Relevant Technologies, Inc. Product Review
Executive Summary
The most important piece of hardware that protects your network from intruders, hackers, and outside traffic is your firewall. Firewalls process an enormous amount of data that, when converted to useful information, can tell you many things about the packets traveling in and out of your network. Recently we took a look at InsideOut Firewall Reporter (IFR), created by Stonylake Solutions, to find out how it interprets the data and information produced by a leading firewall. We conducted the lab tests using Windows 2000 and a Cisco PIX firewall.
Vendor Background
Stonylake Solutions is a global provider of state-of-the-art firewall
reporting software with headquarters in Maryland, USA and offices in Toronto,
Canada. Established in 2000, Stonylake Solutions develops powerful software
that provides real time analysis and reporting for firewalls. Its customer base
includes federal and state organizations, educational and financial
institutions, and high tech companies.
The Problem with Firewalls
Each day there are more reports about network breaches and stories of how hackers have infiltrated or brought down a network. As a result, network security is one of the fastest growing sectors of the Information Technology market. As a network administrator, it is important to have tools at your disposal that help you proactively manage your network. Information about network problems can come from many sources. Operating systems, such as Windows NT/2000, have some built-in tools that can provide you with helpful information. There are third-party add-ons as well that can help diagnose network problems. The key to being successful is having tools that allow you to notice trends and immediate threats. Trend analysis can spot potential problems in advance, and real-time reporting can help you react quickly to an immediate threat. A firewall, like most other network devices, produces extraordinary amounts of information. So much, in fact, that it would be impossible to review it all without network tools. Most of the data that a firewall processes is not of great importance, though. What you need is a way to separate the typical data from the data that can tell you about vulnerabilities or abnormalities in your network. InsideOut Firewall Reporter is a network tool that can present information to you in real time in a variety of formats to help you interpret the data and react in an appropriate manner.
Table 1. Company and Product Information

| Item | Details |
|---|---|
| Company Name | Stonylake Solutions Inc. |
| Web Site | http://www.stonylakesolutions.com |
| Product Name | InsideOut Firewall Reporter |
| Key Features | Presents firewall data in an easy-to-read format; real-time reporting; ad-hoc reporting capability; enables security administrators to track trends over time; simple user interface; powerful drill-down and filter capabilities; scheduled reports via e-mail; ability to store raw data logs |
| Supported Firewall Platforms | Check Point Firewall-1, Cisco PIX, NetScreen, StoneGate, Borderware |
| Target Customers | Information security managers or administrators who need to translate data from their firewall(s) into usable information quickly |
| Company Ownership | Privately held |
| Company Address | USA: Stonylake Solutions Inc., Ellicott City, MD 21043. Canada: Stonylake Solutions Inc., 12 St. Clair Ave. East, P.O. Box 69102, Toronto, Ontario M4T 3A1 |
| Contact Information | Toll free: 866.757.0852; Tel: +1.416.929.0343; Fax: 416.929.7479 |
Product Functionality
InsideOut Firewall Reporter is a Java-based server application that runs on Windows and Linux platforms. You can view a live demo of IFR at http://livedemo.stonylakesolutions.com by clicking on Test Drive InsideOut from the Stonylake web site. This live demo allows you to navigate through four different firewalls and generate reports. It allows you to get used to the look and feel of the product before installing it. You can download and install a demo version of InsideOut Firewall Reporter from http://www.stonylakesolutions.com. The demo version has full functionality, but is only active for 30 days and only keeps the data for 48 hours. The complete download for Windows is over 100 MB, which includes not only IFR but other programs that must be installed as well. The IFR portion of the download is only 3.5 MB. Once you have downloaded the product, you can extract the files using WinZip and proceed to install it. The program and all applications can be installed on a single server. If you purchase the Professional or Enterprise Editions, the program can be distributed among three servers.
The system requirements for installing IFR on a single application-database server configuration are a P-II 450 MHz processor, 128 MB RAM and 5.0 GB free hard drive space running Windows 98/2000 or Linux operating systems. For the Enterprise Edition, you will need the following:
· The Reporting server - Requires a P-II 450 MHz processor, 128 MB RAM and 90 MB free hard drive space.
· The Logging server - Requires a P-II 450 MHz processor, 128 MB RAM and 75 MB free hard drive space.
· The Database server - Requires a P-II 450 MHz processor, 128 MB RAM and 5.0 GB free hard drive space.
Before you install the program, you should print and read the IFR help PDF file. The information contained in the PDF covers all the prerequisites you need to set up the software. There are some steps involved in setting up IFR that require you to do more than just click the Next button or choose an installation folder. For instance, you are required to set up an environment variable that allows certain batch files to find default paths. You may have to modify your Internet Explorer settings to make sure it is using the Microsoft Java VM. The help PDF also informs you of the default password that you will need to administer the program after installation.
The IFR application consists of four
different components: InsideOut
Reporting Engine (IRE), InsideOut Logging Engine (ILE), InsideOut Control
Center (ICC) and the InsideOut Database. The extracted download will consist of
three setup programs, of which the first to install is Java Developer Kit 1.4
(JDK1.4).
The second program to install is Tomcat 4.x,
which will load the Tomcat servlet engine.
Tomcat is the servlet container used in the official Reference
Implementation for the Java Servlet and JavaServer Pages technologies. Tomcat has been developed in an open
environment and released under the Apache Software License. It is intended to
be a collaboration of the best-of-breed developers from around the world. The
third program to install is IFR itself.
If you attempt to install IFR first, the on-screen instructions will tell you that you must have already installed Java and Tomcat. During the installation of IFR, you must supply the installation path of the Tomcat program. Once the core programs are installed, you have to restart Tomcat, open the ICC using the URL http://server-ip:8080/insideout/admin.html and configure InsideOut.
There are many configuration variables that you must supply during
the configuration, such as the type of firewall, IP configuration information,
database type, etc. Supplying correct
information during the initial configuration can save you time later from
having to reinstall or reconfigure.
After launching the configuration URL, http://server-ip:8080/insideout/admin.html,
you will have to choose the correct edition.
The three editions to choose from are Standard, Professional and
Enterprise. For the purpose of this
article, the Professional edition was evaluated. If you choose the wrong edition and need to
change it, you will have to reinstall the entire program. You must also configure the database,
licensing information, and define the ILE.
The firewall brands that IFR supports are Check Point Firewall-1, Cisco
PIX, NetScreen, StoneGate and Borderware.
More detailed instructions regarding configuration can be found in the
IFR help PDF.
How IFR Works
Your firewall must be configured to send its logs (via syslog) to IFR, where the data is processed and displayed in real time. The log files are consolidated and stored in a database to allow for report queries. To give you an idea of the enormous quantity of logs, one enterprise-class customer logs 4-5 million records in a day from a Nokia IP 540. Another customer has reported logging 12 million records from a PIX 520. All numbers are consolidated database records. In the case of the PIX, it produces 3 raw messages for every successful connection and 2 for each blocked one. To configure a Cisco PIX, you must have rights to access privileged mode. An example of the commands necessary to configure a PIX is listed below.
CiscoPIX(config)#logging host inside 10.2.12.17
CiscoPIX(config)#logging trap 6
CiscoPIX(config)#logging on
As the Cisco PIX processes traffic, it forwards the resulting log messages to IFR, which organizes them into useful information. InsideOut Firewall Reporter can optionally resolve IP addresses that are found in the log messages to host names by querying DNS, WINS or the host machine. This helps to overcome the problem of identifying hosts that are assigned DHCP addresses. A maintenance procedure runs once every 24 hours, which prunes, re-indexes, and compacts the database tables. Error conditions encountered during the maintenance procedure are reported to the administrator by e-mail.
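The consolidation step described above (several raw PIX messages collapsing into one database record, then rolled up by source, destination and service, with optional host-name resolution) is shown here as an added example; it is not code from InsideOut Firewall Reporter. The script parses a constructed batch of Cisco PIX syslog lines: message IDs 302013 (Built TCP connection), 302014 (Teardown TCP connection) and 106023 (Deny by access-group) are real PIX message types, but the exact field layout and all addresses, ports and byte counts in the sample are assumptions. The NAME_TABLE dictionary is a hypothetical stand-in for the DNS/WINS/hosts lookup.

```python
"""Consolidate Cisco PIX syslog lines into per-connection records and roll
them up into the allowed/blocked views a firewall reporter presents.
Added example for this review; not code from InsideOut Firewall Reporter."""
import re
from collections import Counter

# Constructed sample batch (not captured from a real device). The message IDs
# are real PIX types; the field layout is assumed from PIX 6.x conventions.
SAMPLE_LOG = """\
%PIX-6-302013: Built inbound TCP connection 41 for outside:192.0.2.10/3345 (192.0.2.10/3345) to inside:10.2.12.50/80 (10.2.12.50/80)
%PIX-6-302014: Teardown TCP connection 41 for outside:192.0.2.10/3345 to inside:10.2.12.50/80 duration 0:00:02 bytes 5120 TCP FINs
%PIX-6-302013: Built outbound TCP connection 42 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.2.12.77/1051 (10.2.12.77/1051)
%PIX-6-302014: Teardown TCP connection 42 for outside:198.51.100.7/443 to inside:10.2.12.77/1051 duration 0:00:10 bytes 20480 TCP FINs
%PIX-4-106023: Deny tcp src outside:203.0.113.9/4021 dst inside:10.2.12.50/23 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.9/4022 dst inside:10.2.12.50/23 by access-group "outside_in"
%PIX-4-106023: Deny udp src outside:203.0.113.9/4023 dst inside:10.2.12.50/161 by access-group "outside_in"
"""

# Hypothetical name table standing in for the DNS/WINS/hosts-file lookup the
# reporter performs; a real implementation would call socket.gethostbyaddr().
NAME_TABLE = {
    "10.2.12.50": "www-1.example.internal",
    "10.2.12.77": "pc-77.example.internal",
}

BUILT = re.compile(
    r"%PIX-\d-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for \w+:(?P<a_ip>[\d.]+)/(?P<a_port>\d+) \([^)]*\) "
    r"to \w+:(?P<b_ip>[\d.]+)/(?P<b_port>\d+)")
TEARDOWN = re.compile(
    r"%PIX-\d-302014: Teardown TCP connection (?P<id>\d+) .*? bytes (?P<bytes>\d+)")
DENY = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")


def consolidate(text):
    """Collapse raw syslog lines into one record per connection attempt.

    A Built/Teardown pair sharing a connection id becomes a single 'allowed'
    record carrying the byte count from the teardown; each Deny becomes one
    'blocked' record. Returns (records, number_of_lines_not_consolidated).
    """
    open_conns = {}   # connection id -> record awaiting its teardown
    records = []
    skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        if m := BUILT.search(line):
            # The initiator is the 'for' side for inbound connections and the
            # 'to' side for outbound ones; the service port is the responder's.
            if m["dir"] == "inbound":
                src, dst, dport = m["a_ip"], m["b_ip"], int(m["b_port"])
            else:
                src, dst, dport = m["b_ip"], m["a_ip"], int(m["a_port"])
            open_conns[m["id"]] = {"action": "allowed", "proto": "tcp",
                                   "src": src, "dst": dst, "dport": dport, "bytes": 0}
        elif m := TEARDOWN.search(line):
            rec = open_conns.pop(m["id"], None)
            if rec is None:
                skipped += 1  # teardown whose Built message was never seen
                continue
            rec["bytes"] = int(m["bytes"])
            records.append(rec)
        elif m := DENY.search(line):
            records.append({"action": "blocked", "proto": m["proto"],
                            "src": m["src"], "dst": m["dst"],
                            "dport": int(m["dport"]), "bytes": 0})
        else:
            skipped += 1  # message type this parser does not understand
    # Connections still open at the end of the batch are still allowed traffic.
    records.extend(open_conns.values())
    return records, skipped


def resolve(ip, names=NAME_TABLE):
    """Map an address to a host name where one is known, else keep the IP."""
    return names.get(ip, ip)


def summarize(records, names=NAME_TABLE):
    """Roll consolidated records up into reporter-style views: allowed and
    blocked totals, connections per service, blocked attempts per source and
    bytes transferred per allowed source."""
    summary = {"allowed": 0, "blocked": 0, "services": Counter(),
               "blocked_sources": Counter(), "bytes_by_source": Counter()}
    for r in records:
        summary[r["action"]] += 1
        summary["services"][f"{r['proto']}/{r['dport']}"] += 1
        if r["action"] == "blocked":
            summary["blocked_sources"][resolve(r["src"], names)] += 1
        else:
            summary["bytes_by_source"][resolve(r["src"], names)] += r["bytes"]
    return summary


if __name__ == "__main__":
    recs, skipped = consolidate(SAMPLE_LOG)
    print(f"{len(recs)} records from {len(SAMPLE_LOG.splitlines())} lines, {skipped} skipped")
    for key, value in summarize(recs).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

On the sample batch the seven raw lines become five database-style records (two allowed, three blocked), which is the kind of reduction the customer figures above refer to. The outbound case matters: the PIX lists the outside address first whether or not it initiated the connection, so a reporter has to use the direction word to decide which side is the user and which port is the service before it can count "connections by service" correctly.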
The Cool Reports
The best feature that IFR has is its reporting capability. InsideOut's browser-based interface provides more than 150 standard reports in 13 major categories. Once you have completed the initial configuration, your server starts receiving information immediately from the firewall that can be turned into useful reports. InsideOut's automated reports can be generated on a schedule as a server task and then delivered by e-mail. The report screen is made up of a tabbed report area and a Report Settings panel that is used to set report selection criteria.
As can be seen in Figure 1, IFR organizes data into an easy to
read graph.
Figure 1. Traffic Allowed Through the Firewall
Under the Report Settings heading, you can see the filters that
have been applied to the report. The
screen shows that the data is coming from a PIX firewall, from all users, from
all subnets and for all Services. Each
of these report features is customizable on the fly without having to perform
configuration changes. The middle of the screen is where the data is graphically represented. The tabs at the top allow you to view data in
many different formats. On the right of
the screen, you can decide whether to receive a report summary, view allowed
traffic or view blocked traffic details.
A sample of summary activity can be seen in Figure 2.
Figure 2. Activity Summary
With a simple click of a mouse you can view allowed traffic by
Users, Destinations, Connections, Bandwidth, Overall and Subnets. To view blocked traffic, you simply click on
the blocked tab to the right of the screen.
Figure 3. Traffic Blocked by the Firewall
Once again, you can view blocked traffic by Sources, Destinations,
Attempts, Overall and Subnets with a click of the mouse. A sample of the Overall report can be seen in
Figure 4.
Figure 4. Overall Traffic Allowed
The browser interface gives you the convenience of accessing
reports from anywhere, at any time, with just a single server
installation. The best thing about the
reports and the thing that helps set IFR apart from many competitors is that
the data is in real time. You have the option of viewing historical information by clicking on the arrow to each side of the date in the middle window. There are
no restrictions to the number of users who can simultaneously view the reports,
which can be printed and exported to applications such as Microsoft Excel.
There are many different products on the market that can also
interpret firewall data. From the
Internet, you can find many Syslog servers.
Some of these are expensive, complex and offer many features, such as
Cisco Works. Others simply provide raw
data, which you have to assemble into information.
Figure 5. Cisco Works
Figure 6 shows an example of a syslog server that captures raw data,
which, in turn, you must decipher. It
can be downloaded for free at http://www.ncat.co.uk/Download/. The obvious problem here is that you have to
sort through hundreds or thousands of lines of traffic. Even if you have a program to parse the data,
you still will not have it in an easy to read graphical format.
Figure 6. Syslog Server
You can even use a default feature in a Cisco PIX to capture
information. From configuration mode,
type:
CiscoPIX(config)#logging monitor information
CiscoPIX(config)#terminal monitor
The output from these commands is shown below. It is not represented graphically and forces you to weed through the data to find useful information.
Figure 7. A Sample of Logging that Can be Performed with a PIX Firewall
The strength of IFR is that it uses a browser to graphically represent real-time or historical information. At a glance you can identify problems with your network. The ability to retrieve real-time information quickly and easily using the reports feature is probably the biggest advantage of this product. Once it is set up, it requires little effort to extract valuable information.
The installation process for IFR can be somewhat of a challenge. Getting all of the programs installed, and configuring variables, firewalls and the software itself, takes a little time. It would be nice if the program could check to see if the correct versions of Java and Tomcat were already installed, and if not, install them automatically. Configuration time could also be reduced if the environment variables were set automatically. Although IFR supports most common databases such as SQL Server 2000, PostgreSQL 7.2.1 and MSDE 2000, one obvious omission is support for Oracle.
Currently IFR
supports a limited number of firewall vendors.
We are eager to see support for more products, which we are told will be coming in future editions. Other changes
that are coming are the ability to see who changed a firewall policy, when the
rule was changed and which rules get used most often. These are features that will help broaden the
appeal of this product. In its current
release, IFR is a strong product that helps validate your firewall and perform
audits of your system.
As an
administrator, you should be keenly aware of the risks your network faces from
inside and outside threats. You can only do your job as well as the tools you have at your disposal allow. If you want to quickly and easily see the
types of data that come into your firewall, IFR is a great product for the
price. This product is meant for small
to large businesses and not for the average home user with DSL. The size of your business will determine the
product you need to purchase. Small
companies with less than 50 employees and a single firewall should consider the
Standard version. This version is
designed to run on Windows only. You are
restricted to using the MSDE database that comes with the product and can only
store 2GB of data, but at a price of only $250, it is a bargain.
The
Professional version of IFR is intended for small to medium sized businesses
that have a single firewall. You can
distribute the installation over three servers with each server handling a
different component. This version
supports additional database formats including MSDE, MS SQL Server and
PostgreSQL databases. It can be loaded
on Windows or Linux operating systems.
It has scheduled reports and pre-configured reports as opposed to only
having reports in a browser. The
Professional version comes in at a price of $995, but is still a good deal
considering all the features it has.
The Enterprise
version includes all of the features of the Professional version as well as
support for multiple firewalls. It has a
scalable architecture that allows you to start out with a small system and then
add other machines as needed. It is
intended for large businesses that need to be able to manage multiple firewalls
from a central location. It also
includes preconfigured and scheduled reports, and built-in maintenance
processes to ensure optimum system performance.
Using the Enterprise Edition, you can move from an Enterprise-wide view
down to a specific firewall and even down to a view of a specific user with a
few simple mouse clicks. It is possible
for an administrator in New York to quickly monitor a situation developing in
Houston, Hong Kong or Paris. The
Enterprise Edition supports MS SQL Server, and PostgreSQL databases, and can
run in mixed Windows and Linux environments.
The Enterprise edition of IFR costs $1295 per firewall.
Clearly, using
IFR helps you more easily understand the information your firewall is
producing. By understanding firewall logs better, firewall administrators are
better equipped to make decisions and protect the infrastructure for which they
are responsible.
© 2003 Relevant Technologies, Inc. All rights reserved.