LANguard S.E.L.M.

LANguard's Security Event Log Monitor (S.E.L.M.) is a Host-based Intrusion Detection System with a difference. Firstly, it does not rely on agent software on the hosts being monitored, and secondly, it monitors the Windows NT/2000 event logs only.

Windows NT/2000 provides the means to record all security-related events in its Security Event Logs. Logon activity, failed logons, supervisor activity, file access: they can all be logged in the Security Event Log. Unfortunately, there are a number of problems that make this data less than useful:

Configuration: None of this data is recorded by default. It is the responsibility of the administrator to establish an audit policy and specify which events should be monitored. Novice administrators are rarely up to this task.

Reactive: There is no real-time monitoring or alerting capability built into the operating system. This means that critical security events can often remain unnoticed until an administrator decides to check the log files.

Lack of analysis: There are no reporting or analysis tools built into the operating system, making correlation of events extremely difficult. The only tool available for examining events is the Windows Event Viewer, a rudimentary tool offering very basic viewing facilities and little else. Likewise, there is no means to consolidate alerts from multiple machines; each log file is stand-alone. Finally, there is no automatic archival capability.

Lack of detail: Each event in the Security Event Log is assigned a cryptic numeric code rather than a meaningful description. Nor is there any detail on the possible cause of the alert. This makes analysis difficult for the inexperienced administrator.

LANguard S.E.L.M. provides the means to monitor multiple Security Event Logs around a corporate network in real time, providing instant notification of critical security events.
Configuration and management is performed from a central console, as is log consolidation and detailed analysis. LANguard S.E.L.M. works by retrieving, in real time or on a scheduled basis, all the events from the server and workstation event logs. It then analyses each event and determines its security level, alerting the administrator when necessary (depending on how critical the event is). All events are then archived automatically, offering subsequent centralised reporting and reviewing of security events.

LANguard S.E.L.M. consists of the following modules:

Collector Agent: This module retrieves all the events from the remote hosts being monitored. The Collector Agent is a high performance service that can retrieve events from many computers using an advanced scheduling algorithm based on computer security levels. It is not necessary to install this on each host to be monitored; a single, central Collector Agent is required, and this uses native Win32 APIs to collect security events from other computers on the network.

Alerter Agent: This module alerts the administrator to security events. Alerts can be transmitted via email, SMS or pager (using an email-to-SMS or email-to-pager service).

Archiver Agent: This module saves each and every event record which is read and processed by the LANguard S.E.L.M. Collector Agent to a centralised database back-end, which can either be an MS Access database or an MS SQL Server. Storage in a standard database format allows the administrator not only to use the built-in reporting capabilities, but also third-party reporting tools such as Crystal Reports.

Event Viewer: The LANguard Event Viewer combines all features found in the standard Windows Event Viewer, but adds much more advanced searching, filtering and event management options, providing increased scope for detailed analysis (especially since LANguard events provide much more detail than standard Windows events).

LANguard S.E.L.M. Configuration: This module allows the administrator to configure which machines are to be monitored, as well as set the operational parameters for the other LANguard S.E.L.M. components.

LANguard S.E.L.M. Reporter: This module allows the administrator to create numerous reports based on the events which have been collected and processed by the Collector Agent.

Microsoft's Message Queue technology is used to maintain high performance communication between the internal components of LANguard S.E.L.M. As with any other Host-based IDS, LANguard S.E.L.M. is not impaired in its operation by the use of high-speed switching infrastructures or the use of encryption across the network. In fact, LANguard benefits greatly from the fastest LAN possible, since the faster the connection, the faster the log retrieval.

Depending on the components already installed on your network (LANguard requires at least MMC 1.2, IE 5, MDAC 2.5 and Microsoft Message Queuing Services (MSMQ) in order to operate), the installation of LANguard S.E.L.M. can be extremely straightforward. Most users of recent Microsoft operating systems will find that MSMQ is the only item that needs to be installed, and this is covered in plenty of detail in the excellent documentation. Having covered the preliminaries, the installation of LANguard S.E.L.M. itself is quick and simple, since it involves only a single, central console. During installation, the administrator is taken through an initialisation wizard, at the end of which the product is ready to begin collecting event log data. Before that can happen, of course, it is necessary to configure each host with a security policy that specifies which events and objects should be logged. Auditing can be set to monitor both operating system events (logons and logoffs) as well as individual object accesses. An object in Windows NT/2000 is anything from a file system object to a registry key to a printer.
It is thus possible to monitor critical programs such as cmd.exe, net.exe, tftp.exe and ping.exe for use in unusual circumstances (successful access attempts, failed access attempts, or both can be monitored). For example, when an attacker runs cmd.exe using the UNICODE exploit, it is actually run by the Internet Guest Account (IUSR_machinename). On the other hand, a successful buffer overflow exploit may leave an attacker running cmd.exe as the SYSTEM account. Since neither of these users should legitimately be running cmd.exe, LANguard can log such events and inform the administrator immediately. Once again, the excellent documentation takes the administrator step-by-step through configuring an appropriate audit policy and applying it to a large number of workstations and servers across a corporate network. In an NT4 environment, this can be a painful and laborious process. Administrators of Windows 2000 networks using Active Directory, however, can simplify this process by using Group Policies.

Everything in LANguard S.E.L.M. is controlled from the Configuration MMC snap-in module. The first task is to select the hosts that will be monitored by LANguard, and this can be done by entering IP addresses directly or by browsing the network. For each host monitored, it is possible to set a normal operational time, a notional security level (high, medium or low, where a domain controller might be high and a user workstation low), a scanning schedule, and whether the event logs on the host should be purged after they are transferred.
The scanning schedule can be "real time" (i.e. every five seconds) or at longer intervals, and every machine can have an individual schedule. This is useful, since a balance needs to be struck between operational efficiency and network resources: every machine on the network transferring log files every five seconds might well create a Denial of Service attack of its own! With individual schedules, however, it is possible to have critical machines (such as domain controllers or key eCommerce servers located in the DMZ) scanned every few seconds, and low priority user workstations scanned once or twice a day.

The Event Categorisation Rules are the heart of the LANguard S.E.L.M. security policy, since they specify how a combination of time, host security level and event ID will be treated: whether the resulting alert will be allocated a Critical, High, Medium or Low status, and whether the administrator should be notified immediately or the event simply recorded for later analysis. Different sets of rules are provided for domain controllers, servers and workstations, and for NT4 and Windows 2000. The same event can thus be interpreted differently depending on the role of the host and the operating system installed. Sensible default policies are provided out of the box, but it is a very straightforward matter to amend these to suit individual requirements.
An example of where these distinctions are important is in the case of network logons. When a connection is made to a computer over the network (to access a shared folder, for example), Windows 2000 logs event ID 540, but NT4 logs event ID 528 with logon type 2. Network logons to domain controllers and servers are obviously a common occurrence and shouldn't be regarded as suspicious during normal working hours. However, in a network with centralised servers, users would not normally access resources on other workstations, and consequently the same event on a workstation could be regarded as suspicious. Thus a combination of the security level of the host, the time of day, the operating system and the event ID are brought together intelligently by LANguard S.E.L.M. in order to make an informed decision on whether a suspicious activity is in progress.

The only real means of instant alerting is via e-mail (SMS and pager alerts are provided via the appropriate e-mail gateways). It would be nice to see Winpopup message and SNMP alerting capabilities added to the product. Low priority alerts are simply recorded in the central database for later reporting and analysis purposes.

In normal operation, the Collector Agent uses the scanning schedule to determine how often it needs to retrieve the security event log entries from each machine it is monitoring. As it retrieves the event log entries, it compares each one with the Event Categorisation Rules in order to determine the severity of the alert and takes the appropriate action. Once this has been completed, it simply moves on to the next host, and continues in a loop until the Collector Agent service is stopped or until the central console host is shut down. Clearly it does not matter if the central console is unavailable for any length of time (except that critical alerts may not be raised immediately), since all events are stored in the individual security event logs until the Collector Agent operation is resumed.
A well-orchestrated attack on a poorly configured system could conceivably gain administrator authority on the computer and clear the log before LANguard's next scheduled collection. However, Windows faithfully records a specific (and non-deletable) event whenever the log is cleared (even if auditing has been disabled), which is classified by S.E.L.M. as a critical event on all types of computers by default.
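As an added illustration of the Event Categorisation Rules described above (example code written for this review, not GFI's own, and not part of the original article), the following Python sketch classifies constructed event-log entries by host security level, operating system, event ID and time of day, and treats the log-cleared record and watched programs accessed by the Internet Guest Account or SYSTEM as critical. The 08:00-18:00 working-hours window, the host names and the event IDs 517 and 560 are assumptions, not values from the page.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional
WATCHED_PROGRAMS = ("cmd.exe", "net.exe", "tftp.exe", "ping.exe")  # programs the review suggests auditing

@dataclass
class Event:
    computer: str
    role: str                  # notional security level of the host: "dc", "server" or "workstation"
    os: str                    # "nt4" or "w2k"
    event_id: int
    user: str
    when: time                 # time of day the entry was logged
    logon_type: Optional[int] = None
    obj: Optional[str] = None  # audited object; here the program image that was accessed

def is_network_logon(e: Event) -> bool:
    # Windows 2000 logs a network logon as event 540; NT4 logs 528 with logon type 2
    return (e.os == "w2k" and e.event_id == 540) or \
           (e.os == "nt4" and e.event_id == 528 and e.logon_type == 2)

def unexpected_account(e: Event) -> bool:
    # the Internet Guest Account (IUSR_<machine>) and SYSTEM should never be running these programs
    return e.user.upper().startswith("IUSR_") or e.user.upper() == "SYSTEM"

# Rules: (name, severity, notify immediately?, predicate); tried in order, first match wins.
# Assumed working hours 08:00-18:00. Event ID 517 (the NT/2000 "audit log was cleared" record)
# is general Windows knowledge, not a value taken from the review.
RULES = [
    ("audit log cleared", "Critical", True, lambda e: e.event_id == 517),
    ("watched program used by guest/service account", "Critical", True,
     lambda e: e.obj is not None and e.obj.lower() in WATCHED_PROGRAMS and unexpected_account(e)),
    ("network logon to a workstation", "High", True,
     lambda e: is_network_logon(e) and e.role == "workstation"),
    ("network logon to a server out of hours", "Medium", False,
     lambda e: is_network_logon(e) and e.role != "workstation" and not (time(8) <= e.when < time(18))),
    ("network logon to a server in working hours", "Low", False,
     lambda e: is_network_logon(e) and e.role != "workstation"),
]

def categorise(e: Event):
    """Return (severity, notify, rule name) of the first matching rule, else Unclassified."""
    for name, severity, notify, pred in RULES:
        if pred(e):
            return severity, notify, name
    return "Unclassified", False, None

# Constructed sample entries from one collection pass (560 is the NT/2000 object-open event)
SAMPLE = [
    Event("DC01", "dc", "w2k", 540, "alice", time(10, 15)),
    Event("WS17", "workstation", "nt4", 528, "bob", time(14, 0), logon_type=2),
    Event("FILE02", "server", "w2k", 540, "carol", time(2, 30)),
    Event("WEB01", "server", "w2k", 560, "IUSR_WEB01", time(11, 5), obj="cmd.exe"),
    Event("DC01", "dc", "nt4", 517, "Administrator", time(23, 40)),
]
```

Calling `categorise` on each entry of `SAMPLE` yields Low, High, Medium, Critical and Critical in turn; the same 528/type 2 record on a Windows 2000 workstation stays Unclassified, because there it is an interactive logon rather than a network one.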
It is important that the maximum size of log files and the collection intervals are set such that the possibility of log files filling (and therefore losing valuable entries) is minimised.

Note that transmissions between the Collector Agent and the hosts being monitored are performed using native Win32 API calls and are not encrypted in any way. LANguard S.E.L.M. is thus not suitable for running across a public network without secure third-party encryption in place (recent Windows operating systems include VPN capabilities, of course). GFI recommend that LANguard is not run across slow WAN links anyway, preferring instead that a separate LANguard S.E.L.M. Collector Agent be installed at each site.

By deploying LANguard S.E.L.M. to monitor all workstations, member servers and domain controllers, it is relatively easy to obtain a comprehensive picture of network activity. In an enterprise-wide deployment, LANguard S.E.L.M.'s default rules flag numerous potentially suspicious activities, including:
The intelligent processing of security log events is only part of the LANguard S.E.L.M. story. One of the biggest problems with Windows event logs is the lack of any useful means of reporting and detailed analysis. One major improvement with LANguard is the replacement of the Windows Event Viewer with the LANguard S.E.L.M. Event Viewer. Actually, it does not replace it, since the Windows Event Viewer is still available for use, though no one is likely to use it once the S.E.L.M. Event Viewer is installed (although S.E.L.M. can write events back to the individual local event logs should this be required).
Although it looks very similar to the Windows Event Viewer, the S.E.L.M. Event Viewer offers numerous improvements. The first is that it presents all of the fields comprising each event in column format, thus allowing searching, filtering and sorting on the contents of event log entries. In addition, a hierarchical tree view of the event log entries is available providing views by severity level: Critical, High, Medium, Low, Unclassified and all levels. New nodes can easily be added to this hierarchical view to provide filtered views of the event log, filtering on any of the event data fields such as date, time, type, user, computer, security level, and so on. The biggest difference offered by the S.E.L.M. Event Viewer, however, is the amount of additional information provided about each event. In addition to the usual date, time, computer details and purely numeric event ID, we are now offered a full description of the event (corresponding to the event ID), possible causes, and recommendations. This instantly makes the event log a much more useful tool. Complex queries can also be applied to virtually all the information which is carried within an event record, thus increasing the forensic analysis capabilities of the administrator.
For a more detailed analysis of events, the LANguard S.E.L.M. Reporter provides a large number of pre-defined reports, including:

User-based reports: failed, successful or first logon events, ranking users with the highest number of generated events on top.

Machine-based reports: displaying events generated on particular machines per user, such as user logons, account lockouts, object access and account activity.

The Reporter window is divided into two panes. The left pane displays the report types, such as user reports in percentages, first/last day user event reports, computer event reports, and computer event reports in percentages. Report types are similar to templates on which individual reports are based. For example, all reports generated under the type User Reports In Percentages will have a similar layout. However, any number of reports can be created under the same report type, each with different settings such as different periods, different events, and so on. Individual reports are listed under the report type branches in a hierarchical tree format, but initially these will be empty. The right pane displays the contents or properties of the item selected in the left pane. As reports are run, the report output is also displayed in the right-hand pane, and the properties (report contents, reporting period, and so on) are saved for future use, allowing the same report to be easily run over and over again. The report output is clear and easy to read, and bear in mind that since the S.E.L.M. data is stored in a SQL database it is also possible to use third-party reporting tools to create completely custom reports if required.

Although LANguard S.E.L.M. itself is incredibly easy to install and configure, the initial configuration of the network to support the required auditing policy may be more problematic for the novice administrator, particularly where the advantages of Active Directory Group Policies cannot be realised.
It is also vitally important to ensure that the S.E.L.M. installation itself is secure and that log file sizes and collection intervals are optimised to prevent excessive network traffic and the possibility of lost data due to log files filling to capacity. However, once these issues have been dealt with, the daily operation of LANguard S.E.L.M. is virtually idiot proof. Any number of individual event logs can be retrieved from around the network using a customised collection schedule, and the events within those logs examined and compared against a set of rules. This allows LANguard S.E.L.M. to apply an intelligence to event log processing that has been missing until now. In addition to intelligent classification of security events and real-time alerting, however, S.E.L.M. also provides automated archival and analysis tools, with far more detail being provided to the administrator via the LANguard S.E.L.M. Event Viewer and Reporter than has ever been available via the standard Windows tools. For the first time, the Windows administrator can perform detailed analysis of Windows security event logs, as well as gaining an instant appreciation of the severity of events thanks to much more detailed and understandable event descriptions coupled with real-time alerts.

Company: GFI Software Ltd.