This article can also be found in the Premium Editorial Download "Information Security magazine: Trustworthy yet? An inside look at what's changed after a year of Microsoft Trustworthy Computing."
Download it now to read this article plus other related content.
As a Windows-centric security information management (SIM) solution, NetIQ's Security Manager works well in homogenous Windows networks, offering enterprises an efficient means of monitoring security and network devices, correlating and analyzing event data, and updating policies and configurations.
Where Security Manager falls short is in its lack of support for non-Windows applications and devices. NetIQ added agents for a short list of "leading" security and networking devices, leaving many non-Windows platforms unsupported. With some finesse, admins can port logs to Security Manager for analysis, but that involves a cumbersome process and detracts from the SIM's ability to do real-time security management.
In the right environment, though, Security Manager does a good job of fulfilling its role. More than just an event correlation engine, the centralized console is a performance monitor, a policy compliance checker and an information archive.
For version 4.1, NetIQ added an enhanced incident-management console, better installation tools and documentation, and improved agent deployment wizards. This makes Security Manager easily deployable and manageable by even novice admins.
Behind Security Manager's centralized management console lays five basic components: Log Manager, Host Intrusion Detection, Firewall Monitor, IDS Monitor and Antivirus Monitor. These components work in similar ways, correlating events and distilling raw data into understandable, usable information.
Each component is capable of doing trending analysis and forensics reviews, which give organizations a better understanding of the threats posed to their networks. More importantly, they can generate real-time alerts, either for individual incidents (as defined by policy) or aggregated trends (based on multiple indicators from different devices).
NetIQ says it can collect logs from nearly any device, but testing revealed that Log Analyzer is pretty much limited to Windows-oriented devices. The only IDS it supports out of the box is Internet Security Systems' RealSecure. Likewise for firewalls: only Check Point's FireWall-1 and Cisco's PIX are supported natively. And while it covers Network Associates, Symantec and Trend Micro antivirus solutions, the absence of other major AV players (especially in enterprise environments) is noticeable.
Deployment Is a Whiz
For my test bed, I used a Windows 2000 server running on a standard box with a 700 MHz AMD Athlon processor and 256 MB RAM. The minimum recommendation is much lower, but a dual 450 MHz Pentium or Athlon setup is recommended for organizations that record more than a million events daily. Events can chew up disk space, so at least 5 GB is needed; preferably a RAID array with multiple spindles.
After walking you through a brief Web-based overview and installation guide, the Verify Prerequisites wizard checks the system to see if it meets the minimum operating requirements. The wizard showed me that I needed to reconfigure some system settings and add supporting applications. I had to resize the MSDTC log file and install SQL Server.
The Deployment wizard makes the installation of agents quick and simple. Admins only have to input the targets' domain and name. A minor annoyance with the wizard is that it doesn't save a previously used domain name. To its benefit, though, the wizard is excellent at explaining each step of deployment. Communications between Security Manager and its agents are encrypted using 56-bit DES (a new key pair is generated every session or every five minutes, which makes up for the use of a weaker key).
Agents can also be installed manually by locally logging into a box. Manual installation may be required for devices outside the firewall or for firewalls running in stealth mode.
Multiple Monitoring Methods
The Monitor Console is primarily used for monitoring activity, editing rules and changing configurations. Based on the Microsoft Management Console (MMC) interface, it employs a left-hand pane with a tree view and a right-hand pane with detailed information. The MMC isn't my favorite interface, since it's not able to show multiple windows simultaneously.
Complementing the Monitor Console is Web Console, which is a customizable Web-based interface that provides admins with event and alert information. The difference between the two interfaces is that Web Console only provides information about specific devices, and doesn't allow you to push policies or update configurations.
Within the Monitor Console, current and saved views can be used to parse a sea of data into bite-sized pieces. With more than 200 prewritten views, it's fairly easy to get from "Let's look at all RealSecure alerts from these servers" to a granular report. Alerts contain plenty of information, including the alert time, the source machine's ID, an alert's status (if it's new or if it has been resolved) and a description. Security Manager comes with a knowledge base that provides summary information, helping admins understand an alert and how to resolve it. You can add information gathered through extended use of Security Manager to your knowledge base.
Basic But Limited Reporting
Security Manager uses a backend SQL Server with a Microsoft Access frontend. Getting reports proved to be almost a no-brainer with the 70 or so prebuilt queries.
Security Manager includes reports for auditing systems configuration and management, the status of remote machines, and user and access rights. The application also reports on its own status, making it easier to diagnose usage stress from workload to configuration changes.
Security Manager's reporting is basic. Despite NetIQ's purchase of WebTrends and its Web reporting software, its reports are visually boring and lack high-end tools for slicing and dicing data.
NetIQ says it's working on integrating support for Online Analytical Transaction Processing (OLAP) cubes on SQL Server. While not critical to most users, OLAP may be necessary for larger enterprises that need to quickly sort through data. Moreover, there's no support for Unix-based databases, such as Oracle.
The reliance solely on SQL Server contributes to ease of deployment and use, but is indicative of the Windows-centric focus inherent in Security Manager.
Needs More Support
NetIQ makes it easy for Windows shops to deploy Security Manager. Its centralized change control function allows admins to specify a change in one place and have the changes propagated to each machine in a group. This reduces the need to touch each device and limits the likelihood of introducing configuration discrepancies.
Support for PIX and Solaris increases Security Manager's range beyond homogeneous Windows environments, but doesn't go far enough. Conspicuously absent is support for many popular devices, such as Red Hat or other Linux servers.
Lacking support for non-Windows apps, users may be forced to collect logs in two places and then port and integrate them into Security Manager for correlation. Users of the Enterasys Networks' Dragon IDS or NetScreen firewalls, for instance, will find the lack of native agents disappointing.
Those with hardware that's not natively supported by Security Manager's agents can send alert information via SNMP, but there's no support for SNMPv3. NetIQ says its adding SNMPv3 support and creating a broader range of agents.
For Windows shops, Security Manager is a painless and relatively inexpensive way to add centralized event monitoring and correlation. Most features can be used out of the box, and the use of wizards and easy-to-understand documentation makes deployment a snap. For non-Windows environments, you may want to look elsewhere.
About the author:
Scott Sidel, CISSP, is a technical editor for Information Security and senior security engineer with Computer Sciences Corp.
This was first published in April 2011