The goal of security management is to control access to network resources
according to local guidelines. This prevents the network from being sabotaged
and prohibits users without appropriate authorization from accessing sensitive
information. A security management subsystem, for example, can monitor users
logging onto a network resource and can refuse access to those who enter
inappropriate access codes.
Security management subsystems work by
partitioning network resources into authorized and unauthorized areas. For some
users, access to any network resource is inappropriate, mostly because such
users are company outsiders. For internal network users working inside
the company, access to information originating from a particular department
may be inappropriate.
Security management subsystems perform several functions.
They identify sensitive network resources, including systems, files, and other
entities, and determine mappings between sensitive network resources and user
sets. They also monitor access points to sensitive network resources and log
inappropriate access.
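The three functions just listed (identify sensitive resources, map them to user sets, monitor the access point and log inappropriate attempts) as a small worked example. This is added code, not from the page or from any Cisco product; every resource, group, user and address in it is made up for illustration.

```python
"""Added example (not from the original page or from Cisco): a minimal
security-management check that partitions resources into sensitive sets,
maps each sensitive resource to the user groups allowed to reach it,
evaluates access attempts, and logs the inappropriate ones. Every resource,
group, user and address here is made up for illustration."""
import logging
from dataclasses import dataclass, field

logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")

# Sensitive resource -> user groups (sets) authorized to use it.
# A resource absent from this map is in the unrestricted area.
SENSITIVE_RESOURCES = {
    "hr-db":          {"hr", "admins"},
    "finance-share":  {"finance", "admins"},
    "core-router-01": {"netops"},
}

# User -> groups. Company outsiders simply do not appear in the directory.
DIRECTORY = {
    "alice": {"hr"},
    "bob":   {"finance"},
    "carol": {"netops", "admins"},
}


@dataclass
class AccessMonitor:
    """Watches an access point and records every denied attempt."""
    resources: dict
    directory: dict
    denied: list = field(default_factory=list)   # audit trail of denials

    def check(self, user: str, resource: str, src_ip: str) -> bool:
        """Return True if the attempt is authorized, else log it and return False."""
        required = self.resources.get(resource)
        if required is None:
            return True                       # unrestricted resource
        groups = self.directory.get(user)
        if groups is None:
            self._deny(user, resource, src_ip, "unknown user (outsider)")
            return False
        if not groups & required:             # no overlap with the authorized set
            self._deny(user, resource, src_ip,
                       f"user groups {sorted(groups)} not in {sorted(required)}")
            return False
        return True

    def _deny(self, user, resource, src_ip, reason):
        record = {"user": user, "resource": resource, "src": src_ip, "reason": reason}
        self.denied.append(record)
        logging.warning("DENY user=%s resource=%s src=%s reason=%s",
                        user, resource, src_ip, reason)


def demo():
    """Run a few constructed attempts and return the monitor for inspection."""
    mon = AccessMonitor(SENSITIVE_RESOURCES, DIRECTORY)
    mon.check("alice", "hr-db", "10.0.0.5")               # authorized
    mon.check("bob", "hr-db", "10.0.0.9")                 # wrong department
    mon.check("mallory", "finance-share", "203.0.113.4")  # outsider
    mon.check("alice", "intranet-wiki", "10.0.0.5")       # unrestricted resource
    mon.check("carol", "core-router-01", "10.0.0.2")      # authorized
    return mon


if __name__ == "__main__":
    m = demo()
    print(f"{len(m.denied)} inappropriate access attempt(s) logged")
```

Only denials are written to the log; successful, authorized accesses to unrestricted resources generate nothing, which is the selective-logging idea the Audit section below argues for.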
A typical scenario includes a management station
which monitors and manages devices such as routers, firewalls, VPN devices, and
IDS sensors. CiscoWorks VPN/Security Management Solution (VMS) software is an
example.
CiscoWorks VMS consists of a set of Web-based applications for configuring,
monitoring, and troubleshooting enterprise VPNs, firewalls, NIDS, and HIDS.
CiscoWorks VMS is a scalable solution that addresses the needs of small and
large-scale VPN and security deployments.
The following are the VMS features and uses:
- Security Monitor
- One central management station for configuring, monitoring, and
troubleshooting the following:
  - VPN routers
  - Firewalls
  - Network IDS (NIDS)
  - Host Intrusion Prevention (HIPS)
In addition to VMS, Cisco provides free GUI device managers to
configure and monitor single firewalls, IDS sensors, or routers.
Audit
Security auditing is necessary to verify and monitor the
corporate security policy. A security audit verifies the correct implementation
of the security policy in the corporate network infrastructure. Subsequent
logging and monitoring of events can help detect any unusual behavior and
possible intrusions.
The hard part is determining what behavior is
unusual. It is important to establish a baseline of normal behavior. When
normal activity patterns are easily recognized, unusual activity is more
readily identified.
To test the effectiveness of the security
infrastructure, security auditing should occur frequently and at regular
intervals. Auditing should include new system installation checks, methods to
discover possible malicious insider activity, possible presence of a specific
class of problems, such as DoS attacks, and overall compliance with the site
security policy.
An audit log, generated by the various operating systems
running in the infrastructure, can be used to determine the extent of the
damage from a successful attack. Audit trails are most often put to use after
the attack, during damage assessment to reconstruct what happened during the
assault.
It is important to avoid logging every event. The amount of data
to sift through would become insurmountable. If too much data is logged and an
intrusion does occur, that intrusion will also be logged, but alongside
hundreds of insignificant events. The intrusion will most likely remain
undetected because it is hidden under a mountain of data generated by
the system.
On a network or system that is designed and implemented well,
concentrate on logging the types of activity that would most likely indicate
the first stage of an attack, such as repeated authentication failures or
access attempts against resources a user is not authorized for. Only the
unusual events need to be logged for day-to-day review; the audit trail used
for damage assessment after an attack is a separate matter and still has to be
retained. This information can give network administrators a warning that
something is amiss, and that warning will not be buried in inconsequential
detail.
Understanding how a system normally functions, knowing what behavior is
expected and unexpected, and being familiar with how devices are usually used
can help the organization detect security problems. Noticing unusual events can
help catch intruders before they damage the system. Security auditing tools can
help companies detect, log, and track those unusual events.
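A worked example of the approach this section describes: establish a baseline of normal behavior from a known-good period, then report only the events that depart from it (the paragraphs on baselining, on selective logging, and on noticing unusual events above). This is added code, not from the page or from any Cisco tool; the log line format, device names, user names and addresses are constructed for the example.

```python
"""Added example (not from the original page or from any Cisco tool): build a
baseline of normal login activity from a known-good period of audit log lines,
then report only the events that deviate from it, so the warning is not buried
in routine entries. The line format, devices, users and addresses are
constructed for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 3                   # failures inside FAIL_WINDOW raise an alert
FAIL_WINDOW = timedelta(seconds=60)

# Constructed format: "<ISO timestamp> host=<device> user=<name> src=<ip> result=<ok|fail>"
BASELINE_LINES = """\
2024-03-01T08:02:11 host=vpn01 user=alice src=198.51.100.7 result=ok
2024-03-01T08:05:40 host=vpn01 user=bob src=203.0.113.22 result=ok
2024-03-01T09:10:03 host=fw01 user=carol src=10.0.0.12 result=ok
2024-03-02T08:01:57 host=vpn01 user=alice src=198.51.100.7 result=ok
2024-03-02T08:03:15 host=vpn01 user=bob src=203.0.113.22 result=fail
2024-03-02T08:03:44 host=vpn01 user=bob src=203.0.113.22 result=ok
2024-03-02T09:12:30 host=fw01 user=carol src=10.0.0.12 result=ok""".splitlines()

NEW_LINES = """\
2024-03-03T03:14:02 host=vpn01 user=alice src=192.0.2.99 result=fail
2024-03-03T03:14:09 host=vpn01 user=alice src=192.0.2.99 result=fail
2024-03-03T03:14:15 host=vpn01 user=alice src=192.0.2.99 result=fail
2024-03-03T03:14:21 host=vpn01 user=alice src=192.0.2.99 result=fail
2024-03-03T03:14:40 host=vpn01 user=alice src=192.0.2.99 result=ok
2024-03-03T08:02:30 host=vpn01 user=alice src=198.51.100.7 result=ok
2024-03-03T09:11:12 host=fw01 user=carol src=10.0.0.12 result=ok""".splitlines()


def parse(line):
    """Turn one audit line into a dict, with the timestamp parsed under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def build_baseline(lines):
    """Per user: the source addresses and devices seen during normal operation."""
    baseline = defaultdict(lambda: {"src": set(), "host": set()})
    for rec in map(parse, lines):
        baseline[rec["user"]]["src"].add(rec["src"])
        baseline[rec["user"]]["host"].add(rec["host"])
    return baseline


def find_unusual(lines, baseline):
    """Return (timestamp, user, description) only for events that deviate from the baseline."""
    alerts = []
    reported = set()                     # (user, kind, value) already raised once
    recent_fails = defaultdict(deque)    # user -> timestamps of failures in the window

    def once(user, kind, value, ts, text):
        if (user, kind, value) not in reported:   # report a new source/device once, not per line
            reported.add((user, kind, value))
            alerts.append((ts, user, text))

    for rec in map(parse, lines):
        user, src, host, ts = rec["user"], rec["src"], rec["host"], rec["ts"]
        known = baseline.get(user)
        if known is None:
            once(user, "user", None, ts, "login by user absent from baseline")
        else:
            if src not in known["src"]:
                once(user, "src", src, ts, f"login from unseen source {src}")
            if host not in known["host"]:
                once(user, "host", host, ts, f"login to unusual device {host}")

        # Drop failures that fell out of the sliding window before counting.
        q = recent_fails[user]
        while q and ts - q[0] > FAIL_WINDOW:
            q.popleft()
        if rec["result"] == "fail":
            q.append(ts)
            if len(q) == FAIL_THRESHOLD:     # fire exactly when the threshold is crossed
                alerts.append((ts, user, f"{FAIL_THRESHOLD} failed logins within "
                                         f"{FAIL_WINDOW.seconds}s from {src}"))
        else:
            if len(q) >= FAIL_THRESHOLD:     # success right after a burst: guessed password?
                alerts.append((ts, user, "successful login following failure burst"))
            q.clear()
    return alerts


def run():
    """Baseline from the known-good period, then scan the new day's lines."""
    return find_unusual(NEW_LINES, build_baseline(BASELINE_LINES))


if __name__ == "__main__":
    for ts, user, text in run():
        print(f"{ts.isoformat()} {user}: {text}")
```

Seven new lines go in and three alerts come out (a previously unseen source for alice, a burst of failures from it, and the success that follows the burst); the routine logins from known addresses produce nothing, which is the point of baselining before alerting.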