How to Perform Network-Wide Security Event Log Management

By: GFI
Published: Jan 02, 2007
Length: 12
Type: White Paper
Related categories: Auditing, Intrusion Detection, Monitoring, Network Security, Security Management

Overview:
GFI EventsManager performs intrusion detection and network security reporting by monitoring the security event logs of all Windows 2000/NT/XP/2003 servers and workstations in the organization. It alerts you in real time about possible intrusions and attacks.

To ensure proper integration with the overall Windows environment, GFI EventsManager uses standard Windows technology such as Microsoft Message Queuing (MSMQ), Microsoft Management Console (MMC), Microsoft Windows Installer, and Open Database Connectivity (ODBC).

Implementing network-wide monitoring with GFI EventsManager requires little effort because you don't need to install software on each computer you want to monitor. The administrator installs GFI EventsManager on only one host computer, and then simply registers all the other systems to be monitored. The product's Collector Agent then uses native Win32 APIs to collect security events from the monitored computers. The Collector Agent stores these events in a Microsoft Access database or on a Microsoft SQL Server. This ODBC architecture lets administrators use standard reporting tools, such as Crystal Decisions' Crystal Reports, to create custom reports.

Next, GFI EventsManager's Alerter Agent compares the collected events to a Categorization Rules table, and then classifies the events as low security, medium security, high security, or critical. The Alerter Agent sends SMTP notification of critical events to an administrator-configured email address (e.g., a pager) to inform administrators immediately of possible intrusion attempts. For each monitored computer, the administrator can specify event-collection frequency, identify normal operating times, and specify a computer security level of low, medium, or high. The security-level setting lets the Alerter Agent interpret as more severe any suspicious events on systems that host more sensitive information or processes, thus reducing the number of false positives reported to the administrator.

Administrators can use GFI EventsManager's enhanced event viewer or the GFI EventsManager Reporter to perform regular analysis of all security events. To ensure a proper balance between resource consumption and timely alerts, administrators can specify a different collection frequency for each computer. The Archiver Agent periodically moves older activity from the active database to an archive for long-term storage. GFI EventsManager uses MSMQ technology to maintain high-performance communication between its internal agents.

Real time monitoring & categorization of security events

The heart of GFI EventsManager's intelligent alert capability is the Event Processing Rules node of the GFI EventsManager MMC Configuration snap-in.

GFI EventsManager management console

GFI EventsManager's default security categorization rules are designed to help the product recognize and notify the administrator of important events but avoid disturbing the administrator with false alarms. The rules let GFI EventsManager look for telltale indicators, such as events that occur at unusual hours or on high-security computers. Lower-priority events do not trigger an immediate alert but are always available for daily or weekly analysis by the administrator. GFI EventsManager categorizes each event as low security, medium security, high security, or critical. To do so, the product analyzes the event ID (e.g., the event IDs that correlate to failed logon, account lockout, file access) and the characteristics - including OS, domain role, security level, and normal operating hours - of the computer on which the event occurred, and then applies the categorization rules to this information. Administrators can tailor GFI EventsManager's processing rules according to their network's specific characteristics.

Categorization based on where event is collected from

GFI EventsManager deals with the arcane differences in the way Windows NT and Windows 2000/XP/2003 log events by adapting to the particular OS release it is running on. The product also recognizes the difference between workstations, member servers, and domain controllers, and interprets an event differently according to the computer's domain role.

Take network logons as an example of why the product must distinguish between OSs and domain roles. When someone connects to a computer over the network (e.g., by accessing a shared folder), Windows NT logs event ID 528 with logon type 2, whereas Windows 2000 logs event ID 540. Because GFI EventsManager considers the OS, it can correctly interpret the event ID according to whether the event occurs on a Windows NT or Windows 2000/XP/2003 system. Network logons to domain controllers or servers are common and shouldn't be regarded as suspicious during normal working hours. However, users do not typically need to access resources on other users' workstations.
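The categorization pipeline described above (event ID resolved per OS release, a base severity from a rules table, then escalation for off-hours activity, for network logons to workstations, and for hosts the administrator marked high-security, with only critical events producing an immediate alert) is easier to reason about as code. The following is an added example written for this page, not GFI EventsManager's own logic or rule table. The 528 (NT) and 540 (2000/XP/2003) network-logon IDs are taken from the text; 529 (failed logon) and 644 (account lockout) are well-known Windows security event IDs that the page mentions only by name; the base severities, the escalation order, the hosts and the timestamps are constructed sample data. The example keys on event ID and OS only and does not filter on logon type.

```python
"""Rule-based categorization of Windows security events, modelled on the
pipeline the page describes. Example code, not the product's own rules."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass
class Host:
    name: str
    os: str                 # "NT" or "2000" ("2000" stands for 2000/XP/2003)
    role: str               # "workstation", "member_server", "domain_controller"
    security_level: str     # "low", "medium", "high", set by the administrator
    work_start: int = 8     # normal operating hours, local time, [start, end)
    work_end: int = 18


@dataclass
class Event:
    host: Host
    event_id: int
    when: datetime


# The meaning of an event ID depends on the OS release that wrote the log.
# 528 (NT) and 540 (2000/XP/2003) for network logon are the page's figures;
# 529 (failed logon) and 644 (account lockout) are well-known IDs added here.
EVENT_CLASSES = {
    "NT":   {528: "network_logon", 529: "failed_logon", 644: "account_lockout"},
    "2000": {540: "network_logon", 529: "failed_logon", 644: "account_lockout"},
}

# Base severity per event class (constructed sample rules table).
BASE_SEVERITY = {
    "network_logon": Severity.LOW,
    "failed_logon": Severity.MEDIUM,
    "account_lockout": Severity.HIGH,
    "other": Severity.LOW,
}


def escalate(sev: Severity) -> Severity:
    """Raise severity one step, capped at CRITICAL."""
    return Severity(min(sev + 1, Severity.CRITICAL))


def categorize(ev: Event) -> tuple[str, Severity, list[str]]:
    """Return (event class, final severity, reasons) for one collected event."""
    host = ev.host
    cls = EVENT_CLASSES.get(host.os, {}).get(ev.event_id, "other")
    sev = BASE_SEVERITY[cls]
    reasons = [f"{cls} on {host.os} (id {ev.event_id})"]

    # Activity outside normal operating hours is a telltale indicator.
    if not (host.work_start <= ev.when.hour < host.work_end):
        sev = escalate(sev)
        reasons.append("outside normal operating hours")

    # Network logons to servers and DCs are routine; to workstations they are not.
    if cls == "network_logon" and host.role == "workstation":
        sev = escalate(sev)
        reasons.append("network logon to a workstation")

    # Suspicious events on hosts marked high-security are treated as more severe.
    if host.security_level == "high" and cls != "other":
        sev = escalate(sev)
        reasons.append("high-security host")

    return cls, sev, reasons


def alerts(events: list[Event]) -> list[str]:
    """Only CRITICAL events get an immediate notification; the rest wait for review."""
    out = []
    for ev in events:
        cls, sev, reasons = categorize(ev)
        if sev == Severity.CRITICAL:
            out.append(f"{ev.host.name}: {cls} ({'; '.join(reasons)})")
    return out


# Constructed sample hosts and events.
DC1 = Host("DC1", "2000", "domain_controller", "medium")
WS7 = Host("WS7", "NT", "workstation", "low")
FS1 = Host("FS1", "2000", "member_server", "high")

SAMPLE_EVENTS = [
    Event(DC1, 540, datetime(2007, 1, 2, 10, 0)),   # routine network logon to a DC
    Event(WS7, 528, datetime(2007, 1, 2, 10, 0)),   # network logon to a workstation
    Event(WS7, 528, datetime(2007, 1, 2, 2, 0)),    # same, but at 02:00
    Event(FS1, 644, datetime(2007, 1, 2, 10, 0)),   # lockout on a high-security server
    Event(DC1, 528, datetime(2007, 1, 2, 10, 0)),   # 528 on 2000 is not a network logon
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        cls, sev, reasons = categorize(ev)
        print(f"{ev.host.name} id={ev.event_id} {sev.name}: {'; '.join(reasons)}")
    print("alerts:", alerts(SAMPLE_EVENTS))
```

The same 528 record lands in different classes on the NT workstation and the 2000 domain controller, which is the OS-dependence the text describes; the two WS7 events differ only in time of day and end up one severity apart; and only the lockout on the high-security file server crosses the alert threshold, so the administrator is paged for one event out of five while the others remain in the database for daily or weekly review.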