Network Security - The road ahead

Contents
Introduction
What is Network Security?
"Network Security" - Monitoring
"Network Security" - Forensics
"Network Security" - Compliance
HIPAA
SOX
GLBA
Conclusion

Introduction

Network Security is the next wave, which is bound to sweep the software market. The increase in offshore projects and the transfer of information across the wire have added fuel to the burning urge to secure the network. As the famous adage goes, the safest computer is one which has been unplugged from the network (making it almost useless). Network security is becoming more of a necessity. Interestingly, the type of security required across different enterprises depends on the nature of their business. Of late, some laws and acts have been defined to identify security breaches, which is a very good move to prevent fraudulent use of or access to information. There are two types of software for network security: one which prevents breaches and one which does the forensic analysis. The main focus of this article is the forensics of network security.

What is Network Security?

Network security: the protection of a computer network and its services from unauthorized modification, destruction, or disclosure.

Network security is a self-contradicting philosophy, where you need to give absolute access and at the same time provide absolute security. Any enterprise needs to secure itself against two different kinds of access to information (or transactions, for that matter: ftp, http etc.): internal access and external access. Securing access to information or resources from the external world (WWW) is quite a task to master; that is where firewalls pitch in. Firewalls act as gatekeepers which segregate intrusive and non-intrusive requests and allow access accordingly. Configuring and maintaining a firewall is by itself a task which needs experience and knowledge. There are no hard and fast rules for instructing firewalls; it depends on where the firewall is installed and how the enterprise intends to provide access to information and resources. So the effectiveness of any firewall depends on how well or how badly you configure it. Please be informed that many firewalls come with pre-configured rules, which are intended to ease the job of securing information access from external sources. In short, a firewall gives you information about attacks happening from the external world.

The toughest job is to secure information from internal sources. More than securing it, managers need to track the information flow, to identify possible causes. The tracking of information flow will come in handy in legal situations, because what seemingly is a sharing of information could be held against you in a court of law. To enforce this, acts such as HIPAA, GLBA and SOX have been put forth, to ensure that scams like that of "Enron" do not happen. In short, the tracking of information and auditing gives you information about security breaches and possible internal attacks.

There are a variety of network security attacks/breaches:
Denial of Service
Virus attacks
Unauthorized Access
Confidentiality breaches
Destruction of information
Data manipulation

Interestingly, all this information is available across the enterprise in the form of log files. But reading through it and making sense of it would take a lifetime. That is where "Network Security" monitoring software, also known as "Log Monitoring" software, pitches in. It does a beautiful job of making sense of the information spread across various locations and offers system administrators a holistic view of what is happening in their network, in terms of network security. In short, such products collect, collate, analyze and produce reports which help the system administrator to keep tabs on network security.

"Network Security" - Monitoring

No matter how fine your defense systems are, you need to have someone to make sense of the huge amount of data churned out by an edge device like a firewall and by the system logs. The typical enterprise logs about 2-3GB/day; depending upon the enterprise, the size might vary. The main goal of forensic software is to mine through the vast amount of information and pull out the events that need attention. "Network security" software plays a major role in identifying the causes of the security breaches that are happening in the enterprise.

One of the major areas that needs to be addressed by any network security product is to provide a collective view of virus attacks across the different edge devices in the network. What this offers an enterprise is a holistic view of the attacks happening across the enterprise. The product should offer a detailed overview of bandwidth usage, and it should also provide user-based access reports. It has to highlight security breaches and misuse of internet access; this will enable the administrator to take the necessary steps. The edge-device monitoring product also has to provide other things like traffic trends, insight into capacity planning and live traffic monitoring, which will help the administrator find the causes of network congestion.

The internal monitoring product has to offer audit information on users, system security breaches and activity audit trails (ex: remote access). As most administrators are ignorant of the requirements of the compliance acts, it is better to cross-reference which acts apply to their enterprise and ensure that the product supports reporting for those compliance acts (please refer to the Compliance section below for details).

All in all, these products will have to support archiving, scheduling of reports and a comprehensive list of reports. Please follow the next section for more details.

"Network Security" - Forensics

The most important feature to look out for when you shortlist a network security forensic product is the ability to archive the raw records. This is a major factor when it comes to acts and laws: in a court of law, the original record has to be produced as proof, and not the vendor's custom format. The next one to look out for is the ability to create alerts, i.e. the ability to notify whenever some criterion is met, ex: "when there are 3 unsuccessful login attempts, mail me", or better still, "if there is a virus attack from the same host more than once, notify me". This will reduce a lot of the manual intervention needed in keeping the network secure. Moreover, the ability to schedule reports is a big plus. You don't have to check the reports daily. Once you have done your groundwork, i.e. configured some basic alerts and some scheduled reports, it should be a cakewalk from then on. All you need to do is check the information (alerts/reports) you get in your inbox. It is recommended that you configure reports on a weekly basis, so that it is never too late to react to a potential threat. And finally, a comprehensive list of reports is a vital feature to look out for. Here is a list of reports that might come in handy for any enterprise:

Reports to expect from edge devices such as a firewall:
Live monitoring
Security reports
Virus reports
Attack reports
Traffic reports
Protocol usage reports
Web usage reports
Mail usage reports
FTP usage reports
Telnet usage reports
VPN reports
Inbound/Outbound traffic reports
Intranet reports
Internet reports
Trend reports

Reports to expect from compliance and internal monitoring (see the Compliance sub-heading for reports on compliance):
User Audit reports (successful/unsuccessful login attempts)
Audit policy changes (ex: change in privileges etc.)
Password changes
Account Lockout
User account changes
IIS reports
DHCP reports
MSI reports (lists the products installed/uninstalled)
Group policy changes
RPC reports
DNS reports
Active Directory reports

The gating factor for choosing a monitoring product is to cross-verify whether the devices you have in your network are supported by the vendor you choose. There are quite a number of products which address this market; you might want to search for "firewall analyzer" and "eventlog analyzer" in Google.

"Network Security" - Compliance

Most industries, such as health care and financial institutions, are mandated to be compliant with the HIPAA and SOX acts. These acts enforce stringent rules in all aspects of the enterprise, including physical access to information. (This section concentrates on the software requirements of the acts.) There are quite a number of agencies that offer compliance as a service for an enterprise. But it all depends on whether you want to handle compliance yourself or employ a third-party vendor to ensure compliance with the acts.

HIPAA Compliance:

HIPAA defines the Security Standards for monitoring and auditing system activity. HIPAA regulations mandate analysis of all logs, including OS and application logs, covering both perimeter devices, such as IDSs, and insider activity. Here are some of the important reports that need to be in place:

User Logon report: HIPAA requirements (164.308 (a)(5) - log-in/log-out monitoring) clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, the intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot.

User Logoff report: HIPAA requirements clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, the intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot.

Logon Failure report: The security logon feature includes logging all unsuccessful login attempts. The user name, date and time are included in this report.

Audit Logs access report: HIPAA requirements (164.308 (a)(3) - review and audit access logs) call for procedures to regularly review records of information system activity such as audit logs.

Security Log Archiving Utility: Periodically, the system administrator will be able to back up encrypted copies of the log data and restart the logs.

SOX Compliance:

Sarbanes-Oxley defines the collection, retention and review of audit trail log data from all sources under section 404's IT process controls. These logs form the basis of the internal controls that provide corporations with the assurance that financial and business information is factual and accurate. Here are some of the important reports to look for:

User Logon report: SOX requirements (Sec 302 (a)(4)(C) and (D) - log-in/log-out monitoring) clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, the intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot.

User Logoff report: SOX requirements (Sec 302 (a)(4)(C) and (D)) clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, the intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot.

Logon Failure report: The security logon feature includes logging all unsuccessful login attempts. The user name, date and time are included in this report.

Audit Logs access report: SOX requirements (Sec 302 (a)(4)(C) and (D) - review and audit access logs) call for procedures to regularly review records of information system activity such as audit logs.

Security Log Archiving Utility: Periodically, the system administrator will be able to back up encrypted copies of the log data and restart the logs.

Track Account management changes: Significant changes in the internal controls (sec 302 (a)(6)). Changes in the security configuration settings, such as adding a user account to or removing it from an administrative group. These changes can be tracked by analyzing event logs.

Track Audit policy changes: Internal controls (sec 302 (a)(5)), by tracking the event logs for any changes in the security audit policy.

Track individual user actions: Internal controls (sec 302 (a)(5)), by auditing user activity.

Track application access: Internal controls (sec 302 (a)(5)), by tracking application processes.

Track directory / file access: Internal controls (sec 302 (a)(5)), for any access violation.

GLBA Compliance:

The Financial Services Modernization Act (FMA99) was signed into law in January 1999 (PL 106-102). Commonly referred to as the Gramm-Leach-Bliley Act or GLBA, Title V of the Act governs the steps that financial institutions and financial service companies must undertake to ensure the security and confidentiality of customer information. The Act asserts that financial services companies routinely collect Non-Public Personal Information (NPI) from individuals, and must notify those individuals when sharing information outside of the company (or affiliate structure) and, in some cases, when using such information in situations not related to the furtherance of a specific financial transaction.

User Logon report: GLBA compliance requirements clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, the intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot.

User Logoff report: GLBA requirements clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, the intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot.

Logon Failure report: The security logon feature includes logging all unsuccessful login attempts. The user name, date and time are included in this report.

Audit Logs access report: GLBA requirements (review and audit access logs) call for procedures to regularly review records of information system activity such as audit logs.

Security Log Archiving Utility: Periodically, the system administrator will be able to back up encrypted copies of the log data and restart the logs.

Conclusion

"Network Security" has to be done both internally as well as externally. The job of nailing the problem is a huge task which needs expertise and, mostly, help from software such as EventLog Analyzers (compliance and internal monitoring of internal machines) and Firewall Analyzer (virus, attack and traffic monitoring of edge devices).
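The alert criteria from the Forensics section (three failed logins for one user; a virus seen from the same host more than once) and the Logon Failure and account-management reports from the Compliance sections, worked through as an added example that is not part of the original article or of any product it mentions. The log line format is invented for the example; real analyzers parse their vendors' own formats.

```python
"""Added example: build compliance reports and alerts from constructed audit
log lines. Line format (invented): DATE TIME HOST EVENT key=value ..."""
import re
from collections import Counter

# Constructed sample records (not real log data).
SAMPLE_LOG = """\
2024-03-04 09:12:01 FS01 LOGON_FAILURE user=jdoe src=10.0.0.5
2024-03-04 09:12:09 FS01 LOGON_FAILURE user=jdoe src=10.0.0.5
2024-03-04 09:12:20 FS01 LOGON_FAILURE user=jdoe src=10.0.0.5
2024-03-04 09:13:00 FS01 LOGON_SUCCESS user=asmith src=10.0.0.7
2024-03-04 09:40:15 DC01 GROUP_MEMBER_ADDED user=asmith group=Administrators actor=admin
2024-03-04 10:02:33 FW01 VIRUS_DETECTED src=10.0.0.9 signature=Worm.Test
2024-03-04 10:05:10 FW01 VIRUS_DETECTED src=10.0.0.9 signature=Worm.Test
2024-03-04 10:30:00 FS01 LOGOFF user=asmith
2024-03-04 11:00:00 FS01 LOGON_FAILURE user=bnguyen src=10.0.0.11
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(.*)$")

def parse_log(text):
    """Turn each line into a dict: date, time, host, event plus key=value fields."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the format
        date, time, host, event, rest = m.groups()
        rec = {"date": date, "time": time, "host": host, "event": event}
        rec.update(dict(kv.split("=", 1) for kv in rest.split()))
        records.append(rec)
    return records

def logon_failure_report(records):
    """Logon Failure report: user name, date and time of every failed attempt."""
    return [(r["user"], r["date"], r["time"])
            for r in records if r["event"] == "LOGON_FAILURE"]

def account_management_report(records):
    """SOX sec 302 account-management changes: who added which user to which group."""
    return [(r["actor"], r["user"], r["group"])
            for r in records if r["event"] == "GROUP_MEMBER_ADDED"]

def alerts(records, failure_threshold=3):
    """Alert criteria from the Forensics section: N failed logons for one user,
    and a virus detected from the same source host more than once."""
    failures = Counter(r["user"] for r in records if r["event"] == "LOGON_FAILURE")
    viruses = Counter(r["src"] for r in records if r["event"] == "VIRUS_DETECTED")
    out = [f"{n} failed logons for user {u}"
           for u, n in failures.items() if n >= failure_threshold]
    out += [f"repeated virus detections from host {h} ({n})"
            for h, n in viruses.items() if n > 1]
    return out

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(logon_failure_report(recs))
    print(account_management_report(recs))
    print(alerts(recs))
```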
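The Forensics section's requirement to archive the raw records so the original, not a vendor format, can be produced as proof, together with the Security Log Archiving Utility from the Compliance sections, as an added example (not the article's or any vendor's code). Records are stored byte-for-byte and sealed with a keyed manifest; the key and the sample records are placeholders, and encrypting the archive at rest is assumed to be a separate step applied to the returned bytes.

```python
"""Added example: archive raw audit records unchanged and seal them with an
HMAC manifest, so a single edited record, a forged manifest, or the wrong key
is detected when the archive is later produced as evidence."""
import gzip
import hashlib
import hmac
import json

# Placeholder key for the example only; a real deployment keeps it in a KMS/HSM.
KEY = b"example-archive-key-not-for-production"

# Constructed sample records (not real log data).
RAW = (b"2024-03-04 09:12:01 FS01 LOGON_FAILURE user=jdoe\n"
       b"2024-03-04 09:13:00 FS01 LOGON_SUCCESS user=asmith\n")

def _record_digests(raw):
    """One SHA-256 per non-empty record line, so one altered line is caught."""
    return [hashlib.sha256(line).hexdigest() for line in raw.split(b"\n") if line]

def archive_raw_log(raw, key):
    """Compress the records without altering them and return (archive, manifest).
    The manifest lists per-record digests and an HMAC over them under `key`."""
    digests = _record_digests(raw)
    body = {"records": len(digests), "line_sha256": digests}
    body_bytes = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, body_bytes, hashlib.sha256).hexdigest()
    return gzip.compress(raw), json.dumps({"body": body, "hmac": tag})

def verify_archive(archive, manifest_json, key):
    """True only if the manifest is authentic under `key` and every record in
    the decompressed archive matches it."""
    manifest = json.loads(manifest_json)
    body_bytes = json.dumps(manifest["body"], sort_keys=True).encode()
    expected = hmac.new(key, body_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return False  # manifest forged or wrong key
    return _record_digests(gzip.decompress(archive)) == manifest["body"]["line_sha256"]

def extract_raw(archive):
    """Return the original records exactly as logged, for production as proof."""
    return gzip.decompress(archive)
```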