- SPiDER-1 components: Agent, Manager, Console -

SPiDER-1 Agent
Event Collection
Five collectors in the Intelligent Agent collect events. This function
can be enabled or disabled in the Option tab at the time of installation.
Each of the five collectors runs as its own thread inside the Agent.
(1) Collectors
The Collector observes events and transforms them into a standardized
format. Each collector is composed of a thread that can be executed
individually and collects all events related to security, such as those
from network equipment, firewalls, intrusion detection systems, server
security systems, UNIX Syslog messages, Windows event logs, etc.
- Collector Structure -

There are five types of Collectors:
API Collector: Events are collected through the API provided by the vendor.
This would be the case for Check Point's FireWall-1 or CA's eTrust Access
Control.
SNMP Trap Collector: Events are collected through SNMP Traps. This method is
used by RealSecure and BlackICE of ISS, Dragon of Enterasys, and SecoShield
of SECOS.
Syslog Collector: Events are collected through remote Syslog. NetScreen of
NetScreen and PIX of Cisco belong to this type.
Log File Collector: This type is used if the events are managed in log
files. ITA of Symantec is an example of this type.
System Collector: Collects events about major systems (integrity check
information about major files, and information about the CPU, memory,
processes, disk, etc.).
- Event Collection/Management Process -

(2) Objects To Be Collected
Network Equipment: Collecting events from network equipment, such as the
router or switch, in order to observe their status of operation.
Firewall and Virtual Private Network: Collecting events from the firewall
and VPN, including traffic logs, alert logs and warning logs.
Intrusion Detection: Collecting detected intrusions from the IDS, including
both host-based and network-based IDS systems.
Server Security System: Collecting events related to server-based access
control, such as CA's eTrust Access Control or Symantec's ITA.
Content Filtering: Collecting events such as logs from mail filtering or
Internet access control products.
Virus Vaccine: Collecting events from virus vaccine executions and their
results.
Web/Proxy: Collecting security-related events from the Web Server or Proxy
Server.
System: Collecting events about the system (information about CPU, memory,
processes, disk, the integrity of major files, and system information).
(3) Range of Collection
A template is provided in which the policies of the collectors can be
configured and the user environment and management regulations can be
defined.
Normalization
All collected events of each category pass through the Normalization
Process, which standardizes the different formats of the events in order to
facilitate their management. The Normalization Process enables the analysis
and alert functions by standardizing the similar fields of the events within
each category.
Firewall and Virtual Private Network (VPN): The fields and information of
each firewall and VPN, with their traffic logs, alert logs and warning logs,
will be different. In order to standardize the differences, the normalization
process proceeds as in the picture below:
- Normalization Process of Firewall & VPN -
Intrusion Detection System: The event fields of each IDS system are all very
similar. However, the name or category of attacks, the attack level, etc. are
defined and used differently. Therefore, the normalization process
standardizes the events by using the SPiDER-1 mapping table.
- Normalization Process of Intrusion Detection -
Server Security System: Normalizes each field of the event logs related to
server-based access control, so that any other product that is integrated
at a later time can be managed easily.
System: Normalizes and manages each field of the event logs in the system
(Unix's Syslog, Windows' event logs, etc.).
Others: The same normalization process is conducted for other equipment or
systems that belong to the list of the collectors.
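As an added illustration of the normalization step described above (example code, not SPiDER-1's own implementation): two IDS products report the same attack under different signature names, and a firewall traffic line uses yet another format; a hypothetical common schema, a small mapping table in the spirit of the SPiDER-1 mapping table, and constructed raw line formats bring them onto one set of fields so that the alert and analysis functions can treat them alike.

```python
import re
from dataclasses import dataclass

# Hypothetical common schema; the page does not publish SPiDER-1's real field names.
@dataclass
class NormalizedEvent:
    category: str  # "firewall" or "ids"
    source: str    # product that produced the raw event
    src_ip: str
    dst_ip: str
    action: str    # accept/deny for firewalls, "alert" for IDS
    attack: str    # standardized attack name (IDS only, "" otherwise)
    level: int     # standardized severity, 1 (low) to 5 (high)

# Hypothetical mapping table in the spirit of the "SPiDER-1 mapping table":
# (product, vendor-specific signature) -> (standard attack name, standard level).
IDS_MAPPING = {
    ("realsecure", "HTTP_IIS_Unicode"): ("Web directory traversal", 4),
    ("dragon", "WEB:IIS-UNICODE"): ("Web directory traversal", 4),
    ("realsecure", "Port_Scan"): ("Port scan", 2),
}
FIREWALL_LEVEL = {"accept": 1, "deny": 3}
# Constructed raw line formats for this example; they are not real vendor output.
FIREWALL_RE = re.compile(r"^(?P<action>accept|deny)\s+(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+)$")
IDS_RE = re.compile(r"^sig=(?P<sig>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)$")

def normalize_firewall(source, line):
    """Map a firewall/VPN traffic line onto the common schema; None if unparseable."""
    m = FIREWALL_RE.match(line.strip())
    if not m:
        return None
    return NormalizedEvent("firewall", source, m["src"], m["dst"],
                           m["action"], "", FIREWALL_LEVEL[m["action"]])

def normalize_ids(source, line):
    """Map an IDS alert via the mapping table; unknown signatures keep the vendor name, level 3."""
    m = IDS_RE.match(line.strip())
    if not m:
        return None
    name, level = IDS_MAPPING.get((source, m["sig"]), (m["sig"], 3))
    return NormalizedEvent("ids", source, m["src"], m["dst"], "alert", name, level)

def count_by_attack(events):
    """After normalization the same attack seen by different IDS products shares one name."""
    counts = {}
    for ev in events:
        if ev is not None and ev.category == "ids":
            counts[ev.attack] = counts.get(ev.attack, 0) + 1
    return counts
```

Feeding one RealSecure alert and one Dragon alert for the same attack through `normalize_ids` and then `count_by_attack` yields a single attack name with a count of 2, which is what lets the alert function correlate across products.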