Network forensics tighten security
- By Maggie Biggs
- Jul 07, 2003
"The best offense is a good defense" goes the adage. That philosophy applies as well to agencies wanting to be proactive in managing security as it does to football teams.
Managed security strategies don't end with putting security products in place and walking away. Every agency should frequently update its security policy and strategy document. The document needs to spell out the agency's security architecture, such as firewalls and antivirus programs, the maintenance of application and operating system security, the list of acceptable user activities, and so on.
In short, managing security is an ongoing process — one that requires the information technology staff to continuously monitor and analyze potential security threats.
Because agencies face security threats from both internal and external sources, a security management tool that enables agency IT staff to monitor and manage security events is a must-have.
In this evaluation, we examined three security management solutions — Vericept Corp.'s Vericept Intelligent Early Warning (VIEW) 5.0, netForensics Inc.'s netForensics 3.0 and Niksun Inc.'s NetDetector 3.0. We tested each by monitoring and analyzing internal and external traffic and data for potential security events or unacceptable-use incidents. We found that all three solutions provided in-depth information on events that can tighten agency security strategies and deflect future security events.
The only downside is that these solutions can be pricey. Where budget constraints exist, agencies may want to consider other, less costly alternatives, including open-source solutions. But each product offers features that justify its cost.
Although these solutions offer comparable core capabilities, we gave our top score to Vericept's VIEW because it is by far the easiest to set up, and its capabilities for capturing, analyzing and playing back session data are first rate. What's more, this product also offers the greatest flexibility in terms of pricing.
However, pricing, installation and ease of use may not be the only criteria agency officials consider when examining security management offerings. For example, the netForensics solution provides a graphical device view for distributed enterprises and risk and threat-level analysis tools. Some agencies may value such features because they manage highly distributed infrastructures or extremely sensitive operations.
Likewise, if agencies seek long-term storage of security events for trend analysis and the capability to analyze events across an array of network interface types, then NetDetector might be the best solution. The application can store more than 1 terabyte of security events on disk; a storage-area network solution can extend its capacity even further. In addition, users can easily plug NetDetector into a wide variety of networking infrastructures, including Gigabit Ethernet, and can insert it inside or outside firewalls and internal networks.
Officials will need to define the most important security criteria for agencies' infrastructures so they can choose the best security management solution. Available solutions should be weighed against those requirements. We recommend evaluating any of these three solutions as a viable strategy for bolstering agency security.
Vericept VIEW 5.0
Last year, we examined Vericept's V1100 hardware-based appliance and found that it did a good job of trapping and storing unacceptable activity for playback. In this comparison, we evaluated Vericept's VIEW 5.0 — a collection of software-based applications agencies can use to proactively manage security.
Although the product includes a number of components, we examined four modules for agency use. VIEW for Network Security checks content for hacker-related activity, while VIEW for Privacy Protection captures and reports on communications, such as instant messaging sessions, that could jeopardize sensitive information.
VIEW for Information Protection captures application traffic in which sensitive information might be shared without authorization. VIEW for Network Abuse Management enables network administrators to keep tabs on user activity and capture session data when that activity falls outside acceptable use, such as online shopping during business hours.
We found the Vericept product easy to set up on a Red Hat Inc. Linux system, and we had all four modules operable in about 45 minutes. The Vericept installation and configuration process was well-documented, and even administrators new to Red Hat Linux and Vericept should be able to set up the solution without difficulty.
We were able to quickly access the Web-based administrative tools using both the Mozilla Organization's Mozilla and Microsoft Corp.'s Internet Explorer. With the browser, we could perform the initial setup and configuration tasks and were pleased to see that VIEW enforces an administrator password change on initial setup.
We then defined eBoundaries — areas of specific traffic and activity. In these spots, we chose to trap and log suspicious FTP activity, peer-to-peer file sharing and unsuitable content types. Administrators can also trap and log many other types of activity and traffic, including Web-based e-mail, instant messaging and inappropriate HTTP responses.
No matter what type of activity we simulated, VIEW recognized our attempts and stored the session data for playback. We accessed VIEW's reporting tools via a Web browser and found that we could view the current logs in detail or summary. We then queried the logs for all FTP-related activity and could drill down to the session level to review what had occurred.
Vericept's VIEW modules don't block traffic or network activity, but they do provide an easy mechanism for administrators to quickly identify inappropriate activity and take the necessary countermeasures. The Vericept solution was the easiest to implement and maintain of the three we evaluated.
netForensics 3.0
The netForensics 3.0 solution is designed to be incorporated into an existing distributed network infrastructure. This security information management solution rides on top of an Oracle Corp. database.
