Network Security - The Road Ahead

Introduction
Network security is the next wave that is bound to sweep the software market. The increase in offshore projects and in information transferred over the wire has added fuel to the urge to secure the network. As the adage goes, the safest computer is one that has been unplugged from the network (which also makes it almost useless). Network security is becoming a necessity, and the kind of security an enterprise needs depends on the nature of its business. Of late, laws and acts have been passed that define what counts as a security breach, which is a good move towards preventing fraudulent use of, or access to, information. There are two types of network security software: software that prevents breaches and software that does the forensic analysis after the fact. The main focus of this article is the forensic side.

What is Network Security?
Network security: the protection of a computer network and its services from unauthorized modification, destruction, or disclosure.

Network security is a self-contradicting philosophy: you need to give absolute access and at the same time provide absolute security. Any enterprise needs to secure two kinds of access to its information and transactions (FTP, HTTP and so on): internal access and external access. Securing access to information or resources from the external world is quite a task to master, and that is where firewalls come in. A firewall acts as a gatekeeper that separates intrusive requests from legitimate ones and lets only the latter through. Configuring and maintaining a firewall is itself a task that needs experience and knowledge. There are no hard and fast rules for writing firewall rules; they depend on where the firewall sits and how the enterprise intends to expose its information and resources. The effectiveness of any firewall therefore depends on how well or how badly you configure it. Be aware that many firewalls ship with pre-configured rules, which are meant to make securing access from external sources easier, but which should still be reviewed against your own requirements rather than trusted blindly. In short, the firewall is your source of information about attacks coming from the external world.

The toughest job is to secure information from internal sources. Beyond securing it, managers need to track the flow of information in order to identify the likely causes of an incident. That tracking comes in handy in legal situations, because what seems to be innocent sharing of information could be held against you in a court of law. Acts such as HIPAA, GLBA and SOX have been put forth to enforce this: SOX in particular was passed so that scandals like Enron do not happen again, while HIPAA and GLBA protect health information and customers' financial information respectively. In short, tracking and auditing information flow gives you information about security breaches and possible internal attacks.

There are a variety of network security attacks and breaches:

Interestingly, all of this information is already available across the enterprise in the form of log files. But reading through it and making sense of it would take a lifetime. That is where "network security monitoring" software, also known as "log monitoring" software, comes in. It does the job of making sense of information spread across many locations and offers system administrators a holistic view of what is happening in their network in terms of security. In short, such software collects, collates, analyzes and reports, which helps the system administrator keep tabs on network security.


Network Security - Monitoring

No matter how fine your defences are, you need someone to make sense of the huge amount of data churned out by edge devices such as firewalls and by system logs. A typical enterprise logs about 2-3 GB per day; the volume varies with the size of the enterprise. The main goal of forensic software is to mine that volume of information and pull out the events that need attention. Network security software therefore plays a major role in identifying the causes of, and the security breaches behind, what is happening in the enterprise.

One of the major areas any network security product needs to address is a collective view of virus attacks across the different edge devices in the network, which gives the enterprise a holistic view of the attacks happening across it. It should offer a detailed overview of bandwidth usage and user-based access reports. The product has to highlight security breaches and misuse of internet access so that the administrator can take the necessary steps. An edge-device monitoring product also has to provide traffic trends, insight for capacity planning and live traffic monitoring, which help the administrator find the causes of network congestion.

The internal monitoring product has to offer user audit information, system security breaches and activity audit trails (for example, remote access). As most administrators are unfamiliar with the requirements of the compliance acts, it is better to cross-reference which acts apply to the enterprise and ensure that the product supports reporting for those acts (please refer to the Compliance section below for details).

Altogether, such products will have to support archiving, scheduling of reports and a comprehensive list of reports. The next section gives more details.


Network Security - Forensics

The most important feature to look for when you shortlist a network security forensic product is the ability to archive the raw records. This is a major factor when it comes to acts and laws: in a court of law, the original record has to be produced as proof, not the vendor's custom format. The next feature to look for is the ability to create alerts, that is, to be notified whenever some criterion is met, for example "mail me after 3 unsuccessful login attempts", or better still "notify me if a virus attack is seen from the same host more than once". This greatly reduces the manual intervention needed to keep the network secure. The ability to schedule reports is another big plus: you don't have to check reports daily. Once you have done the groundwork of configuring some basic alerts and some scheduled reports, it should be a cakewalk from then on; all you need to do is check the alerts and reports that arrive in your inbox. It is recommended that you schedule reports at least weekly, so that it is never too late to react to a potential threat, and rely on alerts for anything that cannot wait that long. Finally, a comprehensive list of reports is a vital feature to look for. Here is a list of reports that might come in handy for any enterprise:

Reports to expect from edge devices such as a firewall:

  1. Live monitoring
  2. Security reports
  3. Virus reports
  4. Attack reports
  5. Traffic reports
  6. Protocol usage reports
  7. Web usage reports
  8. Mail usage reports
  9. FTP usage reports
  10. Telnet usage reports
  11. VPN reports
  12. Inbound/Outbound traffic reports
  13. Intranet reports
  14. Internet reports
  15. Trend reports

Reports to expect from compliance and internal monitoring (see the Compliance section for reports specific to each act):

  1. User audit reports (successful/unsuccessful login attempts)
  2. Audit policy changes (ex: change in privileges etc)
  3. Password changes
  4. Account Lockout
  5. User account changes
  6. IIS reports
  7. DHCP reports
  8. MSI reports( lists the products installed/uninstalled)
  9. Group policy changes
  10. RPC reports
  11. DNS reports
  12. Active directory reports
The gating factor in choosing a monitoring product is to verify that the devices you have in your network are supported by the vendor you choose. There are quite a number of products that address this market; you might want to search for "firewall analyzer" and "eventlog analyzer" in Google.
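As an added example, not code from the original article or from any product it names, the Python script below implements the two alert rules described in the Forensics section above ("3 unsuccessful login attempts" and "a virus attack from the same host more than once") and archives the raw records behind a per-line hash chain, so that the originals, rather than a vendor-formatted report, can later be shown to be unaltered. The syslog-style line format, the five-minute window, and every device name, user and address are constructed for the example; the article specifies none of them.

```python
"""Added example, not code from the original article or any product it names:
a minimal log monitor that (1) parses constructed syslog-style lines,
(2) raises the two alerts the article describes, a burst of failed logins
and repeated virus detections from one host, and (3) archives the raw records
behind a hash chain so an auditor can prove the originals were not edited.
All hosts, users, addresses and the line format are constructed."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <device> <EVENT> key=value ...".
SAMPLE_LOGS = """\
2004-11-02T08:00:01 fw1 LOGIN_FAIL user=bob src=10.0.0.5
2004-11-02T08:00:09 fw1 LOGIN_FAIL user=bob src=10.0.0.5
2004-11-02T08:01:30 fw1 LOGIN_OK user=alice src=10.0.0.7
2004-11-02T08:02:12 fw1 LOGIN_FAIL user=bob src=10.0.0.5
2004-11-02T09:15:00 av1 VIRUS src=10.0.0.9 name=EICAR-Test-File
2004-11-02T09:40:00 av1 VIRUS src=10.0.0.9 name=EICAR-Test-File
2004-11-02T12:00:00 fw1 LOGIN_FAIL user=carol src=10.0.0.8
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<device>\S+) (?P<event>\S+)(?P<kv>.*)$")
FAIL_THRESHOLD = 3                   # "3 unsuccessful login attempts" from the article
FAIL_WINDOW = timedelta(minutes=5)   # assumption: the article names no window


def parse(text):
    """Parse raw lines into dicts. Unparseable lines are skipped for analysis
    but stay in the raw archive: the raw text, not this view, is the evidence."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = {"ts": datetime.fromisoformat(m["ts"]), "device": m["device"],
               "event": m["event"], "raw": line}
        rec.update(re.findall(r"(\w+)=(\S+)", m["kv"]))   # key=value pairs
        records.append(rec)
    return records


def failed_login_alerts(records, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """One alert per burst of `threshold` failed logins by one user inside a
    sliding `window`. Keyed on user; a spray of single attempts across many
    users from one source needs a second rule keyed on src (omitted here)."""
    recent = defaultdict(list)
    alerts = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event"] != "LOGIN_FAIL":
            continue
        times = recent[r.get("user")]
        times.append(r["ts"])
        while times and r["ts"] - times[0] > window:   # expire old attempts
            times.pop(0)
        if len(times) >= threshold:
            alerts.append(f"{threshold} failed logins for user={r.get('user')} "
                          f"from {r.get('src')} within {window}")
            times.clear()   # fire once per burst, not on every later attempt
    return alerts


def repeated_virus_alerts(records):
    """Alert when the same source host is reported by the AV more than once."""
    counts = defaultdict(int)
    for r in records:
        if r["event"] == "VIRUS":
            counts[r.get("src")] += 1
    return [f"repeated virus detections from {src} ({n} events)"
            for src, n in sorted(counts.items()) if n > 1]


def hash_chain(text):
    """Commit to the raw archive line by line: each link is SHA-256 over the
    previous link plus the line, so editing, inserting or deleting a line
    breaks every link from that point on."""
    link = hashlib.sha256(b"").hexdigest()
    chain = []
    for line in text.splitlines():
        link = hashlib.sha256(f"{link}\n{line}".encode()).hexdigest()
        chain.append(link)
    return chain


def first_tampered_line(text, chain):
    """Recompute the chain over an archived copy; return the index of the first
    line that no longer matches, or -1 if the copy is intact."""
    lines = text.splitlines()
    link = hashlib.sha256(b"").hexdigest()
    for i, line in enumerate(lines):
        if i >= len(chain):
            return i                            # lines were appended
        link = hashlib.sha256(f"{link}\n{line}".encode()).hexdigest()
        if link != chain[i]:
            return i                            # line edited, inserted or removed
    return -1 if len(lines) == len(chain) else len(lines)   # trailing lines cut


def monitor(text):
    """Run both alert rules and return (alerts, chain); the chain is stored
    next to the untouched raw archive."""
    records = parse(text)
    return failed_login_alerts(records) + repeated_virus_alerts(records), hash_chain(text)


if __name__ == "__main__":
    found, chain = monitor(SAMPLE_LOGS)
    for a in found:
        print("ALERT:", a)
    print("archive intact:", first_tampered_line(SAMPLE_LOGS, chain) == -1)
```

The chain only proves anything if its links (at minimum the last one) are kept somewhere the log host cannot rewrite, for example on write-once media or a separate system; an attacker who can edit the archive and the chain together can simply recompute it. The alert functions return their findings rather than mailing them, so the same code can feed a scheduler, a mailer or a test.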


Network Security - Compliance

Most industries such as health care and financial institutions are mandated to comply with acts such as HIPAA and SOX. These acts enforce stringent rules in all aspects of the enterprise, including physical access to information (this section concentrates on the software requirements of the acts). Quite a number of agencies offer compliance as a service to enterprises. Whether you handle compliance yourself or employ a third-party vendor to ensure compliance with the acts is up to you.


HIPAA Compliance:
The HIPAA Security Rule defines the security standards for monitoring and auditing system activity. It requires regular review of records of information system activity, including OS and application logs, from perimeter devices such as IDSs as well as from insider activity. Here are some of the important reports that need to be in place:

  1. User Logon report: HIPAA (164.308(a)(5)(ii)(C), log-in monitoring) requires procedures for monitoring log-in attempts and reporting discrepancies, so user access to the system must be recorded and monitored for possible abuse. Remember, the intent is not just to catch hackers but also to document access to medical details by legitimate users. In most cases, the very fact that access is recorded is deterrent enough against malicious activity, much like a surveillance camera in a parking lot.
  2. User Logoff report: the logoff record completes the logon record above, showing when each user's session ended and how long it lasted; the same requirement applies.
  3. Logon Failure report: the security log records all unsuccessful login attempts; the user name, date and time are included in this report.
  4. Audit Logs access report: HIPAA (164.308(a)(1)(ii)(D), information system activity review) calls for procedures to regularly review records of information system activity such as audit logs, access reports and security incident tracking reports.
  5. Security Log Archiving Utility: periodically, the system administrator backs up encrypted copies of the log data and restarts the logs.

SOX Compliance:
Sarbanes-Oxley requires the collection, retention and review of audit-trail log data from all sources under the IT process controls of section 404. These logs form the basis of the internal controls that give corporations assurance that financial and business information is factual and accurate. Here are some of the important reports to look for:

  1. User Logon report: SOX (Sec 302 (a)(4)(C) and (D)) requires the signing officers to evaluate and report on the effectiveness of internal controls; in practice that means user access to financial systems must be recorded and monitored for possible abuse. Remember, the intent is not just to catch hackers but also to document access to financial records by legitimate users. In most cases, the very fact that access is recorded is deterrent enough against malicious activity, much like a surveillance camera in a parking lot.
  2. User Logoff report: the logoff record completes the logon record above, showing when each session on a financial system ended; the same Sec 302 (a)(4)(C) and (D) controls apply.
  3. Logon Failure report: the security log records all unsuccessful login attempts; the user name, date and time are included in this report.
  4. Audit Logs access report: the same Sec 302 (a)(4)(C) and (D) controls call for procedures to regularly review records of information system activity such as audit logs.
  5. Security Log Archiving Utility: periodically, the system administrator backs up encrypted copies of the log data and restarts the logs.
  6. Track account management changes: Sec 302 (a)(6) requires disclosure of significant changes in internal controls. Changes in security configuration, such as adding a user account to, or removing one from, an administrative group, are such changes and can be tracked by analyzing event logs.
  7. Track audit policy changes: supports the internal-control disclosures of Sec 302 (a)(5) by tracking the event logs for any change in the security audit policy.
  8. Track individual user actions: supports Sec 302 (a)(5) by auditing user activity.
  9. Track application access: supports Sec 302 (a)(5) by tracking application processes.
  10. Track directory / file access: supports Sec 302 (a)(5) by recording any access violation.

GLBA Compliance:
The Financial Services Modernization Act of 1999, commonly referred to as the Gramm-Leach-Bliley Act or GLBA, was signed into law on November 12, 1999 (Public Law 106-102). Title V of the Act governs the steps that financial institutions and financial service companies must take to ensure the security and confidentiality of customer information. The Act recognises that financial services companies routinely collect Non-Public Personal Information (NPI) from individuals, and requires them to notify those individuals when sharing that information outside the company (or affiliate structure) and, in some cases, when using it in situations not related to a specific financial transaction.

  1. User Logon report: GLBA's safeguarding requirements mean that user access to systems holding customer NPI must be recorded and monitored for possible abuse. Remember, the intent is not just to catch hackers but also to document access to customer information by legitimate users. In most cases, the very fact that access is recorded is deterrent enough against malicious activity, much like a surveillance camera in a parking lot.
  2. User Logoff report: the logoff record completes the logon record above, showing when each user's session on a system holding NPI ended.
  3. Logon Failure report: the security log records all unsuccessful login attempts; the user name, date and time are included in this report.
  4. Audit Logs access report: GLBA's review-and-audit requirements call for procedures to regularly review records of information system activity such as audit logs.
  5. Security Log Archiving Utility: periodically, the system administrator backs up encrypted copies of the log data and restarts the logs.

Conclusion
Network security has to be handled both internally and externally. Nailing the problem is a huge task that needs expertise and, mostly, help from software such as EventLog Analyzer (compliance and internal monitoring of internal machines) and Firewall Analyzer (virus, attack and traffic monitoring of edge devices).

Bibliography
http://www.interhack.net/pubs/network-security/
http://www.hipaa.org/
http://www.sarbanes-oxley.com/
http://www.senate.gov/~banking/conf/

About the Author
The author is the product manager of a suite of network security products, Firewall Analyzer and EventLog Analyzer, at the software company AdventNet.

-Ramesh-