Firewall Analyzer catches Spam Relays

Dec 08 2009 04:30:05 AM Posted By : Shri Shankar

"Be proactive rather than reactive" is the slogan of any NOC (Network Operations Center) or network specialist. The basic requirement is to make sure there is no compromise activity on your network and that the policies on your perimeter are intact.

Here is a support case we handled very recently for an enterprise that had suffered a very large compromise, and how our SEM (Security Event Management) module gave them enough information to nail down the issue completely.

This enterprise runs premium data centers, with multiple firewalls deployed across the globe. Firewall Analyzer Distributed Edition is deployed there: Log Collectors monitor their critical firewalls, and the Admin Server is managed by the Network Operations Center (NOC).

The actual support request was to set up a mechanism through which they could see the traffic activity of a separate subnet holding critical servers (the ones that hold their backed-up data), along with some product customization.

Since the subnet had a mail server, we thought of adding an "Anomaly Profile", which we normally advise all customers to do, as it is not uncommon for attackers to turn a compromised system into a spam relay. With this in mind, monitoring outbound TCP/25 activity from every system except your legitimate SMTP servers is an excellent way of catching these relays: a backup server, a workstation or a database host has no business opening SMTP connections to the Internet, so even a handful of such connections is worth an alert, and a burst of them is a strong signal.
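To make that rule concrete, here is an added example (written for this edit, not code from the original post or from Firewall Analyzer) that runs the same check over firewall syslog. It parses Cisco ASA "Built outbound TCP connection" lines (message 302013), skips any host in an allow-list of legitimate SMTP servers, tallies every other host's outbound TCP/25 connections (the "Normal" profile: any hit is worth a look), and raises an anomaly when one host builds a burst of them inside a short window. The log lines, the allow-listed address 10.10.5.5, the threshold and the window are all constructed assumptions for the demonstration; the message layout is modelled on the documented ASA 302013 format but is not log data from the case described.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog in the style of Cisco ASA message 302013 (an
# assumed format for illustration, not log data from the case in the post).
# For an outbound build the ASA lists the outside (destination) endpoint
# first, then the inside (source) endpoint, each as real/port (mapped/port).
# 10.10.5.5 plays the legitimate mail server, 10.10.5.20 the backup server.
SAMPLE_LOGS = """\
Dec 08 2009 04:12:01 %ASA-6-302013: Built outbound TCP connection 41001 for outside:203.0.113.10/25 (203.0.113.10/25) to inside:10.10.5.5/51000 (198.51.100.7/51000)
Dec 08 2009 04:12:02 %ASA-6-302013: Built outbound TCP connection 41002 for outside:203.0.113.11/25 (203.0.113.11/25) to inside:10.10.5.5/51001 (198.51.100.7/51001)
Dec 08 2009 04:12:05 %ASA-6-302013: Built outbound TCP connection 41003 for outside:203.0.113.20/25 (203.0.113.20/25) to inside:10.10.5.20/52000 (198.51.100.7/52000)
Dec 08 2009 04:12:06 %ASA-6-302013: Built outbound TCP connection 41004 for outside:203.0.113.21/25 (203.0.113.21/25) to inside:10.10.5.20/52001 (198.51.100.7/52001)
Dec 08 2009 04:12:09 %ASA-6-302013: Built outbound TCP connection 41005 for outside:203.0.113.30/443 (203.0.113.30/443) to inside:10.10.5.20/52002 (198.51.100.7/52002)
Dec 08 2009 04:12:10 %ASA-6-302014: Teardown TCP connection 41001 for outside:203.0.113.10/25 to inside:10.10.5.5/51000 duration 0:00:09 bytes 4120 TCP FINs
Dec 08 2009 04:12:14 %ASA-6-302013: Built outbound TCP connection 41006 for outside:203.0.113.22/25 (203.0.113.22/25) to inside:10.10.5.20/52003 (198.51.100.7/52003)
Dec 08 2009 04:12:20 %ASA-6-302013: Built outbound TCP connection 41007 for outside:203.0.113.23/25 (203.0.113.23/25) to inside:10.10.5.20/52004 (198.51.100.7/52004)
Dec 08 2009 04:12:33 %ASA-6-302013: Built outbound TCP connection 41008 for outside:203.0.113.40/25 (203.0.113.40/25) to inside:10.10.5.31/53000 (198.51.100.7/53000)
"""

# Assumed allow-list: the only hosts permitted to speak SMTP outbound.
LEGIT_SMTP = {"10.10.5.5"}

# Matches only outbound "Built" events; teardown and other messages are ignored.
BUILT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"%ASA-\d-302013: Built outbound TCP connection \d+ "
    r"for (?P<oif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\) "
    r"to (?P<iif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"\((?P<mapped>[\d.]+)/(?P<mport>\d+)\)$"
)


def parse_built(line):
    """Return the fields of one outbound-build event, or None for other lines."""
    m = BUILT_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        "src": m["src"],        # real (inside) address of the initiating host
        "mapped": m["mapped"],  # address it was translated to (PAT) on the way out
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def outbound_smtp_events(lines, legit_smtp):
    """Yield outbound TCP/25 builds from hosts that are not allowed to send mail."""
    for line in lines:
        ev = parse_built(line)
        if ev is not None and ev["dport"] == 25 and ev["src"] not in legit_smtp:
            yield ev


def tally_outbound_smtp(lines, legit_smtp):
    """'Normal' profile: count every unexpected outbound SMTP build per host."""
    return Counter(ev["src"] for ev in outbound_smtp_events(lines, legit_smtp))


def outbound_smtp_anomalies(lines, legit_smtp, threshold=3, window=timedelta(minutes=1)):
    """'Anomaly' profile: hosts that built >= threshold unexpected SMTP
    connections inside any span of `window`. Returns {src: alert details}."""
    by_host = defaultdict(list)
    for ev in outbound_smtp_events(lines, legit_smtp):
        by_host[ev["src"]].append(ev)
    alerts = {}
    for src, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        # Slide over `threshold` consecutive events; alert on the first run
        # whose first-to-last span fits inside the window.
        for i in range(len(events) - threshold + 1):
            if events[i + threshold - 1]["ts"] - events[i]["ts"] <= window:
                alerts[src] = {
                    "count": len(events),
                    "first": events[0]["ts"],
                    "last": events[-1]["ts"],
                    "mapped": sorted({e["mapped"] for e in events}),
                    "destinations": sorted({e["dst"] for e in events}),
                }
                break
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    print("outbound TCP/25 from non-mail hosts:", dict(tally_outbound_smtp(lines, LEGIT_SMTP)))
    for host, a in outbound_smtp_anomalies(lines, LEGIT_SMTP).items():
        print(f"ALERT {host}: {a['count']} SMTP connections "
              f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S} via PAT {a['mapped']} "
              f"to {a['destinations']}")
```

Run against the constructed sample, the mail server's two connections are ignored, the single connection from 10.10.5.31 shows up in the tally for a human to look at, and 10.10.5.20 (four SMTP builds in fifteen seconds, the HTTPS connection not counted) trips the anomaly. The alert carries the mapped address from the PAT rule so the analyst can see which public address the relay traffic left through; in a real deployment the allow-list should be exactly the set of SMTP hosts your egress policy permits, so that the rule and the report never disagree.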

Within 15 minutes of the setup, voilà, we struck gold! One of their critical servers had been compromised (by an internal user!) and turned into a spam relay, and a small glitch in certain conditions of their PAT rules had added to the existing problem. Surprisingly, it had been done very smartly and was almost invisible; nobody had suspected it as the cause of the network choke.

The moral of the story: explore the possibility of adhering to SIM and SEM objectives so as to be more "proactive than reactive".

Here are some tips for your review.

1. Create alert profiles (Normal / Anomaly) in Firewall Analyzer based on thresholds that best suit your requirements. Firewall Analyzer is a powerful tool that can warn you the moment there is a compromise attempt on your network.

2. It is best practice for the NOC community to simulate such events themselves, to learn how their devices react in these situations. We saw a minor configuration issue in their device policy that permitted these transactions. Always assume that the attacker community is more resourceful than you. Always check and double-check.

3. Ensure all policies are tuned and optimized to secure the network. Check the Firewall Rules Report for a deeper drill-down.

4. Firewall Analyzer produces strong reports and alerts, but a scheduled audit of the raw logs, by loading the archives and checking the activity, will surely give a better understanding, and that understanding should be translated into policy tweaks.

5. We are a SIEM vendor; check with us regularly for best practices on the application side and for out-of-the-box solutions.

Jingle bells are ringing on SIEM clouds!!

We have taken up support for NetFlow logs in Firewall Analyzer, with more features in this bundle, probably a Christmas or New Year gift from the ManageEngine shop.

Until now, the capability to export NetFlow packets was mostly restricted to devices like routers and switches. Cisco ASA v8.2 firewall devices can export NetFlow records alongside their syslogs. This is a milestone achieved by Cisco.

Firewall Analyzer currently supports syslog from Cisco ASA devices, and we have kick-started the work to add log analysis for NetFlow packets from Cisco ASA v8.2 devices alongside the existing syslog support. We intend to deliver this very soon.

As this is a top priority for us, we welcome your sample NetFlow logs so that we can include them in our test bed and deliver a solution.

This feature enhancement, along with a surprise bundle, is planned to be premiered as a service pack over our current version, Firewall Analyzer v6.

Cisco ASA v8.2 users are requested to get in touch with our support for the steps to be performed on the device to generate sample logs, and for upload links to send us those samples.

Rest assured, your logs are treated as confidential and used only to test and provide solutions.

Do get in touch with us if you would like a quick sneak peek at our next feature pack.

Thank you and Best regards,
Shri
Firewall Analyzer - Team

Read the blog post on the EventLog Analyzer blog about the Gartner report on security software by companies, and the need for high-quality, lower-cost security products like ManageEngine's.

Have a look at the Firewall Analyzer Enterprise Solution (Distributed Edition).