NetForensics agents are installed across a number of platforms to collect security event information from a variety of sources, including intrusion-detection and antivirus tools. The solution reformats the events into Extensible Markup Language, which is then analyzed by the product's engine. Administrators work with the analyzed data using Sun Microsystems Inc.'s Java-based netForensics Security Information Management (SIM) Desktop.
We began our evaluation by installing the included Oracle database, which lengthened the installation process compared to the other solutions we evaluated. Next, we installed the netForensics server-side components on a Red Hat Linux system, including the company's engine needed to analyze security event data. The netForensics setup process is well-documented though lengthy, but we did not have any difficulty in getting all the elements up and running.
Our next step was to install agents so we could gather event data. The software incorporates many agents, including one that supports Check Point Software Technologies Ltd.'s firewall. For our tests, we chose to install the Snort Agent, the Unix OS File Agent and the Windows Event Agent.
Once we had loaded and configured all the components, we accessed SIM Desktop to examine the monitoring and reporting capabilities. We launched SIM Desktop simply by pointing a Web browser at the system hosting our Web server.
Java Web Start powers SIM Desktop, which provides a security console reminiscent of a dashboard. We found that this metaphor simplified access to netForensics security management tools and made it easier for security administrators to locate and deal with events.
Once inside SIM Desktop, we found several quick-launch icons on the left side of the screen plus a taskbar at the bottom of the screen. Using the quick-launch icon, we were able to easily query data we had collected from our agents. We also found netForensics' device map impressive. Administrators can use it to define and maintain geographical views of business units and devices throughout the enterprise.
The software also supplies administrators with tools to determine the risk or threat level of various network and system activities. Using those tools, we were able to detect some risk on the Microsoft Windows servers on our network and take proactive steps to mitigate it.
Administrators can view netForensics data in real time, if desired. In addition, comprehensive reporting is available via the Security Portal Server. We were able to log in and generate both summary and detail reports of various types of activity in several formats, including HTML and PDF.
The netForensics solution is comprehensive and sophisticated in its approach to security management. About the only improvement we could suggest is adding even more agents to keep tabs on other enterprise assets. Given the solution's flexibility, incorporating additional agents should not prove difficult.
Niksun's NetDetector 3.0
NetDetector is a security management appliance that performs nonintrusive monitoring. It is designed to be used in conjunction with network security tools such as firewalls and intrusion-detection systems. Agencies can record and analyze data to detect and re-create unauthorized activity. NetDetector captures events in near-real time, alerts administrators so they can take action and stores events so they can be re-created.
Several software components run on NetDetector. One is the Traffic Recorder, which collects data from network interfaces and writes it to disk. The Query Processor analyzes data for near-real-time alerting or for later access by security administrators. The Alerter tells administrators when it detects abnormal activity. And finally, Web GUI enables administrators to interact with the appliance to configure the system, display alerts and query collected data.
The solution can be installed in a variety of network locations. Agencies can use it inside or outside a firewall or on an internal network. For our tests, we evaluated its capabilities with the unit placed in front of the firewall and then did a second round of tests with it on the internal network. Placement largely depends on whether your agency's objective is to monitor public-facing access points or internal user activity.
Once configured for your network and plugged in, NetDetector is easily accessible from a Web browser over HTTP or HTTPS, or from a command line through Secure Shell (SSH), unsecured Telnet or a direct terminal connection. Because HTTP and Telnet carry credentials in the clear, HTTPS and SSH are the paths to use for administration. During our tests, we tried both SSH and HTTPS connections and found the appliance easy to access and use.
Using Web GUI, we were able to easily configure the unit, set alarms and manage logging attributes. Administrators will have no trouble using and learning the NetDetector Web GUI interface because it is well-constructed and fully documented.
We particularly liked the solution's reporting features. We generated several types of traffic, including FTP and Telnet sessions. NetDetector picked up all traffic we generated and all traffic in front of the firewall.
In both cases, we were able to view graphical and tabular reports of the activity. In particular, we could drill down to the report data and then re-create session activity.
Administrators can store data on internal NetDetector storage, which can be scaled to 1.46 terabytes. Alternatively, the software can be used in conjunction with a storage-area network for unlimited storage. The latter may be necessary at agencies that must closely track security trends.
NetDetector supports a number of interfaces, including 10/100 Ethernet, Gigabit Ethernet, T1, V.35, OC-3 Sonet and more. This flexibility — together with its easy-to-understand interfaces and detailed reporting — makes NetDetector an easy fit in a variety of agency network infrastructures.
Biggs is a software engineer and freelance writer based in Northern California. She has more than 15 years of business and IT experience.