Network Security - The road ahead

Contents:
- Introduction
- What is Network Security?
- "Network Security" - Monitoring
- "Network Security" - Forensics
- "Network Security" - Compliance (HIPAA, SOX, GLBA)
- Conclusion

Introduction

Network Security is the next wave which is bound to sweep the software market. The increase in offshore projects and the transfer of information across the wire have added fuel to the burning urge to secure the network. As the famous adage goes, the safest computer is one which has been unplugged from the network (making it almost useless). Network security is becoming more of a necessity. Interestingly, the type of security required across different enterprises depends on the nature of the business. Of late, some laws and acts have been defined to identify security breaches, which is a very good move to prevent fraudulent use of, or access to, information. There are two types of software for network security: one which prevents breaches and one which does the forensic analysis. The main focus of this article is the forensics of network security.

What is Network Security?

Network security: the protection of a computer network and its services from unauthorized modification, destruction, or disclosure.

Network security is a self-contradicting philosophy where you need to give absolute access and at the same time provide absolute security. Any enterprise needs to secure itself against two different kinds of access to information or transactions (e.g. FTP, HTTP, etc.): internal access and external access. Securing the access to information or resources from the external world (WWW) is quite a task to master; that is where the firewalls pitch in. The firewalls act as gatekeepers which segregate the intrusive and non-intrusive requests and allow access accordingly. Configuring and maintaining a firewall is by itself a task which needs experience and knowledge. There are no hard and fast rules to instruct the firewalls; it depends on where the firewall is installed and how the enterprise intends to provide access to information and resources. So, the effectiveness of any firewall depends on how well or how badly you configure it. Please be informed that many firewalls come with pre-configured rules, which are intended to ease the job of securing information access from external sources. In short, the firewall gives you information about attacks happening from the external world.

The toughest job is to secure information from the internal sources. More than securing it, managers need to track the information flow, to identify possible causatives. The tracking of information flow will come in handy in case of legal situations, because what seemingly is a sharing of information could be held against you in the court of law. To enforce this, acts such as HIPAA, GLBA and SOX have been put forth, to ensure that scams like that of "Enron" do not happen. In short, the tracking of information and audit gives you information about security breaches and possible internal attacks.

There are a variety of network security attacks/breaches:
- Denial of Service
- Virus attacks
- Unauthorized Access
- Confidentiality breaches
- Destruction of information
- Data manipulation

Interestingly, all this information is available across the enterprise in the form of log files. But to read through it and make sense out of it will take a lifetime. That is where the "Network Security" monitoring software, also known as "Log Monitoring" software, pitches in. It does a beautiful job of making sense out of the information spread across various locations and offers the system administrators a holistic view of what is happening in their network, in terms of network security. In short, it collects, collates, analyzes and produces reports which help the system administrator to keep tabs on network security.

"Network Security" - Monitoring

No matter how fine your defense systems are, you need to have someone to make sense out of the huge amount of data churned out of an edge device like a firewall and the system logs. The typical enterprise logs about 2-3GB/day; depending upon the enterprise, the size might vary. The main goal of the forensic software is to mine through the vast amount of information and pull out events that need attention. The "Network Security" software plays a major role in identifying the causatives and security breaches that are happening in the enterprise.

One of the major areas that needs to be addressed by any network security product is to provide a collective view of virus attacks across different edge devices in the network. What this offers for an enterprise is a holistic view of the attacks happening across the enterprise. It offers a detailed overview of the bandwidth usage; it should also provide user-based access reports. The product has to highlight security breaches and misuse of internet access; this will enable the administrator to take the necessary steps. The edge device monitoring product has to provide other features like traffic trends, insight into capacity planning and live traffic monitoring, which will help the administrator to find causes for network congestion.

The internal monitoring product has to offer the audit information of users, system security breaches and activity audit trails (e.g. remote access). As most administrators are unaware of the requirements of the compliance acts, it is better to cross-reference which acts apply to their enterprise and ensure that the product supports reporting for those compliance acts (please refer to the Compliance section below for details).

Altogether they will have to support archiving, scheduling of reports and a comprehensive list of reports. Please follow the next section for more details.

"Network Security" - Forensics

The most important feature you need to look out for when you shortlist a network security forensic product is the ability to archive the raw records. This is a major factor when it comes to acts and laws: in the court of law, the original record has to be produced as proof and not the custom format of the vendor. The next one to look out for is the ability to create alerts, i.e. the ability to notify whenever some criterion is met, for example "when there are 3 unsuccessful login attempts, mail me", or better still, "if there is a virus attack from the same host more than once, notify me". This will reduce a lot of the manual intervention needed in keeping the network secure. Moreover, the ability to schedule reports is a big plus: you don't have to check the reports daily. Once you have done your groundwork of configuring some basic alerts and some scheduled reports, it should be a cakewalk from then on. All you need to do is check the information (alerts and reports) you get in your inbox. It is recommended that you configure reports on a weekly basis, so that it is never too late to react to a potential threat. And finally, a comprehensive list of reports is a vital feature to look out for. Here is a list of reports that might come in handy for any enterprise:

Reports to expect from edge devices such as a firewall:
- Live monitoring
- Security reports
- Virus reports
- Attack reports
- Traffic reports
- Protocol usage reports
- Web usage reports
- Mail usage reports
- FTP usage reports
- Telnet usage reports
- VPN reports
- Inbound/Outbound traffic reports
- Intranet reports
- Internet reports
- Trend reports

Reports to expect from compliance and internal monitoring (see the Compliance section for reports on compliance):
- User Audit reports (successful/unsuccessful login attempts)
- Audit policy changes (e.g. change in privileges, etc.)
- Password changes
- Account Lockout
- User account changes
- IIS reports
- DHCP reports
- MSI reports (lists the products installed/uninstalled)
- Group policy changes
- RPC reports
- DNS reports
- Active Directory reports

The gating factor for choosing a monitoring product is to cross-verify whether the devices you have in your network are supported by the vendor you choose. There are quite a number of products which address this market; you might want to search for "firewall analyzer" and "eventlog analyzer" in Google.

"Network Security" - Compliance

Most industries such as health care and financial institutions are mandated to be compliant with the HIPAA and SOX acts. These acts enforce stringent rules in all aspects of the enterprise, including the physical access to information. (This section concentrates on the software requirements of the acts.) There are quite a number of agencies that offer compliance as a service for an enterprise. But it all depends on whether you want to handle compliance yourself or employ a third-party vendor to ensure compliance with the acts.

HIPAA Compliance:

HIPAA defines the Security Standards for monitoring and auditing system activity. HIPAA regulations mandate analysis of all logs, including OS and application logs, covering both perimeter devices, such as IDSs, and insider activity. Here are some of the important reports that need to be in place:

- User Logon report: HIPAA requirements (164.308 (a)(5) - log-in/log-out monitoring) clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, the intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot.
- User Logoff report: HIPAA requirements clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, the intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot.
- Logon Failure report: The security logon feature includes logging all unsuccessful login attempts. The user name, date and time are included in this report.
- Audit Logs access report: HIPAA requirements (164.308 (a)(3) - review and audit access logs) call for procedures to regularly review records of information system activity such as audit logs.
- Security Log Archiving Utility: Periodically, the system administrator will be able to back up encrypted copies of the log data and restart the logs.

SOX Compliance:

Sarbanes-Oxley defines the collection, retention and review of audit trail log data from all sources under section 404's IT process controls. These logs form the basis of the internal controls that provide corporations with the assurance that financial and business information is factual and accurate. Here are some of the important reports to look for:

- User Logon report: SOX requirements (Sec 302 (a)(4)(C) and (D) - log-in/log-out monitoring) clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, the intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot.
- User Logoff report: SOX requirements (Sec 302 (a)(4)(C) and (D)) clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, the intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot.
- Logon Failure report: The security logon feature includes logging all unsuccessful login attempts. The user name, date and time are included in this report.
- Audit Logs access report: SOX requirements (Sec 302 (a)(4)(C) and (D) - review and audit access logs) call for procedures to regularly review records of information system activity such as audit logs.
- Security Log Archiving Utility: Periodically, the system administrator will be able to back up encrypted copies of the log data and restart the logs.
- Track Account management changes: Significant changes in the internal controls, sec 302 (a)(6): changes in the security configuration settings such as adding or removing a user account to an administrative group. These changes can be tracked by analyzing event logs.
- Track Audit policy changes: Internal controls, sec 302 (a)(5), by tracking the event logs for any changes in the security audit policy.
- Track individual user actions: Internal controls, sec 302 (a)(5), by auditing user activity.
- Track application access: Internal controls, sec 302 (a)(5), by tracking application processes.
- Track directory / file access: Internal controls, sec 302 (a)(5), for any access violation.

GLBA Compliance:

The Financial Services Modernization Act (FMA99) was signed into law in January 1999 (PL 106-102). Commonly referred to as the Gramm-Leach-Bliley Act or GLBA, Title V of the Act governs the steps that financial institutions and financial service companies must undertake to ensure the security and confidentiality of customer information. The Act asserts that financial services companies routinely collect Non-Public Personal Information (NPI) from individuals, and must notify those individuals when sharing information outside of the company (or affiliate structure) and, in some cases, when using such information in situations not related to the furtherance of a specific financial transaction.

- User Logon report: GLBA compliance requirements clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, the intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot.
- User Logoff report: GLBA requirements clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, the intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot.
- Logon Failure report: The security logon feature includes logging all unsuccessful login attempts. The user name, date and time are included in this report.
- Audit Logs access report: GLBA requirements (review and audit access logs) call for procedures to regularly review records of information system activity such as audit logs.
- Security Log Archiving Utility: Periodically, the system administrator will be able to back up encrypted copies of the log data and restart the logs.

Conclusion

"Network Security" has to be done both internally as well as externally. The job of nailing the problem is a huge task which needs expertise and, mostly, help from software such as EventLog Analyzers (compliance and internal monitoring of internal machines) and Firewall Analyzer (virus, attack and traffic monitoring of edge devices).
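The two alert criteria named in the Forensics section (three unsuccessful login attempts, and a virus attack from the same host more than once), worked through as an added example; this is not code from the article or from any product it mentions. The record format, host names and addresses are constructed for illustration, and printing stands in for the "mail me" action; each alert keeps the raw lines that triggered it, in line with the section's point that the original records, not a vendor format, are what count as evidence.

```python
import re
from collections import defaultdict

# Constructed sample records (not from any real device), "ts device EVENT k=v ..." format.
SAMPLE_LOG = """\
2004-03-01 09:00:01 fw1 VIRUS src=10.1.1.5 name=EICAR-Test-File
2004-03-01 09:00:07 host7 LOGIN_FAILED user=jdoe src=10.1.1.9
2004-03-01 09:00:12 host7 LOGIN_FAILED user=jdoe src=10.1.1.9
2004-03-01 09:00:15 host7 LOGIN_OK user=asmith src=10.1.1.3
2004-03-01 09:00:19 host7 LOGIN_FAILED user=jdoe src=10.1.1.9
2004-03-01 09:01:40 fw1 VIRUS src=10.1.1.5 name=EICAR-Test-File
2004-03-01 09:02:02 fw1 VIRUS src=10.1.1.8 name=EICAR-Test-File
"""
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<dev>\S+) (?P<event>\S+)(?P<kv>.*)$")
FAILED_LOGIN_THRESHOLD = 3  # "when 3 unsuccessful login attempts, mail me"
VIRUS_REPEAT_THRESHOLD = 2  # "virus attack from the same host more than once"

def parse_line(line):
    """Split a record into ts/dev/event plus key=value fields; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group("kv")))
    return {"ts": m.group("ts"), "dev": m.group("dev"),
            "event": m.group("event"), "raw": line, **fields}

def evaluate(log_text):
    """Apply both alert rules; each alert keeps the raw lines that triggered
    it, so the original records (not a vendor format) can serve as evidence."""
    failed = defaultdict(list)  # (user, source) -> raw LOGIN_FAILED lines
    virus = defaultdict(list)   # source host -> raw VIRUS lines
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "LOGIN_FAILED":
            key = (rec.get("user"), rec.get("src"))
            failed[key].append(rec["raw"])
            # == not >=, so exactly one alert fires when the threshold is hit
            if len(failed[key]) == FAILED_LOGIN_THRESHOLD:
                alerts.append({"rule": "failed_logins", "key": key,
                               "evidence": list(failed[key])})
        elif rec["event"] == "VIRUS":
            src = rec.get("src")
            virus[src].append(rec["raw"])
            if len(virus[src]) == VIRUS_REPEAT_THRESHOLD:
                alerts.append({"rule": "repeat_virus", "key": src,
                               "evidence": list(virus[src])})
    return alerts

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG):  # stand-in for the "mail me" action
        print(f"ALERT {alert['rule']} {alert['key']}:", *alert["evidence"], sep="\n  ")
```

On the sample records this raises one alert for the third failed login by jdoe from 10.1.1.9 and one for the second virus event from 10.1.1.5; the single event from 10.1.1.8 stays below the threshold.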