MonMan Service

Managed Network Security

Our MonMan (monitoring and management) service and station is a small device running a Linux server plus a small number of programs. It allows the monitoring and proactive management of firewalls, routers, switches and other security and network devices that offer local and/or remote console access (command-line and/or VNC/Terminal Services/Citrix/etc. based).

MonMan Features:

- use it as a syslog server; any syslog events it receives are forwarded securely (over a VPN) to a central ESM server maintained by xDefenders for management and alerting
- use it as a TFTP server; this lets the managed appliance store its configuration and running images on the MonMan, so both can be restored quickly after a failure
- use it as an SNMP trap destination
- collect NetFlow statistics for bandwidth monitoring and analysis
- keep a copy of the firewall rules on its disk

Managed Security Service:

- access the managed appliance on its console port (via the serial interface)
- access the managed appliance via ssh or telnet, over a secure channel (SSH or VPN)
- automatically pull the configuration for backup purposes
- perform a rapid restore from the MonMan disk to replacement firewall hardware after a hard failure

Deployment requirements:

- outside the customer firewall, i.e. it needs a separate externally reachable IP address
- connected to the managed appliance via a serial cable (only one serial connection is available)
- the customer must allow ping, SNMP and ssh (or telnet) to the managed appliance

Managed Firewall

Our Managed Firewall Service consists of a firewall (Fortigate or Cisco ASA), our MonMan and our ESM systems. Taken together, these give you professional, proactive network security management, monitoring and compliance reporting.

Your firewall sends syslog data to our MonMan continuously. The MonMan regularly forwards this data to our central ESM in Rochester. The ESM produces a Daily Report showing alerts that are "over threshold", and we monitor, investigate and react.

In some rare cases, we will change the firewall rules accordingly, or recommend other action on your part, to protect your network.

We capture what the ASA is configured to send to the ESM (via the MonMan). Since we manage the ASA, we have it send all syslog messages with severity levels 1 - 3 (for a list of events see this document:
http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logsev.html).

Additionally, we log messages 605004, 606001, 606002, 611103 and 502103 (they all record login/logout events), but NOT 106014, 313001 and 313008 (routine ICMP deny messages of severity 3, which would otherwise fall inside the 1 - 3 band; they record only routine, low-value events).
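The same forwarding policy, written out as a receiving-side filter so the rules can be read and tested against sample lines. This is an added example, not code from xDefenders or from the MonMan; on the page the selection is done by the ASA's own logging configuration, and this block only restates that selection. The severity band and message ID lists are taken from the text above; the syslog lines are constructed for the example (documentation IP ranges, not real hosts), and the PIX/FWSM tag prefixes are included on the assumption that the same policy may be applied to those platforms.

```python
import re

# Policy stated on the page: the ASA sends severity 1-3, plus the listed
# login/logout message IDs regardless of severity, minus three noisy IDs.
MAX_SEVERITY = 3
ALWAYS_FORWARD = {"605004", "606001", "606002", "611103", "502103"}
NEVER_FORWARD = {"106014", "313001", "313008"}

# %ASA-<severity>-<message-id>: the tag the ASA puts in every syslog line.
# PIX and FWSM use the same layout with a different product prefix (assumed
# here so the filter is not tied to one product name).
_TAG = re.compile(r"%(?:ASA|PIX|FWSM)-(\d)-(\d{6}):")


def parse_asa(line):
    """Return (severity, message_id) for an ASA syslog line, or None if the
    line does not carry the %ASA-<sev>-<id> tag."""
    m = _TAG.search(line)
    if not m:
        return None
    return int(m.group(1)), m.group(2)


def should_forward(line):
    """Apply the page's policy to one line.

    Lines without an ASA tag are forwarded rather than dropped: a relay that
    silently discards what it cannot parse loses exactly the unexpected
    events an analyst would want to see."""
    parsed = parse_asa(line)
    if parsed is None:
        return True
    severity, msg_id = parsed
    if msg_id in NEVER_FORWARD:
        return False
    return severity <= MAX_SEVERITY or msg_id in ALWAYS_FORWARD


def filter_lines(lines):
    """Return the subset of lines that the policy forwards to the ESM."""
    return [line for line in lines if should_forward(line)]


# Constructed sample input covering each branch of the policy.
SAMPLE = [
    "<163>Dec 10 2007 06:26:19: %ASA-3-710003: TCP access denied by ACL from 192.0.2.7/4433 to outside:198.51.100.2/23",
    "<163>Dec 10 2007 06:26:20: %ASA-3-106014: Deny inbound icmp src outside:203.0.113.9 dst inside:10.0.0.1 (type 8, code 0)",
    '<166>Dec 10 2007 06:26:21: %ASA-6-605004: Login denied from 203.0.113.9/51234 to outside:198.51.100.2/ssh for user "admin"',
    '<166>Dec 10 2007 06:26:22: %ASA-6-605005: Login permitted from 10.0.0.5/51240 to inside:10.0.0.1/ssh for user "admin"',
    "<166>Dec 10 2007 06:26:23: %ASA-6-606001: ASDM session number 0 from 10.0.0.5 started",
    "<165>Dec 10 2007 06:26:24: %ASA-5-611103: User logged out: Uname: admin",
    "<165>Dec 10 2007 06:26:25: %ASA-5-111008: User 'admin' executed the 'configure terminal' command.",
    "<14>Dec 10 2007 06:26:26 monman sshd[4120]: Accepted publickey for ops from 10.0.0.9 port 40110 ssh2",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print("FORWARD" if should_forward(line) else "drop   ", line[:72])
```

Two things the sample makes visible. First, the three excluded IDs are severity 3, so a bare "severity 1 - 3" rule would let them through; the exclusion has to be explicit, which on the ASA itself is done with `no logging message 106014` (and likewise for 313001 and 313008) alongside a logging list that combines `level errors` with the individual `message` IDs. Second, 605004 is "Login denied" and 605005 is "Login permitted"; the page's list covers the former only, so a successful administrative login to the ASA (severity 6) is not forwarded under this policy. If the compliance report is expected to list successful firewall logons, 605005 needs to be added to the list.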

The MonMan also captures NetFlow statistics. These can be used for bandwidth usage monitoring, troubleshooting and planning. The MonMan can send the raw data to a NetFlow Analyzer Management System for reporting; xDefenders provides such an appliance.


Daily Compliance Reporting:

> ------------------------------------------------------------
> Host 'Firewall'
> => Yesterday's successful logons (none)
>
> ------------------------------------------------------------
> Host 'VPNconcentrator'
> => Yesterday's successful logons
> 2007-12-09 06:26:19 su[8197]: Successful for Jeff Brown
> 2007-12-09 06:26:19 su[8200]: Successful for Sue Smith
> 2007-12-09 06:26:20 su[8202]: Successful for James Street


The ESM (our central syslog management server in Rochester) creates a daily report for our CISSP staff to review.

This email may contain several reports:
>
> - General overview for the today and the past three days
> - Compliance report: Successful logons for yesterday
> - Compliance report: Unsuccessful logons for yesterday
> - Compliance report: Logoffs for yesterday
> - IPS Activity for yesterday
>
> Statistics Trend for group 'Servers':
> ------------------------------------------------------------
> Host '1.2.3.4'
>
> => Total events
>
> Today : 38 *
> Yesterday : 1441
> Two days a: 1086
> Three days: 1869
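To show how a daily compliance report of this shape is derived from stored syslog, here is an added example that builds the "successful logons for yesterday" section and the per-host event trend from a set of lines. It is not the ESM's code and does not claim to reproduce its logic. The line format is an assumption: each stored line is taken to be prefixed with the sending host, followed by the `YYYY-MM-DD HH:MM:SS prog[pid]: message` layout seen in the excerpt above. The sample lines, the `over_threshold` rule (yesterday's count compared with a fixed number) and the `threshold` value are constructed for the example; the page does not say how its threshold is defined.

```python
import re
from collections import Counter
from datetime import date, timedelta

# "<host> <YYYY-MM-DD> <HH:MM:SS> <rest>"; the host prefix is an assumption
# about how lines are tagged by sender, the rest mirrors the report excerpt.
_LINE = re.compile(r"^(\S+) (\d{4})-(\d{2})-(\d{2}) \d{2}:\d{2}:\d{2} (.*)$")
_SU_OK = re.compile(r"^su\[\d+\]: Successful for (.+)$")


def parse(line):
    """Split a stored line into (host, date, message); None if it does not fit."""
    m = _LINE.match(line)
    if not m:
        return None
    host, y, mo, d, msg = m.groups()
    return host, date(int(y), int(mo), int(d)), msg


def successful_logons(lines, day):
    """Map every host seen in the input to the users who logged on via su on
    `day`. Hosts with no such event map to an empty list, so the report can
    print '(none)' for them instead of silently omitting the host."""
    result = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue  # unparseable lines are skipped, not counted
        host, when, msg = parsed
        result.setdefault(host, [])
        m = _SU_OK.match(msg)
        if m and when == day:
            result[host].append(m.group(1))
    return result


def event_trend(lines, today, days=4):
    """Per host, total events for today, yesterday, ... (`days` entries)."""
    counts = Counter()
    hosts = set()
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        host, when, _ = parsed
        hosts.add(host)
        counts[(host, when)] += 1
    return {h: [counts[(h, today - timedelta(days=n))] for n in range(days)]
            for h in sorted(hosts)}


def over_threshold(trend, threshold):
    """Hosts whose count for yesterday (index 1) exceeds `threshold`.
    The rule itself is an assumption made for this example."""
    return [h for h, c in trend.items() if c[1] > threshold]


def render(lines, today, threshold):
    """Plain-text report in the style of the excerpt above."""
    yesterday = today - timedelta(days=1)
    out = []
    for host, users in sorted(successful_logons(lines, yesterday).items()):
        out += ["-" * 60, f"Host '{host}'",
                "=> Yesterday's successful logons" + ("" if users else " (none)")]
        out += [f"   {u}" for u in users]
    trend = event_trend(lines, today)
    flagged = over_threshold(trend, threshold)
    out.append("-" * 60)
    for host, c in trend.items():
        mark = "  OVER THRESHOLD" if host in flagged else ""
        out.append(f"Host '{host}': today {c[0]}, yesterday {c[1]}, "
                   f"two days {c[2]}, three days {c[3]}{mark}")
    return "\n".join(out)


# Constructed sample covering four days for a firewall and a VPN concentrator.
SAMPLE = [
    "Firewall 2007-12-07 09:12:01 %ASA-3-710003: TCP access denied by ACL from 192.0.2.7/4433 to outside:198.51.100.2/23",
    "Firewall 2007-12-07 21:40:55 %ASA-3-710003: TCP access denied by ACL from 192.0.2.8/4500 to outside:198.51.100.2/23",
    "Firewall 2007-12-08 03:15:10 %ASA-3-710003: TCP access denied by ACL from 192.0.2.9/4501 to outside:198.51.100.2/22",
    'Firewall 2007-12-09 08:00:00 %ASA-6-605004: Login denied from 203.0.113.9/51234 to outside:198.51.100.2/ssh for user "admin"',
    'Firewall 2007-12-09 08:00:05 %ASA-6-605004: Login denied from 203.0.113.9/51235 to outside:198.51.100.2/ssh for user "root"',
    'Firewall 2007-12-09 08:00:09 %ASA-6-605004: Login denied from 203.0.113.9/51236 to outside:198.51.100.2/ssh for user "cisco"',
    "Firewall 2007-12-10 00:10:00 %ASA-3-710003: TCP access denied by ACL from 192.0.2.7/4433 to outside:198.51.100.2/23",
    "VPNconcentrator 2007-12-09 06:26:19 su[8197]: Successful for Jeff Brown",
    "VPNconcentrator 2007-12-09 06:26:19 su[8200]: Successful for Sue Smith",
    "VPNconcentrator 2007-12-09 06:26:20 su[8202]: Successful for James Street",
    "VPNconcentrator 2007-12-09 23:40:02 su[9011]: Failed for Jeff Brown",
    "VPNconcentrator 2007-12-10 01:02:03 su[9100]: Successful for Jeff Brown",
    "garbage line that the parser must skip",
]

if __name__ == "__main__":
    print(render(SAMPLE, date(2007, 12, 10), threshold=3))
```

Run as-is it prints the Firewall host with "(none)" and the three VPN concentrator logons for 2007-12-09, then the four-day counts per host; the VPN concentrator is flagged because its four events on 2007-12-09 exceed the example threshold of 3, while the firewall's three do not. The point to carry over to a real ESM is the `setdefault` in `successful_logons`: a host that stops sending logon events must still appear in the report, since a silent host and a host with no logons are different findings.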