DANA RACINE KNOWS FIRSTHAND the difficulty of overseeing a gargantuan computer network. The senior network engineer at the Office of Consumer Affairs and Business Regulation with the Commonwealth of Massachusetts, Racine administers a network of about 1,200 different devices spread across 10 sites. These devices include about 55 servers, more than two dozen routers, some 30 switches, and more than a thousand PCs. Protecting this network are a multitude of other devices, including Cisco routers and PIX firewalls, Checkpoint firewalls, and antivirus solutions. Some of the remote PCs that connect to the network through a virtual private network, or VPN, have personal firewalls installed. All of these devices are logging data that could be critical in detecting intrusions. But making sense of that mass of data, and looking for significant patterns that could indicate security problems, presents a daunting challenge for any large company.
Border control. Protecting a computer network is the corporate version of homeland security. Potential visitors in the form of data packets line up at the border; most are innocuous, but some harbor malicious intent. Firewalls and routers act as immigration inspectors, checking the credentials of these visitors and turning away those who are unauthorized. But faced with limited resources, these inspectors cannot identify every visitor with malicious intent; spending too much time on each inspection means the line at the border crossing will grow intolerably long.
So when visitors who want to do harm manage to make it across the border, it's up to intelligence agents to carefully collect all available information from across the network and send it to a central location, where it can be correlated and analyzed to help locate and neutralize these malicious visitors before they carry out their destructive acts. However, just as this poses challenges in the physical world of espionage and terrorism, it raises problems in the virtual world.
The data challenge. Intrusion detection sensors and gateway firewalls are the primary intelligence agents collecting information about network security, but not the only ones. As seen in the previous example, many organizations also install personal firewalls on individual computers to protect workstations. These software protectors compile information about the data traffic in and out of each workstation. Antivirus products and vulnerability assessment products, as well as hardware such as routers and switches, also collect data that can be useful in finding and stopping network attacks.
The variety of products sending data for analysis creates numerous challenges for network security administrators. For example, each device has its own administrative tools, and each sends data using different transport mechanisms, protocols, and record formats. These devices also generate a tremendous amount of data, so it is no longer feasible for a manager to go through the logs by hand to interpret and analyze them. What's more, the data is not simple to understand; a single firewall log entry, for example, includes the source and destination IP (Internet protocol) addresses, the port the traffic arrived on, the protocol, and whether the connection was allowed or denied. Even if an administrator had time to read every one of these entries, spotting a suspicious pattern spread across thousands of them, and across several devices with different formats, would be almost impossible.
SIM solutions. Security information management (SIM) systems offer companies one possible way to deal with a deluge of data. These products are available from a range of vendors (including the author's company). They run on different operating systems, offer various types of analyses, and work with different network types.
The downside is that these products can be expensive; depending on the size of the network, some can cost from $500,000 to more than $1 million. …