Review: Network analyzer churns out useful security reports

eIQnetwork's device makes sense of vast amounts of system log data

It is no longer enough simply to keep computer networks secure. Administrators must now produce reports proving that their networks are secure enough to comply with the Federal Information Security Management Act.

Fortunately, log files already contain much of the data administrators need for security compliance audits. The challenge is formatting that data into useful reports.

Network Security Analyzer Version 4.2 from eIQnetworks brings together large amounts of syslog data that would otherwise make no sense to a human. Syslog is a protocol for sending log messages from a device to a collector and recording them there; it has become a de facto standard for network devices.

Once we were sure that all systems involved were processing syslog transactions, we moved on to the fun part of testing Network Security Analyzer: producing malicious events using our toolbox of quasi-hacker utilities. We started with Nmap, a time-tested utility.

First, we performed three reconnaissance-type scans designed to generate quick alerts from our Snort intrusion-detection system. The first was a ping scan simulating a hacker discovering our network's layout. Instantly, the Network Security Analyzer reported an attempted information leak and gave us the IP addresses of both our target hosts — a Red Hat Linux Web server and a Linksys broadband router.

Then we attempted port scans against each target host to determine what operating systems they used and what services were running. But the analyzer could not report that information, because it can only report on data that the examined device itself sends to syslog.

To keep things in perspective, the analyzer's value lies less in packet-level details about individual network occurrences than in correlating events that would otherwise be missed because they occur across network devices of disparate types and locations. Although the analyzer can give an impressive level of detail, provided that the details are reported to the syslog server, it does not replace the reporting functions of your firewall or intrusion-detection system.
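The two behaviours described above, parsing syslog lines forwarded by different device types and then correlating them so that a reconnaissance sweep spanning several devices shows up as one event, can be illustrated with a small collector of our own. The following Python is an added example written for this review, not eIQnetworks' code, and everything in it is assumed: the host names, process ids and RFC 5737 test addresses are constructed, the alert lines only imitate Snort's syslog output format, and the two message "decodes" (Snort's "src -> dst" and netfilter's "SRC= DST=" style) stand in for the vendor-supplied decodes the product ships with.

```python
import re
from collections import defaultdict, Counter
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample input: BSD syslog (RFC 3164) lines as a central collector might
# receive them from two devices. Host names, pids and addresses are made up; the
# Snort-style lines imitate its syslog alert format but are not real alerts.
SAMPLE_LOG = """\
<36>Jan 17 10:21:03 webserver snort[1420]: [1:469:3] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.77 -> 198.51.100.10
<134>Jan 17 10:21:04 router kernel: ACCEPT IN=eth0 PROTO=ICMP SRC=192.0.2.77 DST=198.51.100.1
<36>Jan 17 10:21:05 webserver snort[1420]: [1:469:3] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.77 -> 198.51.100.10
<134>Jan 17 10:25:40 router kernel: ACCEPT IN=eth0 PROTO=TCP SRC=203.0.113.5 DST=198.51.100.1
<38>Jan 17 10:30:00 webserver sshd[2201]: Accepted publickey for admin from 198.51.100.20 port 50122 ssh2
"""

# <PRI>Mmm dd hh:mm:ss host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# Hypothetical "decodes": one per device message format the collector understands.
DECODES = [
    re.compile(rf"(?P<src>{IPV4})(?::\d+)? -> (?P<dst>{IPV4})"),   # Snort-style
    re.compile(rf"\bSRC=(?P<src>{IPV4}) DST=(?P<dst>{IPV4})"),      # netfilter-style
]
YEAR = 2017  # RFC 3164 timestamps carry no year; assume one for the sample


@dataclass
class Event:
    ts: datetime
    host: str        # device that reported the line
    facility: int    # PRI // 8
    severity: int    # PRI % 8, 0 = emergency ... 7 = debug
    tag: str
    msg: str
    src: Optional[str]
    dst: Optional[str]


def parse_line(line: str) -> Optional[Event]:
    """Split one syslog line into its fields; None if the line is not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=YEAR)
    src = dst = None
    for decode in DECODES:            # first decode that understands the message wins
        d = decode.search(m["msg"])
        if d:
            src, dst = d["src"], d["dst"]
            break
    return Event(ts, m["host"], pri // 8, pri % 8, m["tag"], m["msg"], src, dst)


def parse_log(text: str) -> List[Event]:
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return [e for e in events if e is not None]


def correlate_recon(events, window_seconds=60, min_targets=2, min_reporters=2):
    """Report a source that reached >= min_targets distinct destinations, as seen by
    >= min_reporters different devices, inside a sliding window. Each device alone
    sees only its own side of the sweep; the cross-device view is the finding."""
    by_src = defaultdict(list)
    for e in events:
        if e.src and e.dst:
            by_src[e.src].append(e)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if (e.ts - first.ts).total_seconds() <= window_seconds]
            targets = sorted({e.dst for e in window})
            reporters = sorted({e.host for e in window})
            if len(targets) >= min_targets and len(reporters) >= min_reporters:
                findings.append({"src": src, "targets": targets, "reported_by": reporters,
                                 "first_seen": first.ts, "events": len(window)})
                break  # one finding per source is enough for a report
    return findings


def events_per_device(events):
    """Per-device line counts, the kind of figure an audit report tabulates."""
    return dict(Counter(e.host for e in events))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in correlate_recon(evs):
        print(f"{f['first_seen']:%b %d %H:%M:%S} recon from {f['src']} -> "
              f"{', '.join(f['targets'])} (reported by {', '.join(f['reported_by'])}, "
              f"{f['events']} events)")
    print(events_per_device(evs))
```

Run as a script, the sample yields a single finding for 192.0.2.77 covering both the Web server and the router, while the lone TCP connection from 203.0.113.5 and the administrative SSH login stay out of it. The limitation the review notes also falls out of the design: a decode can only extract what the device chose to log, so the port-scan details the Snort host never sent to syslog cannot appear in any finding.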

What we like

We like the Java-based Web interface. Unlike many Web-based products, Network Security Analyzer boasts a responsive, lightweight user interface.

We applaud the tiered user access built into the product. The three tiers of access — Report User, Normal User and Administrator — ensure that the product can scale to meet even the largest enterprises' needs.

Another plus is that the management interface will integrate with its own internal user name/password database, Microsoft Windows security or a Lightweight Directory Access Protocol database.

Recommended improvements

We would like to see a way to manually create syslog decodes — utilities for translating the output of devices into usable data — for products not currently supported. Such decodes could then be shared among customers on the company's Web site.

Also, it should be possible to run a single analyzer system instead of relying on a distributed model to break up administration duties and network load. That would centralize management and save customers money.

Greer is a network security consultant. Bishop operates Peoples Information.com, an Internet consulting firm. They can be reached at egreer@thecourageequation.com.

Network Security Analyzer 4.2

eIQnetworks
(877) 564-7787
www.eiqnetworks.com

Features: ****

Performance: ****

Usability: ****

Platform support: ****

Price: ****

Price: The product starts at $895 per networked device.

Pros: Network Security Analyzer finds information on suspicious network events that would otherwise go unnoticed. It generates automated reports useful for security compliance audits. The analyzer is also easy to use.

Cons: It could use a feature to manually create decodes for network devices not currently supported.

Platforms: Network Security Analyzer can be used with any TCP network, but it requires a Web server. It is compatible with Microsoft Internet Information Server and the Apache Software Foundation's Web servers.
