Category: Firewall log-analysis tool
Name of tool: NetWatchman
Company name: Lawrence Baldwin myNetWatchman.com
Price: Free for the downloading
Platforms supported: Browser based, runs on various Windows and Unix platforms
Strom-meter: *** = Hey, not bad. One notch below very cool
Key features: Firewall incident aggregator and attack notification service
Pros: Simple and easy to use; powerful and versatile
Cons: Not all firewalls are supported -- see below for details.
Description:
If you run an enterprise network, you probably keep a very close eye on your firewall logs as just one of many security precautions. These logs usually tell you when your network has been compromised, and careful analysis can yield all sorts of information such as the type of attack, the location of the attacker (or at least a range of IP addresses which may or may not be valid) and other valuable information.
But what happens when your domain isn't a single office, but a bunch of distributed domains that are geographically diverse, such as a bunch of telecommuters who are using their own cable modems and low-end firewalls and access devices? You probably stay up nights worrying that if anyone tried to penetrate your network from these remote
Maybe you haven't thought about this, and you should. If your remote workers are connecting into your corporate network from home, they should be subject to better monitoring and analysis tools. Luckily, Lawrence Baldwin's myNetWatchman.com has come to your rescue.
This service, which combines Windows- or Unix-based agent software with various Web-based analysis tools, reads your firewall's access logs and forwards the relevant events to a central place. The service then sorts through what it receives and tries to match patterns across the log events it has collected. When it finds something, it sends you e-mail warning of a potential attack. Of course, the computer you run the agent on must stay powered up; otherwise the whole service is useless.
Summary statistics are available on the company's Web site. This way, you can tell -- for example -- if a hacker is scanning across a wide swath of the Internet and using some kind of attack tool to look into, or even break into, a bunch of networks. Not surprisingly, when I last examined the Web stats, the cable companies had the most frequent reports of potential attacks in progress. This should be a lesson for anyone who is connected to the Internet via a cable modem: Do so without any protection at your own peril, because those networks are ripe areas for hackers to scan and try to penetrate your machines.
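To make the agent-plus-aggregator idea concrete, here is an added example in Python. It is my own illustration, not myNetWatchman's agent or server code, and everything in it is constructed: the log line format, the three telecommuter site names, the addresses (from the documentation ranges) and the alert thresholds are all hypothetical. Each site's agent normalises its firewall's blocked-connection lines into a common event, the central aggregator pools those events by source address, and a source that reaches several distinct sites, or sweeps many ports at one site, inside a short time window produces the kind of alert the service would mail out. It goes slightly beyond the review in that it distinguishes a wide scan across many reporters (the pattern the summary statistics reveal) from a port scan against a single site.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed log format for this example (not the format of any real firewall):
#   <YYYY-MM-DD> <HH:MM:SS> DROP proto=<PROTO> src=<ip>:<port> dst=<ip>:<port>
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DROP proto=(\w+) "
    r"src=([\d.]+):(\d+) dst=([\d.]+):(\d+)$"
)

@dataclass(frozen=True)
class Event:
    reporter: str   # hypothetical name of the remote site whose agent sent it
    ts: datetime
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def parse_line(reporter, line):
    """Agent side: normalise one blocked-connection line; None if not understood."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proto, sip, sport, dip, dport = m.groups()
    return Event(reporter, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                 proto, sip, int(sport), dip, int(dport))

class Aggregator:
    """Central side: pool events from many reporters and correlate by source IP."""

    def __init__(self, window=timedelta(minutes=10), min_reporters=3, min_ports=5):
        self.window = window                # hits must fall inside this span
        self.min_reporters = min_reporters  # distinct sites hit -> "wide-scan"
        self.min_ports = min_ports          # distinct ports hit -> "port-scan"
        self._by_src = defaultdict(list)

    def ingest(self, event):
        self._by_src[event.src_ip].append(event)

    def alerts(self):
        """Check the thresholds over every sliding window of each source's hits;
        report at most one alert per (kind, source)."""
        found = {}
        for src, events in self._by_src.items():
            events.sort(key=lambda e: e.ts)
            for i, start in enumerate(events):
                in_win = [e for e in events[i:] if e.ts - start.ts <= self.window]
                reporters = sorted({e.reporter for e in in_win})
                ports = sorted({e.dst_port for e in in_win})
                if len(reporters) >= self.min_reporters:
                    kind = "wide-scan"   # one source probing many separate networks
                elif len(ports) >= self.min_ports:
                    kind = "port-scan"   # one source sweeping ports at a site
                else:
                    continue
                found.setdefault((kind, src), {
                    "kind": kind, "src": src, "reporters": reporters,
                    "ports": ports, "first": in_win[0].ts, "last": in_win[-1].ts})
        return list(found.values())

# Constructed sample logs from three hypothetical telecommuter sites.
SAMPLE_LOGS = {
    "home-alice": [
        "2002-04-10 09:00:05 DROP proto=TCP src=203.0.113.7:4431 dst=10.1.1.2:1433",
        "2002-04-10 09:12:00 DROP proto=TCP src=198.51.100.9:3001 dst=10.1.1.2:21",
        "2002-04-10 09:12:01 DROP proto=TCP src=198.51.100.9:3002 dst=10.1.1.2:22",
        "2002-04-10 09:12:01 DROP proto=TCP src=198.51.100.9:3003 dst=10.1.1.2:23",
        "2002-04-10 09:12:02 DROP proto=TCP src=198.51.100.9:3004 dst=10.1.1.2:25",
        "2002-04-10 09:12:03 DROP proto=TCP src=198.51.100.9:3005 dst=10.1.1.2:80",
        "2002-04-10 09:30:00 DROP proto=TCP src=192.0.2.5:51000 dst=10.1.1.2:80",
        "this line is garbage the agent should skip",
    ],
    "home-bob": [
        "2002-04-10 09:03:40 DROP proto=TCP src=203.0.113.7:4432 dst=10.2.2.2:1433",
    ],
    "home-carol": [
        "2002-04-10 09:07:15 DROP proto=TCP src=203.0.113.7:4433 dst=10.3.3.2:1433",
        "2002-04-10 09:45:00 DROP proto=UDP src=192.0.2.5:53 dst=10.3.3.2:137",
    ],
}

def run_demo(logs=SAMPLE_LOGS):
    """Feed every site's log through its agent into one aggregator; return alerts."""
    agg = Aggregator()
    for reporter, lines in logs.items():
        for line in lines:
            ev = parse_line(reporter, line)
            if ev is not None:
                agg.ingest(ev)
    return agg.alerts()

if __name__ == "__main__":
    for a in run_demo():
        print(f"{a['kind']} from {a['src']}: sites {a['reporters']} "
              f"ports {a['ports']} between {a['first']} and {a['last']}")
```

Run on the sample data, the aggregator raises a wide-scan alert for 203.0.113.7 (one port at all three sites within seven minutes, which no single site's log would flag on its own) and a port-scan alert for 198.51.100.9 at one site, while the lone probes from 192.0.2.5 stay below both thresholds. The single stray hit is exactly the kind of event a home firewall log is full of, so the point of pooling reports is that the thresholds apply across reporters, not per reporter.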
Setting up the product isn't that difficult. There are explicit instructions on the company's Web site and the only drawback is the support for only a few of the various firewall access log formats -- including BlackICE; Zone Alarm; cable/DSL routers from Netgear, Linksys, Dlink, Zyxel and SMC Barricade; and Microsoft's Internet Connection Sharing firewall. I like the fact that the product supports both software-only firewalls and the hardware devices as well, even though I am mostly partial to the hardware solutions myself.
MyNetWatchman is a great idea: another layer of protection and a way to be proactive about your network security. Given that the only cost is your own time, it should be used by anyone running a remote network or small business network that can't afford the staff or skills to maintain a full-blown firewall analysis tool.
Strom-meter key:
**** = Very cool, very useful
*** = Hey, not bad. One notch below very cool
** = A tad shaky to install and use but has some value.
* = Don't waste your time. Minimal real value.
About the author
David Strom is the senior technology editor for VAR Business magazine. He has tested hundreds of computer products over the past two decades working as a computer journalist, consultant and corporate IT manager. Since 1995 he has written a weekly series of essays on Web technologies and marketing called Web Informant. You can send him e-mail at email@example.com.
This was first published in April 2002