New Jersey’s Office of Information Technology (OIT) manages a Wide Area Network that links more than 40 agencies and 15 departments, including law enforcement and public utilities. The network has about 3,000 devices, including Cisco Systems routers and switches, and connects more than 60,000 users to around 1,500 sites.
“We have about 11 people to manage all that,” explains network engineer Jim Hammond.
Security, naturally, is part of that 24-7 operation – and one that had become increasingly arduous for the small staff. The OIT system is equipped with Cisco PIX firewalls and Cisco network-based intrusion-detection systems, all releasing a ton of data.
“The firewalls were generating large amounts of alerts. We were using sys log servers to manage all that logging and a couple of utilities to get a handle on what was going on in the network, but we really had nothing to analyze what was happening,” says Hammond.
A Cisco logging tool OIT used with the IDS modules was not providing much visual insight into network activity, adds Hammond. Moreover, the IDSs were creating lots of false positives. “We needed some way to manage all of this,” he recalls.
OIT considered a tool would collect security events, which was available from a vendor through its contract with Cisco. But the tool had limited capabilities and OIT was worried about potential support issues. Hammond decided to try out a new product from Protego Networks, which was recently purchased by Cisco Systems.
Protego’s PN-MARS appliance collects network and security data from OIT’s switches, IOS routers, IDS sensors, firewalls, and Windows and Solaris servers. It analyzes this data using the company’s ContextCorrelation logic, which groups security events and network behavior across Network Address Translation (NAT) boundaries into sessions. It weeds out false positives and identifies true threats by applying user-defined correlation rules and pre-defined rules based on attack scenarios to multiple sessions.
Processing more than 10,000 events per second, the device also uses Protego’s SureVector analysis to determine valid threats by assessing the path an event took through the network.
PN-MARS, which does not operate inline, uses integrated network discovery to build a topology map with device configuration and security policies.
The appliance’s AutoMitigate feature identifies choke point devices along an attack path, thereby allowing administrators to push out commands to a device in order to mitigate a threat. A web-based console permits multiple administrators to see trouble spots.
So far, the device has proven to be useful, particularly in reducing false positives, says Hammond. “It’s a losing proposition trying to tune all the IDS sensors individually to eliminate false positives, especially every time a new set of signatures comes out,” he says. “Now we simply send everything to Protego.”
PN-MARS saves OIT staffers “the drudgery” of chasing down every IDS alert, says Hammond. “It allows us to react to an event much quicker. We were spending most of our time on stuff that was meaningless.”
Hammond says the device’s user interface is easy to operate: “You don’t have to keep going to a menu and back down another menu. You can drill down, whether you want to go right to queries or need information about an event.”
A summary screen “gives you a nice snapshot of what’s going on in the network,” he adds.
PN-MARS also monitors Cisco’s NetFlow, which OIT uses to collect network traffic flow data. That allows administrators to spot abnormal traffic patterns, which can indicate a possible worm or virus.
While Protego’s product was not designed for network management, it helps on that front, too. “We can see when something new gets added to the network that we didn’t know about. That helps us out with some of the network management,” says Hammond.
One staffer is using the device to diagnose routing problems and was able to figure out why an agency could not connect to a federal office. “As it turns out, they weren’t setting up a three-way handshake,” explains Hammond.