Review: Network analyzer churns out useful security reports
eIQnetwork's device makes sense of vast amounts of system log data
- By Earl Greer, Vincil Bishop
- Oct 10, 2005
It isn't enough anymore to keep computer networks secure. Administrators must now produce reports proving that their networks are secure enough to comply with the Federal Information Security Management Act.
Fortunately, log files already contain much of the data administrators need for security compliance audits. The challenge is formatting that data into useful reports.
Network Security Analyzer Version 4.2 from eIQnetworks brings together large amounts of syslog data that would otherwise make no sense to a human. Syslog is a protocol that records logging information. It has become a standard for network devices.
Once we were sure that all systems involved were processing syslog transactions, we moved on to the fun part of testing Network Security Analyzer: producing malicious events using our toolbox of quasi-hacker utilities. We started with Nmap, a time-tested utility.
First, we performed three reconnaissance-type scans designed to generate quick alerts from our Snort intrusion-detection system. The first was a ping scan simulating a hacker discovering our network's layout. Instantly, the Network Security Analyzer reported an attempted information leak and gave us the IP addresses of both our target hosts a Red Hat Linux Web server and a Linksys broadband router.
Then we attempted port scans against each target host to determine what operating systems they used and what services were running. But the analyzer could not report that information because it can process reports only on data sent to syslog by the device being examined.
To keep things in perspective, the analyzer goes beyond packet-level details about network occurrences and correlates events that would otherwise be missed because they occur across network devices of disparate types and locations. Although the analyzer can give an impressive level of detail, provided that the details are reported to the syslog server, it does not replace the reporting functions of your firewall or intrusion-detection system.
What we like
We like the Java-based Web interface. Unlike many Web-based products, Network Security Analyzer boasts a responsive, lightweight user interface.
We applaud the tiered user access built into the product. The three tiers of access Report User, Normal User and Administrator ensure that the product can scale to meet even the largest enterprises' needs.
Another plus is that the management interface will integrate with its own internal user name/password database, Microsoft Windows security or a Lightweight Directory Access Protocol database.
We would like to see a way to manually create syslog decodes utilities for translating the output of devices into usable data for products not currently supported. Such decodes could then be shared among customers on the company's Web site.
Also, it should be possible to allow for the use of only a single
analyzer system instead of relying on a distributed model to break up administration duties and network load. That would centralize management and save customers money.
Greer is a network security consultant. Bishop operates Peoples Information.com, an Internet consulting firm. They can be reached at email@example.com.