrent enough for malicious activity,
much like the presence of a surveillance camera in a parking lot.
- User Logoff report:SOX requirements (Sec 302 (a)(4)(C) and (D)
clearly state that user accesses to the system be recorded and
monitored for possible abuse. Remember, this intent is not just to
catch hackers but also to document the accesses to medical details by
legitimate users. In most cases, the very fact that the access is
recorded is deterrent enough for malicious activity, much like the
presence of a surveillance camera in a parking lot.
- Logon Failure reportThe security logon feature includes logging
all unsuccessful login attempts. The user name, date and time are
included in this report.
- Audit Logs access report:SOX requirements (Sec 302 (a)(4)(C) and
(D) – review and audit access logs) calls for procedures to regularly
review records of information system activity such as audit logs.
- Security Log Archiving Utility:Periodically, the system
administrator will be able to back up encrypted copies of the log data
and restart the logs.
- Track Account management changes:Significant changes in the
internal controls sec 302 (a)(6). Changes in the security configuration
settings such as adding or removing a user account to a admistrative
group. These changes can be tracked by analyzing event logs.
- Track Audit policy changes:Internal controls sec 302 (a)(5) by
tracking the event logs
for any changes in the security audit policy.
- Track individual user actions:Internal controls sec 302 (a)(5) by
auditing user activity.
- Track application access:Internal controls sec 302 (a)(5) by
tracking application
process.
- Track directory / file access:Internal controls sec 302 (a)(5)
for any access violation.
GLBA Compliance:
The Financial Services Modernization Act (FMA99) was signed into law in
January 1999 (PL 106-102). Commonly referred to as the
Gramm-Leach-Bliley Act or GLBA, Title V of the Act governs the steps
that financial institutions and financial service companies must
undertake to ensure the security and confidentiality of customer
information. The Act asserts that financial services companies
routinely collect Non-Public Personal Information (NPI) from
individuals, and must notify those individuals when sharing information
outside of the company (or affiliate structure) and, in some cases,
when using such information in situations not related to the
furtherance of a specific financial transaction.
- User Logon report:GLBA Compliance requirements clearly state that
user accesses to the system be recorded and monitored for possible
abuse. Remember, this intent is not just to catch hackers but also to
document the accesses to medical details by legitimate users. In most
cases, the very fact that the access is recorded is deterrent enough
for malicious activity, much like the presence of a surveillance camera
in a parking lot.
- User Logoff report:GLBA requirements clearly state that user
accesses to the system be recorded and monitored for possible abuse.
Remember, this intent is not just to catch hackers but also to document
the accesses to medical details by legitimate users. In most cases, the
very fact that the access is recorded is deterrent enough for malicious
activity, much like the presence of a surveillance camera in a parking
lot.
- Logon Failure report:The security logon feature includes logging
all unsuccessful login attempts. The user name, date and time are
included in this report.
- Audit Logs access report:GLAB requirements (review and audit
access logs) calls for procedures to regularly review records of
information system activity such as audit logs.
- Security Log Archiving Utility:Periodically, the system
administrator will be able to back up encrypted copies of the log data
and restart the logs.
Conclusion
“Network Security” has to be done both internally as well as
externally, the job of nailing the problem is a huge task
which needs expertise and mostly help from softwares such as EventLog Analyzers(compliance and internal monitoring of internal machines) and Firewall Analyzer(virus,attacks
and traffic monitoring of edge devices).
Bibliography
http://www.interhack.net/pubs/network-security/
http://www.hipaa.org/
http://www.sarbanes-oxley.com/
http://www.senate.gov/~banking/conf/
About the Author
The author is the product manager of a suite of network security products Firewall Analyzer and EventLog Analyzer. The author is part of the software companyAdventNet
-Ramesh-
