SPiDER-1 Console
Analysis
Event Analysis and Audit are important elements of risk management. Although many security systems are deployed to minimize the risk level, vulnerabilities always remain, so systematic and organized measures are needed to cope with them.
Each individual security system has the limitations listed below.
(1) Limitations of Firewall systems
Open ports (DNS, WWW, SMTP, etc.) : Some ports have to be left open so that essential services remain reachable, and traffic to those ports passes the firewall whatever its intent.
Internal misuse/attacks : Attacks launched by internal users never cross the perimeter firewall at all.
Inherent limitations (a Firewall is not an IDS) : It can only enforce the access rules configured in the security policy; it cannot actively detect and block attacks carried inside permitted connections.
Configuration errors (human errors) : An administrator may misconfigure a policy and allow access that attackers can misuse.
(2) Limitations of IDS systems
Too many false alarms : False alarms lead to alert fatigue, so that real alarms are not taken seriously.
IDS evasion methods (shell code, CGI scanners) : Many techniques exist to bypass the IDS.
Configuration errors (human errors) : Some attacks are not detected because of configuration errors, for example a disabled signature or a badly tuned threshold.
To overcome these limitations and keep security policies flexible, it is necessary to analyze events continuously and to feed the results back into the policies. The need for such continued analysis is illustrated by the following example.
Let's assume that an access from the outside to the internal network is attempted via FTP.
When the external address (211.45.162.58) attempts to access the internal address (211.45.162.86), the IDS log will look like the following:
- Example of an IDS Log -
The IDS can only report that it saw the attack pattern; it cannot judge the result (that is, whether the access was allowed or denied).
The result of that attack pattern can be found in the log of the firewall, where the same event will look like this:
- Example of a Firewall Log -
As shown in the picture above, the access to the destination address was allowed.
That is, the type of action (accept or deny) can be confirmed, but it is still not possible to judge the result and status after the connection is established to the destination address (211.45.162.86). The reason for this uncertainty is that the user ID and password submitted over FTP might or might not pass the authentication process.
To confirm the status after the connection is established, it is necessary to analyze the logs of the internal system at the destination address.
The final result would look like the picture below:
- Example of the System Log -
The picture shows that the user logged in with the user ID "guest" from the external address (211.45.162.58) to the internal address (211.45.162.86) and used FTP for one minute.
Using such a continued analysis of events across all three sources, risk elements can be identified and consistently eliminated through real-time analysis and alerting.
- Structure of Risk-Minimizing Security Management -
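The three-step analysis above (IDS alert, then firewall record, then host log) as a worked example. This is added example code, not SPiDER-1 code: the page shows the three logs only as screenshots, so the line layout (a timestamp followed by key=value fields) is constructed here; the addresses 211.45.162.58 and 211.45.162.86, the FTP service and the "guest" login are taken from the page's scenario, and the second, denied event (198.51.100.7, a CGI scan) is added sample data so the denied branch is exercised too. The 60-second correlation window is an assumption.

```python
"""Follow one IDS alert through the firewall log and the target host's
log to establish what the access actually achieved.

Added example, not SPiDER-1 code. Log layouts and all data except the
page's two addresses, the FTP service and the "guest" login are constructed.
"""
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample logs. The second IDS event is denied by the firewall,
# so the analysis can show a "denied" verdict next to the "logged_in" one.
IDS_LOG = """\
2003-05-12 10:21:04 src=211.45.162.58 dst=211.45.162.86 dport=21 sig=FTP-login
2003-05-12 10:21:30 src=198.51.100.7 dst=211.45.162.86 dport=80 sig=CGI-scan
"""
FIREWALL_LOG = """\
2003-05-12 10:21:05 action=accept src=211.45.162.58 dst=211.45.162.86 proto=tcp dport=21
2003-05-12 10:21:31 action=deny src=198.51.100.7 dst=211.45.162.86 proto=tcp dport=80
"""
SYSTEM_LOG = """\
2003-05-12 10:21:07 ftpd event=login user=guest from=211.45.162.58
2003-05-12 10:22:07 ftpd event=logout user=guest from=211.45.162.58
"""


def parse(log):
    """Turn 'YYYY-MM-DD HH:MM:SS key=value ...' lines into (time, fields)."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts = datetime.strptime(line[:19], TS_FMT)
        fields = dict(tok.split("=", 1) for tok in line[20:].split() if "=" in tok)
        events.append((ts, fields))
    return events


def correlate(ids_event, fw_events, sys_events, window=timedelta(seconds=60)):
    """Return how far the access reported by one IDS alert got.

    stage: 'alerted'   IDS saw it, no matching firewall record
           'denied'    firewall dropped it
           'accepted'  firewall passed it, no host-side evidence of success
           'logged_in' host shows a login (user and session length added)
    """
    ts, a = ids_event
    verdict = {"src": a["src"], "dst": a["dst"], "stage": "alerted"}

    # Firewall record for the same flow, close in time to the alert. Clock
    # skew between sensors is normal, so the window is applied both ways.
    fw = [(t, f) for t, f in fw_events
          if (f["src"], f["dst"], f.get("dport")) == (a["src"], a["dst"], a.get("dport"))
          and abs(t - ts) <= window]
    if not fw:
        return verdict
    fw_time, fw_rec = fw[0]
    if fw_rec["action"] != "accept":
        verdict["stage"] = "denied"
        return verdict
    verdict["stage"] = "accepted"

    # Host record: a login from the same source shortly after the accept.
    logins = [(t, f) for t, f in sys_events
              if f.get("event") == "login" and f.get("from") == a["src"]
              and fw_time <= t <= fw_time + window]
    if not logins:
        return verdict
    t_in, login = logins[0]
    verdict.update(stage="logged_in", user=login["user"])
    logouts = [t for t, f in sys_events
               if f.get("event") == "logout" and f.get("user") == login["user"]
               and f.get("from") == a["src"] and t >= t_in]
    if logouts:
        verdict["duration_s"] = int((logouts[0] - t_in).total_seconds())
    return verdict


def analyze(ids_log=IDS_LOG, fw_log=FIREWALL_LOG, sys_log=SYSTEM_LOG):
    """Correlate every IDS alert against the firewall and host logs."""
    fw, host = parse(fw_log), parse(sys_log)
    return [correlate(e, fw, host) for e in parse(ids_log)]


if __name__ == "__main__":
    for verdict in analyze():
        print(verdict)
```

Run as-is, the FTP access ends at stage logged_in with user guest and a 60-second session, and the CGI scan ends at denied. The firewall match keys on the flow tuple (source, destination, port) plus a time window rather than on any shared identifier, because in the page's scenario the three devices share no common session ID; the window width is the parameter to tune when sensor clocks are not synchronized, and a match that stops at "accepted" is exactly the uncertainty the text describes, an allowed connection whose authentication outcome is unknown.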
Statistics Report
The report expresses all the risk elements, attacks, intrusions, etc. detected by each security system in figures and helps to quickly configure policies against the security vulnerabilities and exposures.
The report includes all the elements below:
Trend of traffic flow
Trend of major denied events
Status of TOP n access (protocol, system, service, etc.)
Summary of intrusion patterns
List of major attackers
TOP n black list (attacked systems, attack type, etc.)
Trend of used system resources (CPU, Memory, etc.) by day and hour
The report also displays various graphs and tables of statistics.
The analytical part of the statistics report covers all categories under surveillance, such as the Firewall, IDS, general systems of major importance, and the trend of system use.
- Example of a Statistics Report -
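The firewall-derived figures of the report above (traffic trend, major denied events, TOP n access, major attackers, black list) as a worked example. This is added example code, not SPiDER-1 code: the page shows the report only as a screenshot, so the log layout (timestamp plus key=value fields) and every address other than the page's 211.45.162.58 and 211.45.162.86 are constructed sample data, and the port-to-service name table is an assumption used only for labelling. The system-resource trend (CPU, memory) is not produced here because it comes from host agents rather than from a firewall log.

```python
"""Compute the figures of a statistics report from a firewall log: hourly
trend, TOP n access, major denied events, major attackers and black list.

Added example, not SPiDER-1 code. Log layout, sample addresses other than
the page's two, and the service-name table are constructed assumptions.
"""
from collections import Counter

# Constructed firewall log covering three hours of one day.
FIREWALL_LOG = """\
2003-05-12 09:15:02 action=accept src=211.45.162.58 dst=211.45.162.86 proto=tcp dport=21
2003-05-12 09:15:40 action=deny src=198.51.100.7 dst=211.45.162.86 proto=tcp dport=23
2003-05-12 09:16:01 action=deny src=198.51.100.7 dst=211.45.162.87 proto=tcp dport=23
2003-05-12 10:02:13 action=deny src=198.51.100.7 dst=211.45.162.86 proto=tcp dport=139
2003-05-12 10:03:55 action=accept src=203.0.113.4 dst=211.45.162.86 proto=tcp dport=80
2003-05-12 10:04:10 action=accept src=203.0.113.4 dst=211.45.162.86 proto=tcp dport=80
2003-05-12 10:20:59 action=deny src=203.0.113.4 dst=211.45.162.88 proto=udp dport=161
2003-05-12 11:41:07 action=accept src=211.45.162.58 dst=211.45.162.86 proto=tcp dport=25
"""

# Assumed port-to-service names, used only to label the report rows.
SERVICE = {"21": "ftp", "23": "telnet", "25": "smtp", "80": "http",
           "139": "netbios", "161": "snmp"}


def records(log):
    """Yield one dict per log line; 'hour' keeps the day-and-hour bucket."""
    for line in log.splitlines():
        if line.strip():
            rec = dict(tok.split("=", 1) for tok in line[20:].split())
            rec["hour"] = line[:13]          # "2003-05-12 09"
            yield rec


def service(rec):
    """Label a record by protocol and service, falling back to the port."""
    return f'{rec["proto"]}/{SERVICE.get(rec["dport"], rec["dport"])}'


def statistics(log=FIREWALL_LOG, n=3):
    """Return the report figures as plain Python values (lists of (key, count))."""
    recs = list(records(log))
    denied = [r for r in recs if r["action"] == "deny"]
    accepted = [r for r in recs if r["action"] == "accept"]
    return {
        "traffic_trend": sorted(Counter(r["hour"] for r in recs).items()),
        "denied_trend": sorted(Counter(r["hour"] for r in denied).items()),
        "top_access": Counter(service(r) for r in accepted).most_common(n),
        "major_denied": Counter(service(r) for r in denied).most_common(n),
        "major_attackers": Counter(r["src"] for r in denied).most_common(n),
        "black_list": Counter(r["dst"] for r in denied).most_common(n),
    }


def render(stats):
    """Format the figures as the text tables a report page would carry."""
    out = []
    for title, rows in stats.items():
        out.append(title.replace("_", " ").upper())
        for key, count in rows:
            out.append(f"  {key:<24}{count:>6}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(statistics()))
```

On the constructed data the major-attackers table ranks 198.51.100.7 first with three denied events, the black list puts 211.45.162.86 first as the most-targeted system, and the denied trend shows two denials in each of the 09:00 and 10:00 hours. The same aggregation runs unchanged over an IDS alert log once its records carry the same src, dst and hour fields, which is how the report's "summary of intrusion patterns" would be produced from the signature names.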