Log Audit Ensuring Behavior Compliance

Secoway eLog System
As organizations strengthen informatization construction, their
application systems (service systems, operating systems, databases,
and Web servers), security devices (firewalls and the UTM, IPS, IDS,
VPN, DPI, and AV devices), and network devices (routers, switches,
and access devices) continue to expand. It is urgent to set up a
comprehensive and unified log management system that manages all
logs across the network layer, system layer, and application layer.
Security incidents appear one after another on hosts, databases,
and Web servers, such as backdoor Trojan horses, SQL injections,
Web tampering, and internal data tampering. How can these security
incidents be detected and handled? How can they be investigated and
evidence collected?
To help organizations address these concerns, Huawei Technologies
Co., Ltd. (Huawei for short) launches a comprehensive log
management and security audit system, namely, Secoway eLog.
“Footmark” Record
Session Log Management
■■ The eLog system collects, parses, and stores session logs (NAT
logs) generated by firewalls, routers, and switches.
■■ It accurately traces the NAT process to provide evidence for
Behavior “Exposure”
Network Behavior Audit and Management
■■ The Secoway eLog system collects live statistics and displays
reports on various traffic such as basic traffic, application-specific
traffic, interface-specific traffic, and P2P traffic.
■■ The Secoway eLog system also provides reports on UTM features such
as IPS, mail filtering, AV, URL filtering, and IM monitoring and blocking.
User Behavior Audit and Management
■■ The Secoway eLog system analyzes the logs that the bypass probe
device generates for application-layer protocols such as FTP, Telnet,
and HTTP. Based on the analysis results, the Secoway eLog system
monitors high-risk operations and alerts administrators so that they
can take immediate action against suspicious behaviors.
■■ The Secoway eLog system audits operations on DB2, Oracle,
Informix, Sybase, and SQL Server databases to provide visibility
into current database operations and ensure data security.
Centralized Management
Unified Log Management Platform
■■ The Secoway eLog system collects logs from the following devices:
•• Huawei’s security devices, routers, switches, and BRAS devices.
•• Other vendors’ security and network devices.
•• Hosts, databases, and Web servers.
•• Standard syslog devices.
■■ The Secoway eLog system collects, categorizes, and stores all logs
in a reliable and large-capacity disk array.
Intelligent Security
User-centric Alarm Management
■■ The administrator can configure alarm policies. When an event
matches an alarm policy, the Secoway eLog system automatically
notifies the administrator through the configured alarm methods.
■■ The administrator can learn live alarm statistics on the entire
network or a specific device to gain visibility into the network
security posture.
Flexible Network Deployment
■■ Its distributed architecture allows the Secoway eLog system to be
smoothly upgraded from the centralized mode to the distributed
mode without changing the current network structure.
High Security and Reliability
■■ The Secoway eLog system has the following security and reliability features:
•• Supports HTTPS access to ensure data security.
•• Uses the buffer mechanism to avoid data loss in the case of
network failures.
•• Provides highly reliable storage and management of massive
logs, covering log compression, log backup to tape drives, and
quick disaster recovery.
Application Scenarios
Collecting Evidence: NAT/PAT Tracing
[Figure: gateway NAT session logs (binary log) from hotel, home, and public network scenarios are sent to the Secoway eLog system.]
•• Because public IP addresses are limited, most enterprises perform NAT or PAT on the gateway.
•• Security events on the internal or external network often pass through the gateway. Evidence can therefore be collected by
recording the NAT or PAT mapping information.
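The tracing step the scenario above relies on, as an added example (not eLog code and not the Eudemon binary NAT log format): given session logs with a start and an end record per translation, resolve an externally reported public address and time back to the internal host. The text log format, the sample records, and the `slack_seconds` clock-skew tolerance are assumptions made for the demo. The sample deliberately reuses one public port for two internal hosts in sequence, and leaves one session still open, because those are the two cases where a naive "look up the port" search attributes the wrong host or nothing at all.

```python
"""NAT/PAT tracing over session logs (added example, not eLog code).

Assumption: a constructed text NAT log with one 'start' and one 'end'
record per translated session; the real Eudemon/eLog binary format differs.
"""
import re
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: public port 40001 is reused by a second internal host after
# the first session ends, and 10.1.2.77's session has no end record yet.
SAMPLE_NAT_LOG = """\
2011-08-05 10:15:02 NAT proto=tcp src=10.1.2.34:51234 trans=203.0.113.5:40001 dst=198.51.100.7:80 action=start
2011-08-05 10:15:09 NAT proto=tcp src=10.1.2.77:52000 trans=203.0.113.5:40002 dst=198.51.100.9:443 action=start
2011-08-05 10:17:30 NAT proto=tcp src=10.1.2.34:51234 trans=203.0.113.5:40001 dst=198.51.100.7:80 action=end
2011-08-05 10:18:00 NAT proto=tcp src=10.1.2.90:40123 trans=203.0.113.5:40001 dst=198.51.100.7:80 action=start
2011-08-05 10:25:00 NAT proto=tcp src=10.1.2.90:40123 trans=203.0.113.5:40001 dst=198.51.100.7:80 action=end
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) NAT proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+:\d+) trans=(?P<trans>[\d.]+:\d+) "
    r"dst=(?P<dst>[\d.]+:\d+) action=(?P<action>start|end)$"
)


def parse_sessions(text):
    """Pair start/end records into sessions; 'end' is None for a still-open session."""
    open_sessions = {}
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate foreign lines instead of aborting the whole search
        key = (m["proto"], m["src"], m["trans"], m["dst"])
        ts = datetime.strptime(m["ts"], TS_FMT)
        if m["action"] == "start":
            open_sessions[key] = {"proto": m["proto"], "src": m["src"],
                                  "trans": m["trans"], "dst": m["dst"],
                                  "start": ts, "end": None}
        elif key in open_sessions:
            sess = open_sessions.pop(key)
            sess["end"] = ts
            sessions.append(sess)
        # an 'end' with no matching 'start' is a log gap: it cannot attribute anything
    sessions.extend(open_sessions.values())
    return sessions


def trace(sessions, public_addr, when, proto="tcp", dst=None, slack_seconds=0):
    """Internal src addresses that were translated to public_addr at time `when`.

    `slack_seconds` widens the match window to absorb clock skew between the
    external report and the gateway; the result is a list because a widened
    window (or port reuse) can legitimately yield more than one candidate.
    """
    t = datetime.strptime(when, TS_FMT)
    slack = timedelta(seconds=slack_seconds)
    hits = set()
    for s in sessions:
        if s["proto"] != proto or s["trans"] != public_addr:
            continue
        if dst is not None and s["dst"] != dst:
            continue  # the reported peer narrows the match when windows overlap
        if s["start"] - slack <= t and (s["end"] is None or t <= s["end"] + slack):
            hits.add(s["src"])
    return sorted(hits)


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_NAT_LOG)
    # An abuse report names 203.0.113.5:40001 at 10:20:00: the second host, not the first.
    print(trace(sessions, "203.0.113.5:40001", "2011-08-05 10:20:00"))
```

Two practical points fall out of the sample: a report timestamp that lands in the gap between two sessions on the same port yields no match, and widening the window for clock skew can produce two candidates, which is the honest answer rather than a guess; pair the trace with the reported destination address whenever the external report includes one.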
Behavior Control
[Figure: the Eudemon firewall and a bypass probe device report to the Secoway eLog system on virus intrusion and spreading; external intrusion attacks; IM software such as MSN and Yahoo; file sharing such as email and FTP; P2P software used to watch films, surf online, play games, or visit entertainment sites; and FTP, Telnet, and HTTP access.]
•• The Eudemon logs virus and attack events as well as attempts to visit prohibited Web sites or use prohibited applications such as
P2P. The eLog system collects the logs, alerts the administrators, and provides reports.
•• The bypass probe device analyzes mirrored traffic and logs the operations performed on databases, operating systems, or other
resources through FTP, Telnet, and HTTP. The eLog system collects these logs and displays the statistics intuitively.
Global Log Management
[Figure: firewall and UTM devices, Web servers, and other log sources report to the Secoway eLog system. Problems it addresses: lack of a unified log management center; little knowledge of the attack defense status; difficulty in assessing the effects of security; massive logs that are not analyzed; high-speed, massive flow logs that cannot be managed; limited types of reports.]
•• Through customization-based development, the logs of all devices, databases, servers, and hosts are analyzed and managed for data
•• Logs are audited based on the preset security policies and alarm policies.
•• Legal compliance requirements such as Ministry of Public Security Decree No. 82 and SOX are met.
Product Specifications
Log management
■■ Log collection: The Secoway eLog system can collect logs in a complex network environment, for
example from Eudemon firewalls in dual-system hot backup. It collects the logs of various devices in
syslog, SNMP trap, OPSEC, FTP/SFTP, WMI, and JDBC modes without using any agents.
■■ Log categorization and storage: The Secoway eLog system:
•• Categorizes logs by content. Logs can also be divided into online logs, dump logs, and backup
logs by storage time.
•• Encrypts and performs integrity checks on log files.
■■ Log search: The Secoway eLog system:
•• Provides device-specific search conditions and displays the results.
•• Supports background search. Search conditions can be saved in a template for future use.
•• Exports search results into .txt, .csv, or .xls files to facilitate distribution and offline viewing.
Log audit
■■ Policy association: The Secoway eLog system supports user-defined audit policies and alarm methods.
■■ Session association: The Secoway eLog system associates user operations. Specifically, it associates
the operations performed between the login and logout of a user as a session.
■■ Regulatory compliance (audit events): The Secoway eLog system provides diversified reports on user
access, user logins and logouts, login failures, administrative operations, password change and
expiration, audit policy change, and directory access.
Behavior log analysis
■■ Log search and analysis: The Secoway eLog system supports searching for logs by protocol, time
range, source IP address segment, destination IP address segment, user name, operation type,
operation object, or keyword, and generates search reports.
Firewall log analysis
■■ Log analysis: Firewall logs can be searched for by time range, log level, log type, or keyword. The
Secoway eLog system provides refined search for various logs such as NAT logs.
■■ Traffic report: The Secoway eLog system can generate reports on the following traffic:
•• Live traffic
•• Basic traffic
•• Application-specific traffic
•• Interface-specific traffic
•• P2P traffic
•• P2P CLASS traffic
•• P2P user traffic rankings
■■ Log report: The Secoway eLog system can generate the following log reports:
•• Log trend
•• Attack defense
•• Packet filtering ACL triggering rule rankings
•• Packet filtering protocol rankings
•• Content filtering destination IP address rankings
•• Content filtering source IP address rankings
Firewall UTM analysis
■■ IPS: The Secoway eLog system can generate the following IPS reports:
•• Attack behavior rankings
•• Attack event rankings
•• Attack event trends and attack event rankings
You can search for intrusion prevention details by device, time, alarm level, protocol, operation,
source IP address, or keyword.
■■ Mail filtering: The Secoway eLog system can generate the following mail filtering reports:
•• Rankings of source IP addresses that send most emails
•• Email quantity trends
You can search for email audit logs by device, time, filtering type, email protocol, destination IP
address, source IP address, or keyword.
■■ IM monitoring: The Secoway eLog system can generate reports and logs on the use of IM software.
■■ AV: The Secoway eLog system can generate the following AV reports:
•• Ranking of the most frequently detected viruses
•• Ranking of the most infected file types
•• Anti-virus breakdowns
•• Reports showing users who have sent files infected with viruses
•• Reports showing virus distribution periods
■■ URL filtering: The Secoway eLog system can generate the following URL filtering reports:
•• Rankings of the source IP addresses that send most Web site requests
•• Rankings of the most frequently visited sites
•• Rankings of the most frequently visited Web URLs
•• Web visit quantity trends
SIG log analysis
■■ Real-time monitoring of resource usage: You can monitor the current CPU, memory, and disk space
usage of the SIG back-end servers.
■■ SIG log analysis: You can view the logs of the SIG resource usage and the following reports on the
SIG back-end servers:
•• CPU usage reports
•• Memory usage reports
•• Disk usage reports
Alarm management
■■ Alarm response: The Secoway eLog system can alert administrators by email, text message (a GSM
modem is required), sound and light (an alarm box is required), sound (an audible box is required),
or related
You can use the console to monitor current alarms by device, alarm level, or alarm type.
■■ Alarm search: You can search for alarms by device, time range, alarm level, alarm type, or keyword.
The search results are available in .txt, .csv, or .xls files.
■■ Alarm report: You can view the following alarm analysis reports:
•• Alarm quantity trend analysis
•• Device alarm quantity rankings
System management
■■ Device management: The Secoway eLog system manages up to 1000 devices and supports device import
and export in
■■ User right management: The Secoway eLog system defines three roles, namely, administrator, operator,
and auditor. Administrators can define operators and allocate them the rights to manage different
devices.
■■ The Secoway eLog system automatically records device failures and major status changes, so that
the administrator can learn about the operating status of each device.
■■ System information: The administrator can:
•• View the license status.
•• View current information on the key resources (CPU, memory, disk space, and current log
•• Monitor all user sessions and log users off.
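The session association item in the specifications above (operations between a user's login and logout grouped into one session) and the high-risk operation monitoring described under user behavior audit, shown together as an added example rather than eLog's own logic. The pipe-separated probe record format, the sample records, and the `HIGH_RISK` keyword policy are assumptions for the demo. Beyond the plain login-to-logout case, the sample covers the three situations a sessionizer has to decide on: a login that arrives while the same actor's previous session is still open, an operation with no enclosing login (a log gap or an unlogged login, which must be reported rather than dropped), and a session still open when the log ends.

```python
"""Session association and high-risk operation audit (added example, not eLog code).

Assumption: constructed pipe-separated probe records
'timestamp|user|source IP|protocol|event|detail' with event in {login, op, logout}.
"""

# Assumed audit policy: substrings that mark an operation as high risk.
HIGH_RISK = ("rm -rf", "drop table", "delete from", "shutdown")

# Constructed sample: alice wipes audit logs inside a normal session, carol's
# command has no enclosing login, bob's second session is still open.
SAMPLE_PROBE_LOG = """\
2011-08-05 09:00:00|alice|10.1.2.34|telnet|login|
2011-08-05 09:00:10|alice|10.1.2.34|telnet|op|show running-config
2011-08-05 09:02:00|bob|10.1.2.77|ftp|login|
2011-08-05 09:02:30|bob|10.1.2.77|ftp|op|RETR payroll.xls
2011-08-05 09:03:00|alice|10.1.2.34|telnet|op|rm -rf /var/log/audit
2011-08-05 09:03:05|alice|10.1.2.34|telnet|logout|
2011-08-05 09:04:00|bob|10.1.2.77|ftp|logout|
2011-08-05 09:10:00|carol|10.1.2.90|telnet|op|shutdown
2011-08-05 09:11:00|bob|10.1.2.77|ftp|login|
2011-08-05 09:12:00|bob|10.1.2.77|ftp|op|STOR backdoor.php
"""


def parse_records(text):
    """Yield (ts, user, src, proto, event, detail) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split("|", 5)
        if len(parts) == 6:
            yield tuple(parts)


def associate_sessions(text):
    """Group each actor's operations between login and logout into one session.

    Returns (sessions, orphans). A session is closed by 'logout', by a new
    'login' of the same actor ('relogin'), or left 'open' at end of log.
    Operations with no enclosing session are returned as orphans rather than
    silently dropped, since they usually mean a log gap or an unlogged login.
    """
    open_by_actor = {}
    sessions, orphans = [], []
    for ts, user, src, proto, event, detail in parse_records(text):
        actor = (user, src, proto)
        if event == "login":
            prev = open_by_actor.pop(actor, None)
            if prev is not None:
                prev["end"], prev["closed_by"] = ts, "relogin"
                sessions.append(prev)
            open_by_actor[actor] = {"user": user, "src": src, "proto": proto,
                                    "start": ts, "end": None, "closed_by": None,
                                    "ops": []}
        elif event == "op":
            sess = open_by_actor.get(actor)
            if sess is None:
                orphans.append((ts, user, src, proto, detail))
            else:
                sess["ops"].append((ts, detail))
        elif event == "logout":
            sess = open_by_actor.pop(actor, None)
            if sess is not None:
                sess["end"], sess["closed_by"] = ts, "logout"
                sessions.append(sess)
    for sess in open_by_actor.values():
        sess["closed_by"] = "open"
        sessions.append(sess)
    sessions.sort(key=lambda s: s["start"])
    return sessions, orphans


def audit(sessions, orphans):
    """Apply the HIGH_RISK policy; every orphan op is reported regardless of content."""
    alerts = []
    for s in sessions:
        for _ts, detail in s["ops"]:
            if any(k in detail.lower() for k in HIGH_RISK):
                alerts.append((s["user"], detail, "high-risk op in session"))
    for _ts, user, _src, _proto, detail in orphans:
        alerts.append((user, detail, "op outside any session"))
    return alerts


if __name__ == "__main__":
    sessions, orphans = associate_sessions(SAMPLE_PROBE_LOG)
    for s in sessions:
        print(s["user"], s["start"], s["end"], s["closed_by"], len(s["ops"]), "ops")
    for a in audit(sessions, orphans):
        print("ALERT", a)
```

Keying the session on (user, source IP, protocol) rather than on the user name alone keeps two concurrent logins of the same account from different hosts apart, which is exactly the case an auditor wants to see separately.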
Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.
General Disclaimer
The information in this document may contain predictive statements including,
without limitation, statements regarding the future financial and operating results,
future product portfolio, new technology, etc. There are a number of factors
that could cause actual results and developments to differ materially from those
expressed or implied in the predictive statements. Therefore, such information
is provided for reference purpose only and constitutes neither an offer nor an
acceptance. Huawei may change the information at any time without notice.
Huawei Industrial Base
Bantian Longgang
Shenzhen 518129, P.R. China
Tel: +86-755-28780808
Version No.: M3-110019999-20110805-C-1.0