
SLA and LAC: New Solutions for Security Monitoring
in the Enterprise
Bruno Giacometti
IFINET s.r.l., Via XX Settembre 12, 37129 Verona, Italy
b.giacometti@ifinet.it
Abstract. SLA and LAC are the solutions developed by IFInet to better analyze firewall logs
and to monitor network accesses, respectively. SLA collects the logs generated by several firewalls
and consolidates them; by means of SLA all the logs are analyzed, catalogued and correlated based
on rules and algorithms defined by IFInet. LAC allows IFInet to identify and isolate devices
that access a LAN in an unauthorized manner; its operation is totally non-intrusive and its
installation does not require any change either to the structure of the network or to the single
hosts that compose it.
1 Overview
As of today most organizations use firewalls and monitor their networks. The ability
to screen firewall logs in order to identify suspicious traffic is the key to an efficient
use of firewalls and IDS/IPS systems. However, this is a difficult task, particularly when a great amount of logs must be analyzed. SLA is IFInet's approach to
solving this problem. In the same way it is fundamental to monitor internal networks,
but monitoring alone is not sufficient: proactive control of internal networks is
necessary to prevent unauthorized accesses.
2 SLA: Security Log Analyzer
In order to make the monitoring of firewall activity logs more effective, IFInet has created a
proprietary application, called Security Log Analyzer (SLA), which collects the logs
generated by firewalls and consolidates them into a SQL database. With this application
all the logs are analysed, catalogued and correlated based on rules and algorithms defined
by IFInet, in order to identify the greatest possible number of traffic types. SLA points out to
technicians any anomaly or suspicious activity detected and automatically recognizes
and catalogues most of the traffic (about 90%) detected by the firewall, allowing the technical
staff of IFInet to focus on the analysis and correlation of the remaining logs.
Through the use of SLA, control of the perimeter security system is done by analyzing
data relating to traffic, used ports and services, and also through a great variety of
charts that allow IFInet technicians to monitor security events through the analysis of
traffic in a given timeframe, the comparison with the volume of traffic over a significant
reference period (e.g. the previous month) and the detection of possible anomalies. The
chart in Fig. 1, for example, highlights the outgoing traffic, divided by service.
E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 309–315, 2009.
© Springer-Verlag Berlin Heidelberg 2009
springerlink.com
Fig. 1. The outgoing traffic, divided by service
SLA records in a Black List all IP addresses that are carrying out illegal or potentially intrusive activities, on the basis of the rules implemented by the IFInet technicians: from the moment an IP address is added to the Black List, any subsequent
activity is detected in real time by IFInet technicians, who analyze the event and take
immediate action.
With SLA, IFInet technicians can run extremely detailed queries on the log
database and can view in real time only the logs relating to events that
have a critical relevance and therefore represent a danger to the integrity of the Customer's networks and systems.
Fig. 2 shows how, for a customer, SLA highlights many IP scans of its network
and, in particular, indicates that part of this potentially intrusive activity passed
through the firewall, taking advantage of traffic permitted by the security policies. That is,
thanks to the highlighted event the technical staff is able to detect instantly whether a particular external address, which previously performed a host scan (and was therefore added
to the Black List by SLA), has managed to cross the perimeter security system through
a permitted port and reach a system (e.g. a Web server) within the Customer's network.
Selecting the event of interest (the line highlighted by the red rectangle), the technician
can see the details of the abnormal activity.
SLA reports the number of Host Scan attempts against the public IP addresses assigned
to a particular customer: as a further example we can see a Host Scan made towards a
range of 18 addresses.
The technician, selecting the relevant line, can analyze the details of this anomalous activity and, for example, determine that the Host Scan is caused by the Sasser worm,
present on 151.8.35.67.
By means of SLA all intrusive events, or events that otherwise may pose a danger
to the integrity of the customer's network, are promptly notified by email (or
telephone).
Fig. 2. Example of SLA report
This service provides a constant and effective control of all events recorded by the
firewall and allows for a timely intervention in case of critical events.
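The Black List rule described above (a source that host-scans the customer's addresses is black-listed, and any later traffic it gets through the firewall is raised as critical) can be illustrated with a small detector. This is an added example, not SLA's code: the log format, the scan threshold and the window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (a simplified format, not SLA's real schema):
# date time action src dst dport
LOG = """\
2008-03-01 10:00:01 drop 203.0.113.5 198.51.100.1 445
2008-03-01 10:00:02 drop 203.0.113.5 198.51.100.2 445
2008-03-01 10:00:03 drop 203.0.113.5 198.51.100.3 445
2008-03-01 10:00:04 drop 203.0.113.5 198.51.100.4 445
2008-03-01 10:00:05 drop 203.0.113.5 198.51.100.5 445
2008-03-01 10:05:10 accept 203.0.113.5 198.51.100.10 80
2008-03-01 10:06:00 accept 192.0.2.7 198.51.100.10 80
"""

SCAN_HOSTS = 5                      # distinct destination hosts from one source ...
SCAN_WINDOW = timedelta(minutes=1)  # ... inside this window count as a Host Scan

def parse(line):
    date, time, action, src, dst, dport = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, action, src, dst, int(dport)

def analyze(log_text, scan_hosts=SCAN_HOSTS, window=SCAN_WINDOW):
    """Return (blacklist, critical): scanning sources with the time they were
    black-listed, and accepted connections a black-listed source later made."""
    seen = defaultdict(list)   # src -> [(ts, dst), ...]
    blacklist = {}             # src -> ts of black-listing
    critical = []              # (ts, src, dst, dport) accepted from a black-listed src
    for line in log_text.splitlines():
        ts, action, src, dst, dport = parse(line)
        if src in blacklist and action == "accept":
            critical.append((ts, src, dst, dport))  # the Fig. 2 situation
            continue
        seen[src].append((ts, dst))
        recent = {d for t, d in seen[src] if ts - t <= window}
        if len(recent) >= scan_hosts and src not in blacklist:
            blacklist[src] = ts
    return blacklist, critical

def traffic_by_service(log_text):
    """Accepted connections per destination port (cf. Fig. 1, traffic by service)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        _, action, _, _, dport = parse(line)
        if action == "accept":
            counts[dport] += 1
    return dict(counts)
```

Running `analyze(LOG)` black-lists 203.0.113.5 after its fifth distinct target and then flags its accepted connection to port 80 as the critical event a technician would examine.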
3 LAC: LAN Access Control
LAC (LAN Access Control) is the solution that allows IFInet to identify and isolate
devices (PCs and other network equipment) that access a LAN in an unauthorized
manner.
Unlike many systems currently on the market, the operation of LAC is totally non-intrusive and its installation does not require any change either to the structure
of the network or to the single hosts that compose it. LAC therefore prevents unauthorized devices from accessing the corporate network. Access is allowed only after certification by an authorized user (e.g. the network administrator).
LAC can operate in two modes: active and passive. In passive mode (the default)
all the hosts on the network segment to which LAC is connected are detected. In active mode the hosts that are unauthorised are virtually isolated from the corporate
network. LAC therefore enforces the following rules:
• The organization's hosts and equipment are allowed to use the network without any
kind of limitation;
• Guests are allowed to access the network after authorization, but only for a limited
amount of time and using certain services (e.g. Internet navigation and e-mail);
• All other hosts should not be able to connect because they are not authorized.
Finally, LAC has the following key aspects:
• Safety: identifies and isolates devices (PCs and other network equipment) that access a LAN in an unauthorized manner
• Ease of management: LAC acts in an entirely non-intrusive way and does not require any
changes either to the structure of the network or to the individual hosts that make up the
network itself
• Guest users management: total control over how and what guests are allowed to do
• Important features: census of the nodes of one or more LAN / WLAN or
wireless networks, isolation of unauthorised hosts, control of professional services, reporting
tools and alerting
Main features of LAC are:
1. Census of the LAN nodes. When LAC runs in passive mode, it records all hosts
detected on the network in a database. In particular, it keeps track of the hosts' IP and MAC addresses. In order to detect all the hosts it is necessary that LAC keeps
running for a variable amount of time, depending on how often hosts access the
network. An example of this detection is shown in Fig. 3.
2. Isolation of unauthorized hosts. Used in active mode, LAC performs a virtual isolation
of all non-authorized hosts: once isolated, a host can no longer send / receive data to / from
any other host except LAC.
3. Host detection. One interesting piece of information about a detected host is its
physical location within the organization. LAC detects the switch port to which the
unauthorized host is physically connected. This feature works only if the network switches in use support SNMP. In fact, all the network switches
(included in the LAC configuration) are interrogated using specific SNMP queries.
4. Managing guest users. An organization is often visited by external staff
who require a network connection for their notebook and the use of certain services (e.g.
Internet navigation and e-mail). In the case of network access without any authorization, LAC detects the new host and considers it unauthorized on the network.
The guest, however, if in possession of appropriate credentials (e.g. supplied by
staff at the reception) can authenticate to unlock the PC and use the enabled services. When proceeding with a new host registration, you can ask LAC to generate
a new user (or to edit an existing one), to generate access credentials (username
and password) and to set their validity time. Using this information the staff,
through a specific web interface, can enable or unlock the desired location. Guests
only connect their PC to the network, browse to the LAC web page and insert the
provided credentials. As an optional feature, the system administrator can choose
from a list the protocols that the host can use once authenticated. This makes it
possible to limit the resources available on the network and thus have effective control over the allowed activities.
5. Reports. LAC provides a series of reports that allow the administrator to analyze
network access data, also with graphs, based on several criteria: e.g. MAC address,
IP address, usernames, denied accesses, enabled accesses, average duration of accesses, etc.
6. Alerting. LAC records all the collected events in a database and is able to send
all the information (necessary to control access to the network) to the network administrator via email, SMS or the administrative GUI, as shown in Fig. 4.
Fig. 3. Census of the LAN nodes
3.1 Sure to Be Safe?
Organisations with an information system, whether public or private, certainly have a network infrastructure that enables the exchange of information and teamwork.
The corporate network is realized in most cases according to the Ethernet standard,
which combines speed and reliability with very limited cost. It is very easy, in fact, to
attach a device to an Ethernet network. For the same reasons, however, this network is
exposed to a very common kind of "violation", definable as "physical intrusion", and this
can happen through a spare RJ45 socket, the network cable of a detached device, a switch
or hub port, etc.
If an attacker hooks his laptop to an access point of an Ethernet network, the PC
becomes part of the network and can therefore access its resources and even compromise the security of corporate data and information. It therefore becomes extremely
important to recognise immediately the moment when an unauthorized host accesses
the network, preventing it from using the resources of the network itself. At the same time it is
important to ensure the normal operation of the network for all allowed hosts, i.e. a
commercial agent or an external consultant ("guest" user) who needs to connect their notebook to the network to use its resources.
3.2 LAC Architecture
LAC therefore takes care of ensuring compliance with the rules of network access
and of protecting the integrity and safety of corporate data.
LAC is a software solution that consists of a set of applications running on a
Linux-based system, composed of the following elements: Web administration interface, Core program (LAC), Database for user management, Database for information
recovery, appliance equipped with 3 / 6 interfaces to manage up to 3 / 6 LAN / VLAN
(optional).
Fig. 4. Alerting
3.3 LAC Operational Modes
LAC can operate in two modes: active and passive. In passive mode (the default)
all the hosts on the network segment to which LAC is connected are detected. In active mode, however, the unauthorised hosts are virtually isolated from the network.
Each node on the network can be in one of the following statuses: unauthorized, authorized, authorized with authentication, address mismatch. In the unauthorized status, a
host is virtually isolated from the network. This prevents the host from transmitting
and receiving data. In the authorized status a host receives no treatment by LAC and its
operation is normal.
A user of an unauthorized host may authenticate to LAC; if successful, LAC
revokes the unauthorized status and grants an authorized status for a
limited amount of time. This status is called "authorized with authentication". When
the authorization time expires, the host reverts to the unauthorized status.
LAC is able to detect changes in the IP address of a host and addresses the potential anomaly by assigning the address mismatch status to that host.
The management of the status and time validity of users is entrusted to LAC, which
is responsible for allocating a status to each host and for changing the status of a host at any time.
The credentials to authenticate a user (in case the administrator should unlock a
client, enabling its access to the network) are generated by LAC on behalf of the
administrator.
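The status model of Sect. 3.3 (the four node statuses, time-limited guest authentication that reverts to unauthorized, and address mismatch on an IP change) can be written down as a small state machine. This is an added example and not LAC's own code: the class and method names, the use of plain integer timestamps, the guest credential table and the MAC addresses are constructed assumptions.

```python
import hmac

# The four node statuses named in Sect. 3.3.
UNAUTHORIZED = "unauthorized"
AUTHORIZED = "authorized"
AUTHENTICATED = "authorized with authentication"
MISMATCH = "address mismatch"

class LacStatus:
    """Census and status tracking for one segment (added illustration, not LAC's code).
    allowed_macs: the organisation's equipment; credentials: username -> (password, seconds)."""
    def __init__(self, allowed_macs, credentials):
        self.allowed = set(allowed_macs)
        self.creds = dict(credentials)
        self.hosts = {}  # mac -> {"ip": ..., "status": ..., "until": expiry or None}

    def observe(self, mac, ip, now):
        """Passive-mode census: record a seen host; an IP change becomes address mismatch."""
        h = self.hosts.get(mac)
        if h is None:
            status = AUTHORIZED if mac in self.allowed else UNAUTHORIZED
            self.hosts[mac] = {"ip": ip, "status": status, "until": None}
        elif h["ip"] != ip:
            h.update(ip=ip, status=MISMATCH, until=None)
        return self.status(mac, now)

    def authenticate(self, mac, username, password, now):
        """Guest login: valid credentials lift the unauthorized status for a limited time."""
        h = self.hosts.get(mac)
        cred = self.creds.get(username)
        if h is None or h["status"] != UNAUTHORIZED or cred is None:
            return False
        if not hmac.compare_digest(cred[0].encode(), password.encode()):  # constant time
            return False
        h.update(status=AUTHENTICATED, until=now + cred[1])
        return True

    def status(self, mac, now):
        """Current status; an expired authentication reverts to unauthorized."""
        h = self.hosts[mac]
        if h["status"] == AUTHENTICATED and now >= h["until"]:
            h.update(status=UNAUTHORIZED, until=None)
        return h["status"]

    def isolated(self, mac, now):
        """Active mode: only the unauthorized status is virtually isolated; the page does
        not say how a mismatch is treated, so here it is only reported (assumption)."""
        return self.status(mac, now) == UNAUTHORIZED
```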
3.4 LAC Requirements
The requirements for the operation of LAC are briefly listed below:
• Ethernet network
• IP version 4 network protocol
• A network access for LAC on the network segment (LAN or VLAN) to monitor/control
4 Conclusion
We have analyzed how a network can be proactively protected and the results have
been used to implement SLA and LAC. With SLA and LAC it is possible to identify
and block suspicious and potentially dangerous network traffic.
Future development of SLA will focus on two major areas: real-time analysis of the
monitored devices in order to identify suspicious traffic as soon as it enters the perimeter, and correlation of firewall logs with logs originating from other security devices,
e.g. antivirus. LAC will also correlate information from the Ethernet network with information from other devices, e.g. 802.1x switches or network scanners, in order to enforce
a finer-grained control on the network.