Copyright 2004. McGraw-Hill Professional. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law.

EBSCO Publishing : eBook Collection (EBSCOhost) - printed on 10/12/2011 7:09 PM via BIBLIOTECA DIGITAL DEL SISTEMA TECNOLOGICO DE MONTERREY 9780071433556 ; Albanese, Jason, Sonnenreich, Wes.; Network Security Illustrated Account: s8461332

Chapter 2  Managing Security: Systems and Network Monitoring

These tools allow for centralized analysis and control of network systems.

Technology Overview

The Roman Empire had a security management problem. As powerful as it was, it didn't have the resources to monitor and enforce security throughout the entire European continent. Invaders attacked the weak points and slowly worked their way inward. As a result, Rome fell.

Is your network starting to feel like an empire? As your network grows, it also becomes much harder to manage. Problems in some of the least significant machines can eventually turn into network-threatening situations if they're not duly managed. Don't underestimate the seriousness or difficulty of this resource problem; after all, it stumped the most powerful civilization in history.

The key difference between large empires and large networks (as far as this book is concerned) is that modern network systems are designed with remote management in mind.[1] This means that a single central station can control thousands of network devices, workstations, and servers across an entire enterprise. Everything from simple status reports to complex software installations can be done from one place. Technical security policies can be implemented and monitored with ease. Built-in analysis systems can create reports for management.

Centralized network monitoring systems use various techniques to connect to your equipment. For example, the Simple Network Management Protocol (SNMP) is a commonly used protocol that enables network devices to be remotely monitored, controlled, and configured. SNMP is an IETF standard, and most network hardware and operating systems support it.

Unfortunately, SNMP is neither powerful nor secure enough to manage certain complex devices such as routers and firewalls. The widely deployed versions 1 and 2c authenticate a request with nothing more than a community string that travels in cleartext, so anyone who can sniff the management traffic can read it and reuse it; SNMPv3 adds per-user authentication and encryption, but not every device supports it. These systems often have their own remote command interfaces so that control center applications can talk directly to the devices.

Software and services running on your network also have to be monitored and managed. Many control center applications can monitor common software such as Web and email services. However, actively managing these systems is a much more complex task because nonstandard software already dominates this environment. It's difficult, verging on impossible, for the creators of command center products to incorporate compatibility with each of the thousands of network applications on the market.

Integrating with modern command center applications takes an unusual mix of knowledge that spans a number of distinctly different fields. That's a major reason to hire consultants to create interfaces for old, nonstandard, and custom systems. Hiring consultants is naturally more common with larger, enterprise-wide networks, due to the prevalence of incompatible hardware and software.
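The weakness of SNMP as a management channel is easiest to see on the wire. The following is an added example, written for this edition and not code from the book or from any SNMP implementation: it BER-encodes a constructed SNMPv1 GetRequest for sysName.0 with a minimal encoder, then parses the datagram back with a generic walker that handles any v1/v2c message carrying a short request PDU. The community string "public", the request-id and the OIDs are made-up values for the demonstration.

```python
"""Added example (not from the book): SNMPv1/v2c wire format and why the
community string is not a real credential. A constructed GetRequest is
BER-encoded, then parsed back; the community string sits as plain bytes
in the packet for anyone on the path to read or replay."""
from typing import Dict, List, Tuple

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest"}


def _tlv(tag: int, value: bytes) -> bytes:
    """BER tag-length-value with short or long-form length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _encode_int(v: int) -> bytes:
    """INTEGER, two's complement, minimal length (enough for ids and versions)."""
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def _encode_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)  # continuation bit on all but the last byte
            arc >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str, request_id: int = 1, version: int = 0) -> bytes:
    """SNMP message: version (0 = v1, 1 = v2c), community, GetRequest PDU."""
    varbind = _tlv(0x30, _encode_oid(oid) + _tlv(0x05, b""))  # OID + NULL value
    pdu = _tlv(0xA0, _encode_int(request_id) + _encode_int(0) + _encode_int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _encode_int(version) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_snmp_message(packet: bytes) -> Dict[str, object]:
    """Walk a v1/v2c message far enough to recover version, community, PDU type,
    request-id and the requested OIDs. Raises ValueError on anything else."""
    tag, body, end = _read_tlv(packet, 0)
    if tag != 0x30 or end != len(packet):
        raise ValueError("not a single SNMP SEQUENCE")
    pos = 0
    vtag, version, pos = _read_tlv(body, pos)
    ctag, community, pos = _read_tlv(body, pos)
    ptag, pdu, pos = _read_tlv(body, pos)
    if vtag != 0x02 or ctag != 0x04 or ptag not in PDU_NAMES:
        raise ValueError("unexpected message structure")
    p = 0
    _, request_id, p = _read_tlv(pdu, p)
    _, _error_status, p = _read_tlv(pdu, p)
    _, _error_index, p = _read_tlv(pdu, p)
    _, varbinds, p = _read_tlv(pdu, p)
    oids: List[str] = []
    q = 0
    while q < len(varbinds):
        _, vb, q = _read_tlv(varbinds, q)
        _, oid_bytes, _ = _read_tlv(vb, 0)
        oids.append(_decode_oid(oid_bytes))
    return {
        "version": int.from_bytes(version, "big", signed=True),
        "community": community.decode("latin-1"),  # plain octets, no hashing, no encryption
        "pdu": PDU_NAMES[ptag],
        "request_id": int.from_bytes(request_id, "big", signed=True),
        "oids": oids,
    }


# Constructed sample: sysName.0 with the default community "public" (hypothetical values).
SAMPLE_PACKET = build_get_request("public", "1.3.6.1.2.1.1.5.0")

if __name__ == "__main__":
    print(SAMPLE_PACKET.hex())
    print(parse_snmp_message(SAMPLE_PACKET))
    print("community visible in cleartext:", b"public" in SAMPLE_PACKET)
```

The same walker applied to a captured SetRequest shows why a sniffed community string is equivalent to a write password: the only difference between reading and reconfiguring a device is the PDU tag.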


How Systems and Network Monitoring Work

Setting up a network monitoring system is an involved process that will take some time to do correctly. The procedure can be broken down into the following six steps:

1. Strategic design: Before any monitoring happens, someone needs to decide what to monitor and design a system to monitor it. This is a complicated step (touched on in the introduction to this part), requiring a combination of both business and technical analysis.

2. Implementation: At this step, monitoring tools are deployed and integrated with existing hardware and applications.

3. Tuning: One of the first tasks is to tune the amount of information generated by the monitoring tools. These systems can generate a lot of information, some of which is important, whereas the rest is just clutter. It's easy to monitor too many things or report too many minor problems. You may or may not want to know every time a hacker attacks your site, but you certainly want to know if one has been successful.

4. Monitoring: Once that's done, a lot of information still exists, and someone has to watch for problem indicators. It also would be nice to see if any trends are present. Are hack attempts increasing, and is the increase bigger than the increase in general Internet hacking?

5. Action: Finally, when a problem happens, somebody needs to be notified. This might be trickier than it sounds. Whoever gets notified needs to take action and solve the problem (or officially ignore it).

6. Analysis: At regular intervals, it's useful to dig a bit deeper into the monitored data. Regular monitoring looks at the present, but proper analysis looks at past data as well. Trend and pattern analysis of the complete data picture can help in anticipating future problems. Usage and failure patterns might help pinpoint the root cause of an elusive problem. It can also be useful to keep trend reports on issues that are otherwise too insignificant to watch. For example, a significant increase in the frequency or volume of minor alerts could indicate that a major problem is about to happen. Therefore, even though a system might be tuned to report only major problems, it still shouldn't completely ignore the minor ones.

[1] Countries were not built for remote management. Not convinced? Go to London and ask to see the Great British Empire. They keep its remains in a jar somewhere near Piccadilly, so we've been told.
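Steps 3 through 6 can be shown in miniature. The following is an added example, written for this edition and not code from the book or from any monitoring product: it runs over a constructed log in a made-up "time host event key=value" format, pages only on a login that succeeds after a burst of failures from the same source (the attack that worked, per step 3), counts the suppressed failures per hour, and flags an hour whose count jumps well above the earlier average (the minor-alert trend of step 6). Hostnames, addresses and user names are hypothetical; the severity table and the threshold values are assumptions.

```python
"""Added example (not from the book): tuning, monitoring and trend analysis
over a constructed log. Minor events are counted, not paged; a successful
login after repeated failures is paged; a jump in the minor-event rate is
reported as an early warning."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample log (not captured from a real system). Addresses come from
# the RFC 5737 documentation ranges; the last line is deliberate clutter.
SAMPLE_LOG = """\
2004-03-01T10:05:00 web1 auth_fail src=198.51.100.4 user=admin
2004-03-01T10:07:30 web1 auth_fail src=198.51.100.4 user=admin
2004-03-01T10:20:00 web1 auth_ok src=192.0.2.10 user=ops
2004-03-01T11:15:00 web1 auth_fail src=198.51.100.4 user=admin
2004-03-01T11:40:00 web1 auth_fail src=198.51.100.4 user=root
2004-03-01T12:00:10 web1 auth_fail src=203.0.113.7 user=root
2004-03-01T12:00:12 web1 auth_fail src=203.0.113.7 user=root
2004-03-01T12:00:14 web1 auth_fail src=203.0.113.7 user=root
2004-03-01T12:00:16 web1 auth_fail src=203.0.113.7 user=admin
2004-03-01T12:00:18 web1 auth_fail src=203.0.113.7 user=admin
2004-03-01T12:00:20 web1 auth_fail src=203.0.113.7 user=oracle
2004-03-01T12:00:22 web1 auth_fail src=203.0.113.7 user=oracle
2004-03-01T12:00:24 web1 auth_fail src=203.0.113.7 user=backup
2004-03-01T12:00:26 web1 auth_ok src=203.0.113.7 user=backup
2004-03-01T12:30:00 db1 disk_warn fs=/var pct=91
this line is clutter the monitor cannot parse
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (?P<host>\S+) (?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Tuning (assumed table): which events are worth a page, which are only counted.
SEVERITY = {"auth_fail": "minor", "disk_warn": "minor", "auth_ok": "info", "link_down": "major"}


def parse_log(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable clutter is dropped, not alerted on
        ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "event": m["event"]}
        ev.update(dict(KV_RE.findall(m["rest"])))
        ev["severity"] = SEVERITY.get(m["event"], "minor")  # unknown events default to minor
        events.append(ev)
    return events


def major_alerts(events: List[dict], fail_threshold: int = 5) -> List[str]:
    """Monitoring/action: report what someone must act on. A single failed login
    is noise; a successful login from a source that just failed `fail_threshold`
    times or more is the attack that worked and is paged immediately."""
    failures: Dict[str, int] = defaultdict(int)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev.get("src", "?")
        if ev["event"] == "auth_fail":
            failures[src] += 1
        elif ev["event"] == "auth_ok":
            if failures[src] >= fail_threshold:
                alerts.append(f"{ev['ts'].isoformat()} {ev['host']}: login as {ev.get('user')} "
                              f"from {src} after {failures[src]} failures")
            failures[src] = 0
        elif ev["severity"] == "major":
            alerts.append(f"{ev['ts'].isoformat()} {ev['host']}: {ev['event']}")
    return alerts


def minor_trend(events: List[dict], ratio: float = 3.0) -> List[dict]:
    """Analysis: count the suppressed minor events per hour and flag any hour
    whose count exceeds `ratio` times the mean of the preceding hours. The
    individual events never page anyone, but a jump in their rate does."""
    buckets: Dict[datetime, int] = defaultdict(int)
    for ev in events:
        if ev["severity"] == "minor":
            buckets[ev["ts"].replace(minute=0, second=0, microsecond=0)] += 1
    rows, history = [], []
    for hour in sorted(buckets):  # hours with no minor events are not represented
        count = buckets[hour]
        baseline = sum(history) / len(history) if history else None
        spike = baseline is not None and count > ratio * baseline
        rows.append({"hour": hour.isoformat(), "count": count, "spike": spike})
        history.append(count)
    return rows


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for alert in major_alerts(events):
        print("MAJOR", alert)
    for row in minor_trend(events):
        print("minor/hour", row)
```

On the sample, the 12:00 hour is flagged because its nine minor events are more than three times the two-per-hour baseline, and the one paged alert is the login from 203.0.113.7 after eight failures; the normal login from 192.0.2.10 is never shown.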

Security Considerations

It's difficult to enforce security policies. Without a monitoring system, policy breaches and technology failures can go undetected, but a centralized monitoring system can help you ensure policy compliance and make a complex network manageable.

By analyzing the data from the monitoring system, you can figure out if your security policies and enforcement tools are effective. The analysis also gives executive management the feedback necessary to adjust and revise their security philosophy and policies periodically.

Network monitoring systems do have a few caveats. The first is compatibility. If you're using standard equipment and running standard software,[2] your monitoring problems should be minimal. But if you have legacy equipment or custom software that you want monitored, things become much more difficult. You will probably have to get consultants to add support for nonstandard devices.

[2] "Standard" means universally accepted and supported. These software and hardware standards include, but are not limited to, the following: Sun, Oracle, Microsoft, IBM, Cisco, HP, Intel.

Another caveat is network design. No central command system can fix a poorly designed network. In fact, if the design is really bad, the system might not be able to properly operate.

Ironically, a central management system can actually weaken security. Think about what happens if a hacker gets into your central management system. He has immediate and total control of your network. In some cases, he doesn't even need access to the central system; he just has to impersonate it, which with SNMPv1 or v2c means nothing more than knowing the community string. Although some network devices and servers have secure mechanisms for performing remote administration, others don't. You might want to consider disallowing central administration on systems with weak overall security, and treating the management station and its network path as the most sensitive asset in the environment: restrict who can reach it, and log what it does.

These applications will only display what they've been designed to observe. What if the central system is missing something critical or is not working correctly? The bottom line is that security requires the involvement of skilled human beings at some level. You'll need to have some specialists on staff that can tell when something's wrong, even when the system says that all is well.

Some of these systems make it all too easy to define and implement site-wide technical security policies. Security-sensitized information technology (IT) staff can be tempted to create arbitrary technical policies that are not mandated by existing organizational policies. This is the classic "solution in search of a problem" situation. It happens because the applications only handle security as a technical process, not as a business or philosophical process.

Faults aside, without central command systems, it would be impossible to build and maintain large networks. Just the monitoring alone is critical. Imagine how difficult it would be if you had to manually check the status of hundreds or thousands of servers and desktops. These tools also automate routines that otherwise take up massive amounts of time, such as deploying updated software. Simplifying basic network management tasks means that less experienced employees can monitor the network effectively. This can save your company money in IT staffing, which always makes management happy.

Having a bird's-eye view of your network is also a big advantage. Many of these systems have visualization tools that can show you a 2D or 3D representation of your network and its status. If a picture is worth a thousand words, these pictures are worth about a million pages of status reports.

Making the Connection

Cryptography: Data traveling across the network can be encrypted for added security.

Outsourcing: Network monitoring is frequently outsourced, which has many benefits and issues, enough that it gets its own chapter in the next part.

Disaster prevention: Proper monitoring can help detect minor failures before they become major ones.

Proactive security: Data gathered while monitoring can make risk management techniques and forensics much easier.

Determining identity: Access attempts, successes, and failures can be monitored to detect intrusions.

Preserving privacy: Data can be used to assemble profiles on users. This might be a benefit or a problem, depending on your organizational policies.

Networking hardware: Most network hardware is designed to provide information to monitoring systems, either through SNMP or some other system.

Firewalls/proxies: These devices are the first line of defense from the outside world and can help identify problems and abuse inside and outside the network.

Storage: Full disk drives, exceeded quotas, and file corruption can be detected by monitoring the local file systems of critical machines such as servers. Performance, data access problems, and corruption can be detected and fixed.

Detecting intrusions: Most intrusion detection systems are built as part of a larger monitoring application or they are integrated with central monitoring applications. The two concepts are closely related.

Expediting recovery: A good monitoring system immediately indicates any problem that requires disaster recovery. The faster a problem is identified, the faster a solution can be executed.

Best Practices

The biggest problem in implementing network monitoring is determining which command center software is right for your network. After all, you won't find this type of software sitting in a shrink-wrapped box at your local computer store.

The current crop of network management systems falls into three classes. In first class, you'll find extraordinarily expensive "solutions",[3] such as IBM's Tivoli, HP's OpenView, and CA's Unicenter. In business class, you'll find smaller vendors and consultants. Back in coach, you'll find a bunch of open source software developers eating peanuts and hacking into the in-flight entertainment system. They have created free systems called Nagios, Ganglia, and OpenNMS.

Which way you go depends on the size of your company. If your company is huge, with a network consisting of thousands of computers, you'll want to look at the high-end solutions. If you're a business that can free up time but not money, or if you have a savvy IT department with Unix skills, the open source systems are a great place to start. It can also be helpful to talk to a few consulting firms that offer products or services that fit your needs. Often the right consultants can implement and manage one of the open source or low-cost solutions provided by niche vendors.

[3] By solution, we mean the product + implementation consulting + new servers + new networking hardware + yearly licensing + permanent operational consulting + technical support contract + hardware maintenance contracts + software upgrade contract.

You need to have a clear idea about what you're looking for in order to effectively evaluate these applications. Otherwise, you'll never be able to make sense of the various marketing materials and feature sets. Here are some questions to consider:

What do you want to know? Do you want to know about hardware and software problems? Do you want to be able to monitor individual users or aggregate usage patterns? Do you want to be able to detect intruders and vulnerabilities?

What will you do with the information? Do you want the system to automatically fix problems? Do you have procedures for escalating problems that need to be taken into account?

Do you want to be able to remotely deploy or configure software? Do you want to centralize the management of user accounts?

Will more than one person access the control system? Will different people accessing the system need different levels of access?

Is the command system going to be on the network that it's monitoring, or do you need to operate from a remote network?

Information traveling to monitoring systems is sensitive. Is it properly encrypted to ensure safety?

What happens if hackers get control of the command center?

Final Thoughts

If you are considering the high-end products, go to their Web sites. Confused by all the different products and solutions? It's intentional. You're supposed to get a sales rep to tell you what you need, but just in case you want to figure it out alone, here are a few pointers:

Products such as Tivoli, OpenView, or Unicenter are not designed to work right out of the box. What you're buying is a core product and lots of component modules that provide specific types of control and analysis. Components are also provided to connect to the various machines in your network for advanced operations. For example, one component might be specifically designed to interact with an Oracle database.

These companies have cleverly designed their solutions such that every high-end product in their catalogue is a "necessary component." Put some pressure on the sales rep and watch how quickly things become "optional."

You might notice that things you thought were related (such as security and network monitoring) are sold as separate products. Many vendors split up their software based on marketing potential, not technical functionality. So what should be a single system is actually five or more separate systems with overlapping functionality.

Think twice about the third-party applications on your network. Are they all absolutely necessary? Running a tighter ship will simplify command center integration. With fewer unusual applications running, less interface customization will be required.

If you ask any of these high-end vendors about the smaller solutions (including open source), they may turn their nose up. Ask them to explain why their system is better and they'll present three basic arguments: features, scalability, and support. All three are flawed arguments.

Many of the features the large systems offer will never be used in practice. Think about all the features in Microsoft Office that are hyped up but are unnecessary for conducting normal business in your organization. If the smaller software solutions do what you want them to do, why should you care about features you'll never use?

The big players will tell you their products are much more scalable. They really aren't; they just require really powerful equipment, and that same equipment will generally solve the scalability issues of most software.

Support is also a tricky argument. If you use one of the major open source applications (Ganglia, Nagios, or OpenNMS), you may find cheaper consultants that can support the system. What you may not find is standards. Support might be a fraction of the cost that major vendors charge, but are you getting the same peace of mind and consistent service?

You might find that no single open source system has all the features you want. The good news is you can try them all indefinitely, because they are free. That said, some aspects of these systems could create extra network traffic. Make sure you're not congesting your network with overlapping functionality.

Open source systems often require a degree of tinkering that is equivalent to giving the space shuttle a tune-up. Sometimes what is saved in licensing fees is lost in time. Be sure to have the right people working on the project who have specific experience with open source network monitoring systems.
