Network Security - The Road Ahead

Contents: Introduction; What is Network Security?; "Network Security" - Monitoring; "Network Security" - Forensics; "Network Security" - Compliance (HIPAA, SOX, GLBA); Conclusion

Introduction

Network security is the next wave that is bound to sweep the software market. The increase in offshore projects and in the transfer of information across the wire has added fuel to the urge to secure the network. As the famous adage goes, the safest computer is one that has been unplugged from the network (which also makes it almost useless). Network security is becoming a necessity. Interestingly, the type of security required differs between enterprises depending on the nature of their business. Of late, laws and acts have been defined to identify security breaches, which is a very good move towards preventing fraudulent use of, and access to, information. There are two types of software for network security: software that prevents breaches and software that does the forensic analysis. The main focus of this article is the forensics of network security.

What is Network Security?

Network security: the protection of a computer network and its services from unauthorized modification, destruction, or disclosure.

Network security is a self-contradicting philosophy where you need to give absolute access and at the same time provide absolute security. Any enterprise needs to secure itself against two different kinds of access to information and transactions (ftp, http and so on): internal access and external access. Securing access to information or resources from the external world (the WWW) is quite a task to master; that is where firewalls pitch in. Firewalls act as gatekeepers that separate intrusive requests from non-intrusive ones and allow only the latter through. Configuring and maintaining a firewall is by itself a task that needs experience and knowledge. There are no hard and fast rules for instructing a firewall; it depends on where the firewall is installed and how the enterprise intends to provide access to its information and resources. So the effectiveness of any firewall depends on how well or how badly you configure it. Be aware that many firewalls come with pre-configured rules intended to make the job of securing information access from external sources easier. In short, the firewall gives you information about attacks coming from the external world.

The toughest job is to secure information from internal sources. More than securing it, managers need to track the flow of information in order to identify possible causes. The tracking of information flow will come in handy in legal situations, because what appears to be a mere sharing of information could be held against you in a court of law. To enforce this, acts such as HIPAA, GLBA and SOX have been put forth, to ensure that scams like that of "Enron" do not happen again. In short, the tracking and auditing of information gives you information about security breaches and possible internal attacks.

There are a variety of network security attacks and breaches:
- Denial of service
- Virus attacks
- Unauthorized access
- Confidentiality breaches
- Destruction of information
- Data manipulation

Interestingly, all of this information is available across the enterprise in the form of log files. But reading through it and making sense of it would take a lifetime. That is where "network security" monitoring software, also known as "log monitoring" software, pitches in. It does a beautiful job of making sense of the information spread across various locations and offers system administrators a holistic view of what is happening in their network in terms of network security. In short, it collects, collates, analyzes and produces reports that help the system administrator keep tabs on network security.

"Network Security" - Monitoring

No matter how fine your defense systems are, you need someone to make sense of the huge amount of data churned out by an edge device such as a firewall and by the system logs. A typical enterprise logs about 2-3 GB per day; the figure varies with the size of the enterprise. The main goal of forensic software is to mine through that vast amount of information and pull out the events that need attention. "Network security" software plays a major role in identifying the causes of the security breaches that are happening in the enterprise.

One of the major areas that any network security product needs to address is a collective view of virus attacks across the different edge devices in the network. What this offers the enterprise is a holistic view of the attacks happening across the enterprise. The product should also offer a detailed overview of bandwidth usage and provide user-based access reports. It has to highlight security breaches and misuse of internet access, so that the administrator can take the necessary steps. An edge device monitoring product also has to provide traffic trends, insight for capacity planning and live traffic monitoring, which will help the administrator find the causes of network congestion.

The internal monitoring product has to offer audit information on users, system security breaches and activity audit trails (for example, remote access). As most administrators are unfamiliar with the requirements of the compliance acts, it is better to cross-reference which acts apply to their enterprise and ensure that the product supports reporting for those acts (see the compliance section below for details).

Altogether, these products will have to support archiving, scheduling of reports and a comprehensive list of reports. See the next section for more details.

"Network Security" - Forensics

The most important feature to look out for when you shortlist a network security forensic product is the ability to archive the raw records. This is a major factor when it comes to acts and laws: in a court of law, the original record has to be produced as proof, not the vendor's custom format. The next one to look out for is the ability to create alerts, i.e. the ability to notify you whenever some criterion is met, for example "mail me after 3 unsuccessful login attempts", or better still "notify me if there is a virus attack from the same host more than once". This greatly reduces the manual intervention needed to keep the network secure. Moreover, the ability to schedule reports is a big plus: you don't have to check the reports daily. Once you have done the groundwork of configuring some basic alerts and some scheduled reports, it should be a cakewalk from then on. All you need to do is check the alerts and reports that arrive in your inbox. It is recommended that you configure reports on at least a weekly basis, so that it is never too late to react to a potential threat. And finally, a comprehensive list of reports is a vital feature to look out for. Here is a list of reports that might come in handy for any enterprise:

Reports to expect from edge devices such as a firewall:
- Live monitoring
- Security reports
- Virus reports
- Attack reports
- Traffic reports
- Protocol usage reports
- Web usage reports
- Mail usage reports
- FTP usage reports
- Telnet usage reports
- VPN reports
- Inbound/outbound traffic reports
- Intranet reports
- Internet reports
- Trend reports

Reports to expect from compliance and internal monitoring (see the compliance section for the reports each act calls for):
- User audit reports (successful/unsuccessful login attempts)
- Audit policy changes (for example, a change in privileges)
- Password changes
- Account lockouts
- User account changes
- IIS reports
- DHCP reports
- MSI reports (lists the products installed/uninstalled)
- Group policy changes
- RPC reports
- DNS reports
- Active Directory reports

The gating factor in choosing a monitoring product is to cross-verify that the devices you have in your network are supported by the vendor you choose. There are quite a number of products that address this market; you might want to search for "firewall analyzer" and "eventlog analyzer" in Google.

"Network Security" - Compliance

Most industries such as health care and financial institutions are mandated to be compliant with the HIPAA and SOX acts. These acts enforce stringent rules on all aspects of the enterprise, including physical access to information. (This section concentrates on the software requirements of the acts.) There are quite a number of agencies that offer compliance as a service for an enterprise, but it all depends on whether you want to handle compliance yourself or employ a third-party vendor to ensure compliance with the acts.

HIPAA Compliance:

HIPAA defines the security standards for monitoring and auditing system activity. HIPAA regulations mandate analysis of all logs, including OS and application logs, covering both perimeter devices such as IDSs and insider activity. Here are some of the important reports that need to be in place:

User logon report: HIPAA requirements (164.308 (a)(5) - log-in/log-out monitoring) clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, the intent is not just to catch hackers but also to document access to medical details by legitimate users. In most cases, the very fact that access is recorded is deterrent enough against malicious activity, much like the presence of a surveillance camera in a parking lot.

User logoff report: required under the same provision and for the same reasons as the user logon report; logoff times complete the record of who was on the system and when.

Logon failure report: the security logon feature includes logging all unsuccessful login attempts. The user name, date and time are included in this report.

Audit log access report: HIPAA requirements (164.308 (a)(3) - review and audit access logs) call for procedures to regularly review records of information system activity such as audit logs.

Security log archiving utility: periodically, the system administrator must be able to back up encrypted copies of the log data and restart the logs.

SOX Compliance:

Sarbanes-Oxley defines the collection, retention and review of audit trail log data from all sources under the IT process controls of section 404. These logs form the basis of the internal controls that give corporations assurance that financial and business information is factual and accurate. Here are some of the important reports to look for:

User logon report: SOX requirements (Sec 302 (a)(4)(C) and (D) - log-in/log-out monitoring) clearly state that user accesses to the system be recorded and monitored for possible abuse. As with HIPAA, the intent is not just to catch hackers but also to document access to financial and business records by legitimate users; the fact that access is recorded is itself a deterrent.

User logoff report: required under the same provision and for the same reasons as the user logon report.

Logon failure report: the security logon feature includes logging all unsuccessful login attempts. The user name, date and time are included in this report.

Audit log access report: SOX requirements (Sec 302 (a)(4)(C) and (D) - review and audit access logs) call for procedures to regularly review records of information system activity such as audit logs.

Security log archiving utility: periodically, the system administrator must be able to back up encrypted copies of the log data and restart the logs.

Track account management changes: significant changes in the internal controls (sec 302 (a)(6)), such as changes to security configuration settings like adding a user account to, or removing one from, an administrative group. These changes can be tracked by analyzing event logs.

Track audit policy changes: internal controls (sec 302 (a)(5)), by tracking the event logs for any changes in the security audit policy.

Track individual user actions: internal controls (sec 302 (a)(5)), by auditing user activity.

Track application access: internal controls (sec 302 (a)(5)), by tracking application processes.

Track directory/file access: internal controls (sec 302 (a)(5)), for any access violation.

GLBA Compliance:

The Financial Services Modernization Act (FMA99) was signed into law in November 1999 (PL 106-102). Commonly referred to as the Gramm-Leach-Bliley Act or GLBA, Title V of the Act governs the steps that financial institutions and financial service companies must undertake to ensure the security and confidentiality of customer information. The Act asserts that financial services companies routinely collect Non-Public Personal Information (NPI) from individuals, and must notify those individuals when sharing information outside of the company (or affiliate structure) and, in some cases, when using such information in situations not related to the furtherance of a specific financial transaction.

User logon report: GLBA compliance requirements clearly state that user accesses to the system be recorded and monitored for possible abuse. Again, the intent is not just to catch hackers but also to document access to customer information by legitimate users; the record itself is a deterrent.

User logoff report: required for the same reasons as the user logon report.

Logon failure report: the security logon feature includes logging all unsuccessful login attempts. The user name, date and time are included in this report.

Audit log access report: GLBA requirements (review and audit access logs) call for procedures to regularly review records of information system activity such as audit logs.

Security log archiving utility: periodically, the system administrator must be able to back up encrypted copies of the log data and restart the logs.

Conclusion

"Network security" has to be done both internally and externally. The job of nailing down the problem is a huge task that needs expertise and, mostly, help from software such as EventLog Analyzers (compliance and internal monitoring of internal machines) and Firewall Analyzers (virus, attack and traffic monitoring of edge devices).
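The Monitoring and Forensics sections above describe collecting logs from several sources, producing a logon-failure report, and firing alerts such as "3 unsuccessful login attempts" or "a virus attack from the same host more than once". The following is an added example written for this page, not code from the article or from any vendor product; the key=value log format, the host names, the 5-minute window and the sample records are all constructed for the demonstration.

```python
"""Log monitoring and alerting over constructed sample events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in an assumed "timestamp key=value ..." format.
AUTH_LOG = """\
2006-03-01T09:00:01 host=fs01 user=alice result=success src=10.0.0.5
2006-03-01T09:01:10 host=fs01 user=bob result=failure src=10.0.0.77
2006-03-01T09:01:40 host=fs01 user=bob result=failure src=10.0.0.77
2006-03-01T09:02:05 host=fs01 user=bob result=failure src=10.0.0.77
2006-03-01T09:30:00 host=fs01 user=carol result=failure src=10.0.0.9
2006-03-01T11:30:00 host=fs01 user=carol result=failure src=10.0.0.9
2006-03-01T11:45:00 host=fs01 user=carol result=failure src=10.0.0.9
garbage line that a real collector must survive without aborting
"""
FIREWALL_LOG = """\
2006-03-01T09:05:00 device=fw-edge event=virus src=10.0.0.77 sig=W32.Example
2006-03-01T09:06:00 device=fw-edge event=allow src=10.0.0.5 proto=http
2006-03-01T09:07:30 device=fw-dmz event=virus src=10.0.0.77 sig=W32.Example
2006-03-01T09:08:00 device=fw-edge event=virus src=10.0.0.9 sig=Trojan.Example
"""

def parse(log_text):
    """Normalize lines into dicts with a datetime 'ts'; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        ts, _, rest = line.partition(" ")
        try:
            rec = dict(kv.split("=", 1) for kv in rest.split())
            rec["ts"] = datetime.fromisoformat(ts)
        except ValueError:
            continue  # never let one bad line stop the whole run
        events.append(rec)
    return events

def logon_failure_report(auth_events):
    """User name, date/time and source of every unsuccessful login."""
    return [(e["user"], e["ts"].isoformat(), e["src"])
            for e in auth_events if e.get("result") == "failure"]

def failed_login_alerts(auth_events, threshold=3, window=timedelta(minutes=5)):
    """Alert when one user fails `threshold` times within a sliding time window.
    The window matters: three failures spread over hours are not brute force."""
    by_user = defaultdict(list)
    for e in sorted(auth_events, key=lambda e: e["ts"]):
        if e.get("result") == "failure":
            by_user[e["user"]].append(e["ts"])
    alerts = []
    for user, times in by_user.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append(f"{user}: {threshold} failed logins within {window}")
                break  # one alert per user per run
    return alerts

def repeated_virus_alerts(fw_events):
    """Alert when the same source host is flagged for a virus more than once,
    collated across all edge devices rather than per device."""
    hits = defaultdict(list)
    for e in fw_events:
        if e.get("event") == "virus":
            hits[e["src"]].append(e["device"])
    return [f"{src}: {len(devs)} virus detections on {sorted(devs)}"
            for src, devs in sorted(hits.items()) if len(devs) > 1]

if __name__ == "__main__":
    auth, fw = parse(AUTH_LOG), parse(FIREWALL_LOG)
    for row in logon_failure_report(auth):
        print("FAILED LOGIN", row)
    for alert in failed_login_alerts(auth) + repeated_virus_alerts(fw):
        print("ALERT", alert)
```

Run as-is it reports six failed logins, alerts on bob (three failures inside two minutes) but not on carol (three failures spread over hours), and alerts on 10.0.0.77 because two different firewalls saw it, which is the collective, cross-device view the Monitoring section asks for.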
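The Forensics section makes the point that the original raw record, not a vendor format, must be producible in court, and the compliance sections call for an archiving utility that periodically backs up log data and restarts the logs. The following is an added example, not code from the article: it stores raw lines byte-for-byte, links each archived segment to the previous one with a hash chain so that "restarting the logs" leaves no unaccounted gap, and protects the manifest with an HMAC so that a later edit, deletion or reordering is detected. The key, the segment contents and the names are constructed for the demonstration.

```python
"""Tamper-evident archiving of raw log records across segments (added example)."""
import gzip
import hashlib
import hmac
import json

# Constructed sample segments and a hypothetical key; in a real deployment the key
# lives in a vault or HSM, never on the machine that writes the logs.
SEGMENT_1 = [
    "2006-03-01T09:01:10 host=fs01 user=bob result=failure src=10.0.0.77",
    "2006-03-01T09:01:40 host=fs01 user=bob result=failure src=10.0.0.77",
]
SEGMENT_2 = [
    "2006-03-01T09:02:05 host=fs01 user=bob result=failure src=10.0.0.77",
]
ARCHIVE_KEY = b"assumed-archive-key"
GENESIS = "00" * 32  # chain seed for the very first segment

def chain_digest(records, prev_chain=GENESIS):
    """h_i = SHA256(h_{i-1} || record_i), seeded with the previous segment's tail,
    so editing, dropping or reordering any record changes the final value."""
    h = bytes.fromhex(prev_chain)
    for rec in records:
        h = hashlib.sha256(h + rec.encode("utf-8")).digest()
    return h.hex()

def _mac(manifest_without_mac, key):
    body = json.dumps(manifest_without_mac, sort_keys=True).encode("utf-8")
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def archive(records, prev_chain=GENESIS, key=ARCHIVE_KEY):
    """Store the raw lines unchanged (gzip only) and return (blob, manifest)."""
    raw = ("\n".join(records) + "\n").encode("utf-8")
    manifest = {
        "count": len(records),
        "sha256": hashlib.sha256(raw).hexdigest(),
        "prev_chain": prev_chain,
        "chain": chain_digest(records, prev_chain),
    }
    manifest["mac"] = _mac(manifest, key)
    return gzip.compress(raw), manifest

def verify(blob, manifest, key=ARCHIVE_KEY):
    """Recompute everything from the archived bytes; return (ok, reason)."""
    unsigned = {k: v for k, v in manifest.items() if k != "mac"}
    if not hmac.compare_digest(_mac(unsigned, key), manifest.get("mac", "")):
        return False, "manifest MAC mismatch"
    raw = gzip.decompress(blob)
    if hashlib.sha256(raw).hexdigest() != manifest["sha256"]:
        return False, "raw bytes differ from manifest"
    records = raw.decode("utf-8").splitlines()
    if (len(records) != manifest["count"]
            or chain_digest(records, manifest["prev_chain"]) != manifest["chain"]):
        return False, "record chain broken"
    return True, "ok"

def restore_records(blob):
    """The original lines, unchanged, for production as evidence."""
    return gzip.decompress(blob).decode("utf-8").splitlines()

def tamper(blob, old, new):
    """Simulate an after-the-fact edit of the archived raw bytes."""
    return gzip.compress(gzip.decompress(blob).replace(old.encode(), new.encode()))

if __name__ == "__main__":
    blob1, m1 = archive(SEGMENT_1)
    blob2, m2 = archive(SEGMENT_2, prev_chain=m1["chain"])  # logs restarted, chain continues
    print(verify(blob1, m1), verify(blob2, m2))
    print(verify(tamper(blob1, "user=bob", "user=eve"), m1))
```

The block authenticates the archive but does not encrypt it; the article's "encrypted copies" would be the next step, wrapping the blob and manifest with an authenticated cipher before they leave the collector. Verification must always recompute from the stored bytes rather than trust fields in the manifest, which is why the MAC is checked first and the chain last.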