Service Providers

The Blind Don’t Make Great Visual Inspections

by kfrankli on ‎02-07-2012 11:56 AM (357 Views)

There is a great quote by a French filmmaker named Robert Bresson that says, “make visible what, without you, might perhaps never have been seen". What the Frenchman states, though tied to film, is a fundamental pillar of network security, everyone in the organization needs to participate in network security and as a networking or security professional, you trust no one and know what everyone is up to.

In this installment of my blog on security, I want to focus on gaining visibility through applying the proper logging and monitoring controls to network devices. In general, network devices, though not specific designed to collect security information, can provide very valuable insight for forensics and for troubleshooting security related incidents. They provide an additional level of visibility that is location specific and, when analyzed properly, very insightful. Without a holistic level of visibility, it is very difficult to determine the security posture of your network and, more importantly, impossible to properly assess what users are actually doing to and on the network.

As with everything else in security, logging is only useful if you have a good policy around collecting and monitoring logs, which can be done most efficiently with a comprehensive Security Information and Event Management (SIEM) solution. There are several great solutions available in the market and I will leave it to you to evaluate them to determine which is best for the needs of your organization.

Once you have selected a SIEM, it is critical that you deploy a strategy for automatic log-reviewing, which should consist, at a minimum, of the following:

  • Instruct the SIEM to ignore all events that you know are safe or unimportant
  • The SIEM should highlight events that you know are dangerous
  • Email or print out all other events for periodic review

Of course, all of the above items require some forethought before they can be implemented. However, this goes back to what I stated above, good security starts with good security policies and practices. It will take some type to “tune” your SIEM to find the right amount of automation, but it is an important step in gaining the right level of visibility. Now, let’s look at some of the log information that can be collected in Brocade’s network devices.

Brocade devices can log events in several ways:

  • Console Logging – Console log messages are displayed on the console port or through a remote connection to the Privilege EXEC and Console CLI. By default, Brocade devices write their log event information to the local system log. From a forensics or basic security standpoint, it may be very valuable to see the real-time messages as they are being written without having to issue the “show logging” command to refresh the screen with the latest log events. You can enable real-time Syslog monitoring for the console’s serial interface or for a Telnet or SSH session.
  • Buffered Logging – Buffered logs are stored in the Brocade device’s logging buffer memory space. There is a limited memory space in the buffered area and newer log entries overwrite the oldest entries when the buffer is filled. Buffered logs are great for accessing the environmental posture of a device, which is important for guaranteeing network availability.
  • Syslog – Brocade devices allow you to specify a maximum of six external Syslog servers to send event information to, allowing you to store all device messages. Multiple severity levels are supported:
    • Emergencies
    • Alerts
    • Critical
    • Errors
    • Warnings
    • Notifications
    • Informational
    • Debugging
  • SNMP Traps – Brocade devices can be configured with SNMP to send alerts or traps to third party SNMP servers to log specific events. SNMP v.3 is recommended because of its more secure access methods. Here is a list useful information that can be collected via SNMP:

    • MAC address bindings
    • IP address bindings
    • Type of hardware and version of operating system
    • Router interface information
    • Router tables
    • ARP tables
    • Device up time
  • AAA Accounting – Brocade devices can be configured to send events and system messages to external TACACS+ and RADIUS servers using the AAA authentication, authorization, and accounting features. The benefits of using AAA access are:

    • Scalability of authentication for all networked devices
    • Centralized username and password control
    • Centralized logging of activities
    • Centralized authorization of privileges
  • ACL Logging – Brocade devices allow for the logging of violations to a specific Access Control that has been implemented. This should be used carefully, as applying logs to certain types of ACLs will consume CPU and/or system log resources

Each one of the log events is covered more exhaustively in Brocade’s manuals. However, the key to the use of these features is the level of visibility they provide for determining your network’s security posture. The better you understand the features the more comprehensive a security policy you can implement. In my next installment, I will talk about the role Brocade’s devices play in the overall Cloud Security framework.