Copyright 2004. McGraw-Hill Professional. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law.
Chapter 2 Managing Security: Systems and Network Monitoring
These tools allow for centralized analysis and control of network systems.
Technology Overview
The Roman Empire had a security management problem. As powerful as it was, it didn't have the resources to monitor and enforce security throughout the entire European continent. Invaders attacked the weak points and slowly worked their way inward. As a result, Rome fell.

Is your network starting to feel like an empire? As your network grows, it also becomes much harder to manage. Problems in some of the least significant machines can eventually turn into network-threatening situations if they're not duly managed. Don't underestimate the seriousness or difficulty of this resource problem; after all, it stumped the most powerful civilization in history.

The key difference between large empires and large networks (as far as this book is concerned) is that modern network systems are designed with remote management in mind.1 This means that a single central station can control thousands of network devices, workstations, and servers across an entire enterprise. Everything from simple status reports to complex software installations can be done from one place. Technical security policies can be implemented and monitored with ease. Built-in analysis systems can create reports for management.

Centralized network monitoring systems use various techniques to connect to your equipment. For example, the Simple Network Management Protocol (SNMP) is a commonly used protocol that enables network devices to be remotely monitored, controlled, and configured. It is an IETF standard (version 1 is defined in RFC 1157, version 3 in RFCs 3411 through 3418), and most network hardware and operating systems support it, although not all do.

Unfortunately, SNMP is neither powerful nor secure enough to manage certain complex devices such as routers and firewalls. In versions 1 and 2c the only credential is a community string that travels in cleartext, so anyone who can sniff the traffic can read it and, if it is a read-write community, reconfigure the device; SNMPv3 adds per-user authentication and encryption. These systems therefore often have their own remote command interfaces so that control center applications can talk directly to the devices.

Software and services running on your network also have to be monitored and managed. Many control center applications can monitor common software such as Web and email services. However, actively managing these systems is a much more complex task because nonstandard software dominates this environment. It's difficult, verging on impossible, for the creators of command center products to incorporate compatibility with each of the thousands of network applications on the market.

Integrating with modern command center applications takes an unusual mix of knowledge that spans a number of distinctly different fields. That's a major reason to hire consultants to create interfaces for old, nonstandard, and custom systems. Hiring consultants is naturally more common with larger, enterprise-wide networks, due to the prevalence of incompatible hardware and software.

EBSCO Publishing : eBook Collection (EBSCOhost) - printed on 10/12/2011 7:09 PM via BIBLIOTECA DIGITAL DEL SISTEMA TECNOLOGICO DE MONTERREY 9780071433556 ; Albanese, Jason, Sonnenreich, Wes.; Network Security Illustrated Account: s8461332
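The following is an added example, not code from the book or from any SNMP implementation. It is a minimal ASN.1 BER encoder and parser for an SNMPv1/v2c GetRequest: it builds the request a monitoring station would send for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0) and then parses it the way a sniffer on the path would, which makes the point above concrete: the community string is an ordinary OCTET STRING in the datagram. The community name "public", the request ID 0x1234 and any enterprise OID fed to it are constructed sample values.

```python
"""SNMPv1/v2c GetRequest encoder and parser (ASN.1 BER), added example.

In versions 1 and 2c the community string is a plain OCTET STRING in the
UDP payload. Sample values (community "public", request ID 0x1234) are
constructed for this example.
"""

SEQUENCE, INTEGER, OCTET_STRING, NULL, OID = 0x30, 0x02, 0x04, 0x05, 0x06
GET_REQUEST = 0xA0  # context-specific, constructed, tag [0]
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}


def _length(n):
    """BER length octets: short form under 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def _integer(n):
    """Non-negative INTEGER in minimal two's-complement form."""
    if n < 0:
        raise ValueError("negative INTEGER not needed for SNMP headers")
    return _tlv(INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def _oid(dotted):
    """OBJECT IDENTIFIER: first two sub-ids share one byte, the rest are base-128."""
    ids = [int(x) for x in dotted.split(".")]
    out = [40 * ids[0] + ids[1]]
    for sub in ids[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.insert(0, 0x80 | (sub & 0x7F))  # continuation bit on all but the last
            sub >>= 7
        out.extend(chunk)
    return _tlv(OID, bytes(out))


def build_get_request(community, oid, request_id, version=0):
    """version 0 = SNMPv1, 1 = SNMPv2c; both carry the community in the clear."""
    varbind = _tlv(SEQUENCE, _oid(oid) + _tlv(NULL, b""))
    pdu = _tlv(GET_REQUEST, _integer(request_id) + _integer(0) + _integer(0)
               + _tlv(SEQUENCE, varbind))
    return _tlv(SEQUENCE, _integer(version)
                + _tlv(OCTET_STRING, community.encode()) + pdu)


def _read_tlv(buf, pos):
    """Return (tag, body, position after this element)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:  # long form: low bits give the number of length octets
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def _decode_oid(body):
    first = body[0]
    ids = [first // 40, first % 40] if first < 80 else [2, first - 80]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            ids.append(val)
            val = 0
    return ".".join(str(i) for i in ids)


def parse_snmp(packet):
    """Extract what a passive sniffer sees from an SNMPv1/v2c message."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)   # the "password", unencrypted
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, req_id, pos = _read_tlv(pdu, 0)
    for _ in range(2):                         # skip error-status, error-index
        pos = _read_tlv(pdu, pos)[2]
    _, vbl, _ = _read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        oids.append(_decode_oid(_read_tlv(vb, 0)[1]))
    return {"version": int.from_bytes(ver, "big"),
            "community": community.decode(errors="replace"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(req_id, "big"),
            "oids": oids}


if __name__ == "__main__":
    pkt = build_get_request("public", "1.3.6.1.2.1.1.1.0", 0x1234)  # sysDescr.0
    print(pkt.hex())
    print(parse_snmp(pkt))
    print("community visible in the clear:", b"public" in pkt)
```

Run it and compare the hex dump with a capture of a real v1 or v2c poll: the bytes 04 06 followed by "public" sit right after the version field. SNMPv3 replaces this header with security parameters carrying a user name, an HMAC and, with privacy enabled, an encrypted scoped PDU, so a parser like this one no longer finds a reusable credential.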
How Systems and Network Monitoring Work
Setting up a network monitoring system is an involved process that will take some time to do correctly. The procedure can be broken down into the following six steps:

1. Strategic design: Before any monitoring happens, someone needs to decide what to monitor and design a system to monitor it. This is a complicated step (touched on in the introduction to this part), requiring a combination of both business and technical analysis.

2. Implementation: At this step, monitoring tools are deployed and integrated with existing hardware and applications.

3. Tuning: One of the first tasks is to tune the amount of information generated by the monitoring tools. These systems can generate a lot of
1. Countries were not built for remote management. Not convinced? Go to London and ask to see the Great British Empire. They keep its remains in a jar somewhere near Piccadilly, so we've been told.
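As an added example of the tuning step (not from the book, and not the code of Nagios or any other product), here is the logic behind two knobs that monitoring systems use to cut alert volume. The terms "soft/hard state" and "flap detection" are Nagios's; the state machine below is this example's own simplification of those ideas. A host is reported DOWN only after `max_attempts` consecutive failed checks, so one dropped ping pages nobody, and a host whose state keeps toggling is marked FLAPPING and its notifications are suppressed until it settles. The check sequences and thresholds are constructed sample values.

```python
"""Added example: soft/hard states and flap detection for one monitored host."""
from collections import deque


class HostMonitor:
    """Feed check results in order; it returns the notifications actually sent."""

    def __init__(self, max_attempts=3, window=20, min_samples=None,
                 flap_high=0.5, flap_low=0.25):
        self.max_attempts = max_attempts            # failures in a row before HARD DOWN
        self.history = deque(maxlen=window)         # recent results, True = up
        self.min_samples = max(2, min_samples or window // 2)
        self.flap_high, self.flap_low = flap_high, flap_low
        self.hard_state = "UP"
        self.attempts = 0
        self.flapping = False
        self.notifications = []                     # (t, event) pairs that were sent

    def _change_ratio(self):
        """Fraction of consecutive results in the window that differ."""
        h = list(self.history)
        return sum(a != b for a, b in zip(h, h[1:])) / (len(h) - 1)

    def check(self, up, t):
        self.history.append(up)
        sent = []
        # 1. Flap detection, with hysteresis so it does not itself flap.
        if len(self.history) >= self.min_samples:
            ratio = self._change_ratio()
            if not self.flapping and ratio >= self.flap_high:
                self.flapping = True
                sent.append((t, "FLAPPING START"))
            elif self.flapping and ratio <= self.flap_low:
                self.flapping = False
                sent.append((t, "FLAPPING STOP"))
        # 2. Soft/hard state: failures need max_attempts in a row, recoveries
        #    take effect at once. Notifications are held back while flapping.
        observed = "UP" if up else "DOWN"
        if observed == self.hard_state:
            self.attempts = 0
        else:
            self.attempts += 1
            if up or self.attempts >= self.max_attempts:
                self.hard_state, self.attempts = observed, 0
                if not self.flapping:
                    sent.append((t, observed))
        self.notifications.extend(sent)
        return sent

    def run(self, results):
        for t, up in enumerate(results):
            self.check(up, t)
        return self.notifications


if __name__ == "__main__":
    # Constructed sequences: one blip, one real outage, one flapping link.
    print("blip:   ", HostMonitor().run([True] * 3 + [False] + [True] * 2))
    print("outage: ", HostMonitor().run([True] * 3 + [False] * 4 + [True]))
    flappy = [False, True] * 6 + [True] * 10
    print("flapping:", HostMonitor(max_attempts=1, window=10, min_samples=6).run(flappy))
```

The flapping run makes the trade-off visible: the link changes state twelve times, but only five state notifications go out before the detector engages, followed by one start and one stop event. A real system would re-announce the current hard state when flapping stops; that is a one-line addition.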
Security Considerations
It's difficult to enforce security policies. Without a monitoring system, policy breaches and technology failures can go undetected, but a centralized monitoring system can help you ensure policy compliance and make a complex network manageable.

By analyzing the data from the monitoring system, you can figure out if your security policies and enforcement tools are effective. The analysis also gives executive management the feedback necessary to adjust and revise their security philosophy and policies periodically.

Network monitoring systems do have a few caveats. The first is compatibility. If you're using standard equipment and running standard software,2 your monitoring problems should be minimal. But if you have legacy equipment or custom software that you want monitored, things become much more difficult. You will probably have to get consultants to add support for nonstandard devices.
2. "Standard" means universally accepted and supported. These software and hardware standards include, but are not limited to, the following: Sun, Oracle, Microsoft, IBM, Cisco, HP, Intel.
Ironically, a central management system can actually weaken security. Think about what happens if a hacker gets into your central management system: he has immediate and total control of your network. In some cases, he doesn't even need access to the central system; he just has to impersonate it, because a device that accepts commands on the strength of a source address or a cleartext credential cannot tell the real station from a forgery. Although some network devices and servers have secure mechanisms for performing remote administration, others don't. You might want to consider keeping systems whose remote administration is weakly secured out of central administration altogether.

These applications will only display what they've been designed to observe. What if the central system is missing something critical or is not working correctly? The bottom line is that security requires the involvement of skilled human beings at some level. You'll need to have some specialists on staff that can tell when something's wrong, even when the system says that all is well.

Some of these systems make it all too easy to define and implement site-wide technical security policies. Security-sensitized information technology (IT) staff can be tempted to create arbitrary technical policies that are not mandated by existing organizational policies. This is the classic "solution in search of a problem" situation. It happens because the applications only handle security as a technical process, not as a business or philosophical process.

Faults aside, without central command systems it would be impossible to build and maintain large networks. Just the monitoring alone is critical. Imagine how difficult it would be if you had to manually check the status of hundreds or thousands of servers and desktops. These tools also automate routines that otherwise take up massive amounts of time, such as deploying updated software. Simplifying basic network management tasks means that less experienced employees can monitor the network effectively. This can save your company money in IT staffing, which always makes management happy.

Having a bird's-eye view of your network is also a big advantage. Many of these systems have visualization tools that can show you a 2D or 3D representation of your network and its status. If a picture is worth a thousand words, these pictures are worth about a million pages of status reports.
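An added example of the impersonation problem described above, not code from the book or from any vendor's agent. `WeakAgent` executes any command that appears to come from the station's address, which is how many legacy remote-administration channels behaved; `HmacAgent` executes a command only if it carries a valid HMAC (under a key shared with the station) over a timestamp, a nonce and the command text, and it rejects stale and replayed messages. The station address, key, message layout and commands are this example's own assumptions; in practice the same property is usually obtained with mutual TLS. Note that this defends against a forged station, not against a station that has itself been compromised, which remains the first problem the text raises.

```python
"""Added example: authenticating commands from a central management station.

Constructed values throughout (station address, key, commands); the message
layout payload + "." + hex(HMAC-SHA256) is this example's own convention.
"""
import hashlib
import hmac
import json
import os
import time

STATION_IP = "10.0.0.5"  # constructed sample address of the central station


class WeakAgent:
    """Accepts any command that appears to come from the station's address."""

    def __init__(self, trusted_ip=STATION_IP):
        self.trusted_ip = trusted_ip
        self.executed = []

    def handle(self, src_ip, message):
        if src_ip != self.trusted_ip:
            return False
        # A source address is forgeable (trivially over UDP) and can be taken
        # over on the station's own subnet, so this check proves nothing.
        self.executed.append(json.loads(message)["command"])
        return True


class Station:
    """Central station side: signs each command it issues with the shared key."""

    def __init__(self, key):
        self.key = key

    def issue(self, command, now=None):
        body = {"ts": int(time.time() if now is None else now),
                "nonce": os.urandom(8).hex(),
                "command": command}
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        mac = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        return payload + b"." + mac


class HmacAgent:
    """Executes only commands whose MAC verifies and that are fresh and unseen."""

    MAX_SKEW = 30  # seconds a signed command stays valid

    def __init__(self, key):
        self.key = key
        self.seen = {}  # nonce -> timestamp, for replay detection
        self.executed = []

    def handle(self, src_ip, message, now=None):
        # src_ip is kept only for logging; it plays no part in the decision.
        now = time.time() if now is None else now
        try:
            payload, mac = message.rsplit(b".", 1)
        except ValueError:
            return False                             # malformed
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, mac):   # constant-time comparison
            return False                             # forged or tampered
        body = json.loads(payload)
        if abs(now - body["ts"]) > self.MAX_SKEW:
            return False                             # stale, or clocks far apart
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.MAX_SKEW}
        if body["nonce"] in self.seen:
            return False                             # replay of a captured command
        self.seen[body["nonce"]] = body["ts"]
        self.executed.append(body["command"])
        return True


if __name__ == "__main__":
    key = os.urandom(32)
    station, agent = Station(key), HmacAgent(key)
    cmd = station.issue("restart syslog")
    print("genuine:", agent.handle(STATION_IP, cmd))
    print("replayed:", agent.handle(STATION_IP, cmd))
    print("spoofed source, weak agent:",
          WeakAgent().handle(STATION_IP, b'{"command":"rm -rf /"}'))
```

The nonce window is bounded by `MAX_SKEW`, so the replay cache cannot grow without limit, and the timestamp check means the agent and the station need roughly synchronized clocks; a mis-set clock shows up as every command being rejected, which is the safe failure.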
Making the Connection
Cryptography: Data traveling across the network can be encrypted for added security.

Outsourcing: Network monitoring is frequently outsourced, which has many benefits and issues, enough that it gets its own chapter in the next part.

Disaster prevention: Proper monitoring can help detect minor failures before they become major ones.
Proactive security: Data gathered while monitoring can make risk management techniques and forensics much easier.
Determining identity: Access attempts, successes, and failures can be monitored to detect intrusions.

Preserving privacy: Data can be used to assemble profiles on users. This might be a benefit or a problem, depending on your organizational policies.

Networking hardware: Most network hardware is designed to provide information to monitoring systems, either through SNMP or some other system.

Firewalls/proxies: These devices are the first line of defense from the outside world and can help identify problems and abuse inside and outside the network.

Storage: Full disk drives, exceeded quotas, and file corruption can be detected by monitoring the local file systems of critical machines such as servers. Performance, data access problems, and corruption can be detected and fixed.

Detecting intrusions: Most intrusion detection systems are built as part of a larger monitoring application, or they are integrated with central monitoring applications. The two concepts are closely related.

Expediting recovery: A good monitoring system immediately indicates any problem that requires disaster recovery. The faster a problem is identified, the faster a solution can be executed.
Best Practices
The biggest problem in implementing network monitoring is determining which command center software is right for your network. After all, you won't find this type of software sitting in a shrink-wrapped box at your local computer store.

The current crop of network management systems falls into three classes. In first class, you'll find extraordinarily expensive "solutions,"3 such as IBM's Tivoli, HP's OpenView, and CA's Unicenter. In business class, you'll find smaller vendors and consultants. Back in coach, you'll find a bunch of open source software developers eating peanuts and hacking into the in-flight entertainment system. They have created free systems called Nagios, Ganglia, and OpenNMS.

Which way you go depends on the size of your company. If your company is huge, with a network consisting of thousands of computers, you'll want to look at the high-end solutions. If you're a business that can free up time but not money, or if you have a savvy IT department with Unix skills, the open source systems are a great place to start. It can also be helpful to talk to a few consulting firms that offer products or services that fit your needs. Often the right consultants can implement and manage one of the open source or low-cost solutions provided by niche vendors.
3. By solution, we mean the product + implementation consulting + new servers + new networking hardware + yearly licensing + permanent operational consulting + technical support contract + hardware maintenance contracts + software upgrade contract.
Final Thoughts
If you are considering the high-end products, go to their Web sites. Confused by all the different products and solutions? It's intentional. You're supposed to get a sales rep to tell you what you need, but just in case you want to figure it out alone, here are a few pointers:

Products such as Tivoli, OpenView, or Unicenter are not designed to work right out of the box. What you're buying is a core product and lots of component modules that provide specific types of control and analysis. Components are also provided to connect to the various machines in your network for advanced operations. For example, one component might be specifically designed to interact with an Oracle database.

These companies have cleverly designed their solutions such that every high-end product in their catalogue is a "necessary component." Put some pressure on the sales rep and watch how quickly things become "optional."

You might notice that things you thought were related (such as security and network monitoring) are sold as separate products. Many vendors split up their software based on marketing potential, not technical functionality. So what should be a single system is actually five or more separate systems with overlapping functionality.
If you ask any of these high-end vendors about the smaller solutions (including open source), they may turn their nose up. Ask them to explain why their system is better and they'll present three basic arguments: features, scalability, and support. All three are flawed arguments.

Many of the features the large systems offer will never be used in practice. Think about all the features in Microsoft Office that are hyped up but are unnecessary for conducting normal business in your organization. If the smaller software solutions do what you want them to do, why should you care about features you'll never use?

The big players will tell you their products are much more scalable. They really aren't; they just require really powerful equipment, and that same equipment will generally solve the scalability issues of most software.

Support is also a trick argument. If you use one of the major open source applications (Ganglia, Nagios, or OpenNMS), you may find cheaper consultants that can support the system. What you may not find is standards. Support might be a fraction of the cost that major vendors charge, but are you getting the same peace of mind and consistent service?

You might find that no single open source system has all the features you want. The good news is you can try them all indefinitely, because they are free. That said, some aspects of these systems could create extra network traffic. Make sure you're not congesting your network with overlapping functionality.

Open source systems often require a degree of tinkering that is equivalent to giving the space shuttle a tune-up. Sometimes what is saved in licensing fees is lost in time. Be sure to have the right people working on the project who have specific experience with open source network monitoring systems.