Log Audit Ensuring Behavior Compliance
Secoway eLog System
HUAWEI TECHNOLOGIES CO., LTD.
As organizations strengthen their IT infrastructure, their application systems (service systems, operating systems, databases, and Web servers), security devices (firewalls and UTM, IPS, IDS, VPN, DPI, and AV devices), and network devices (routers, switches, and access devices) grow continuously. A comprehensive, unified log management system that manages all logs from the network layer, system layer, and application layer is urgently needed. Security incidents appear one after another on hosts, databases, and Web servers, such as backdoor Trojan horses, SQL injections, Web tampering, and internal data tampering. How can these security incidents be detected and handled? How can they be investigated and evidence collected?
To help organizations address these concerns, Huawei Technologies Co., Ltd. (Huawei for short) has launched a comprehensive log management and security audit system, namely, Secoway eLog.
“Footmark” Record
Session Log Management
■ The eLog system collects, parses, and stores session logs (NAT logs) generated by firewalls, routers, and switches.
■ It accurately traces the NAT process to provide evidence for investigation.
Behavior “Exposure”
Network Behavior Audit and Management
■ The Secoway eLog system collects live statistics and displays reports on various traffic such as basic traffic, application-specific traffic, interface-specific traffic, and P2P traffic.
■ The Secoway eLog system also provides reports on UTM features such as IPS, mail filtering, AV, URL filtering, and IM monitoring and blocking.
User Behavior Audit and Management
■ The Secoway eLog system analyzes the logs of the bypass probe device for application-layer protocols such as FTP, Telnet, and HTTP. Based on the analysis results, the Secoway eLog system monitors high-risk operations and alerts administrators so that they can take immediate action against suspicious behavior.
■ The Secoway eLog system audits operations on DB2, Oracle, Informix, Sybase, and SQL Server databases to provide visibility into current database operations and ensure data security.
Centralized Management
Unified Log Management Platform
■ The Secoway eLog system logs the following devices:
• Huawei’s security devices, routers, switches, and BRAS devices.
• Other vendors’ security and network devices.
• Hosts, databases, and Web servers.
• Standard syslog devices.
■ The Secoway eLog system collects, categorizes, and stores all logs.
Intelligent Security
User-centric Alarm Management
■ The administrator can configure alarm policies as needed. The Secoway eLog system automatically informs the administrator in different ways when an event matches an alarm policy.
■ The administrator can view live alarm statistics for the entire network or a specific device to gain visibility into the network security posture.
Flexible Network Deployment
■ Its distributed architecture allows the Secoway eLog system to be smoothly upgraded from the centralized mode to the distributed mode without affecting the current network structure.
High Security and Reliability
■ The Secoway eLog system has the following reliability features:
• Supports HTTPS access to ensure data security.
• Uses a buffer mechanism to avoid data loss in the case of network failures.
• Provides highly reliable storage and management of massive logs, covering log compression, log backup to tape drives, and quick disaster recovery.
Application Scenarios
Collecting Evidence — NAT/PAT Tracing
• Because public IP addresses are limited, most enterprises use the gateway to perform NAT or PAT.
• Security events often occur on the internal or external network through the gateway. Thus, evidence can be collected by recording NAT or PAT information.
[Figure: NAT/PAT tracing deployment. Clients in enterprises, hotels, homes, and public places sit behind a NAT gateway (Eudemon, BRAS, or NE40/80); the gateway sends binary NAT logs to the Secoway eLog system.]
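The tracing step this scenario describes, as an added example that is not Secoway eLog code: given NAT/PAT session records, find which internal host held a public IP:port at the moment an external system reported an incident. The log line format and the sample records are constructed for this example; real NAT logs are device-specific.

```python
# Added example (not Secoway eLog code): trace a public IP:port observed in an
# incident back to the internal host using NAT/PAT session logs. The log line
# format below is constructed for this example, not a real device format.
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Union

# Constructed sample NAT session log. Fields:
# start_time end_time internal_ip:port -> public_ip:port dest_ip:port proto
SAMPLE_NAT_LOG = """\
2011-08-05T09:00:00 2011-08-05T09:05:30 10.1.2.33:51234 -> 203.0.113.7:40001 198.51.100.9:80 tcp
2011-08-05T09:04:10 2011-08-05T09:20:00 10.1.2.57:49152 -> 203.0.113.7:40002 198.51.100.9:443 tcp
2011-08-05T09:06:00 2011-08-05T09:30:00 10.1.2.88:51234 -> 203.0.113.7:40001 192.0.2.10:22 tcp
"""

@dataclass(frozen=True)
class NatSession:
    start: datetime
    end: datetime
    internal: str  # pre-NAT source: the host an investigator wants to identify
    public: str    # post-NAT source as seen by the outside world
    dest: str
    proto: str

def parse_nat_log(text: str) -> List[NatSession]:
    """Parse the constructed log format into NatSession records."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, internal, arrow, public, dest, proto = line.split()
        if arrow != "->":
            raise ValueError(f"malformed NAT log line: {line!r}")
        sessions.append(NatSession(datetime.fromisoformat(start),
                                   datetime.fromisoformat(end),
                                   internal, public, dest, proto))
    return sessions

def trace_internal_host(sessions: List[NatSession], public_ip: str, public_port: int,
                        at: Union[str, datetime], proto: str = "tcp") -> Optional[str]:
    """Return the internal endpoint that held public_ip:public_port at time `at`.
    PAT reuses a public port once a session ends, so the same public endpoint maps
    to different internal hosts over time; the time window is what makes it evidence."""
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    public = f"{public_ip}:{public_port}"
    for s in sessions:
        if s.public == public and s.proto == proto and s.start <= at <= s.end:
            return s.internal
    return None
```

With the sample records, port 40001 resolves to 10.1.2.33 at 09:03 but to 10.1.2.88 at 09:10, and to nothing in the gap between the two sessions, which is why a timestamp without a precise clock source is weak evidence.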
Behavior Control
• The Eudemon logs virus and attack events and attempts to visit prohibited Web sites or use prohibited applications such as P2P. The eLog system can collect the logs, alert the administrators, and provide reports.
• The bypass probe device can analyze the mirrored traffic and log the operations performed on databases, operating systems, or other resources through FTP, Telnet, and HTTP. The eLog system collects the logs and can intuitively display the statistics.
[Figure: behavior control deployment. Enterprise traffic passes a Eudemon firewall and a bypass probe, both of which send logs to the Secoway eLog system. Monitored behaviors: IM software such as MSN and Yahoo; file sharing such as email and FTP; P2P software used to watch films, surf online, play games, or visit entertainment sites; FTP, Telnet, and HTTP access; virus intrusion and spreading; external intrusion attacks; database access over FTP/Telnet.]
Global Log Management
• Through customization-based development, the logs of all devices, databases, servers, and hosts are analyzed and managed for data protection.
• Logs are audited based on the preset security policies and alarm policies.
• Legal compliance requirements such as Ministry of Public Security Decree No. 82 and SOX are met.
[Figure: global log management deployment. Log sources in the enterprise (Web server, OS, BRAS, DPI, database, IDS and IPS, switch, VPN, router, firewall and UTM) and at the external network boundary send logs to the Secoway eLog system. Problems addressed: lack of a unified log management center; little knowledge of attack defense status; difficulty in assessing the effects of security devices; massive logs are not analyzed; high-speed, massive flow logs cannot be managed; limited types of reports.]
Feature / Function / Description
Feature: Log management
  Log collection: The Secoway eLog system can collect logs in a complex network environment such as dual-system hot backup of the Eudemon firewalls. It collects the logs of various devices in syslog, SNMP trap, OPSEC, FTP/SFTP, WMI, and JDBC modes without using any agents.
  Log categorization and storage: The Secoway eLog system:
    • Categorizes logs by content. Logs can also be divided into online logs, dump logs, and backup logs by storage time.
    • Encrypts and performs integrity checks on log files.
  Log search: The Secoway eLog system:
    • Provides device-specific search conditions and displays the results.
    • Supports background search. Search conditions can be saved in a template for future use.
    • Exports search results into .txt, .csv, or .xls files to facilitate distribution and offline viewing.
Feature: Audit event management
  Policy association: The Secoway eLog system supports user-defined audit policies and alarm methods.
  Session association: The Secoway eLog system associates user operations. Specifically, it associates the operations performed between the login and logout of a user as a session.
Feature: Log audit
  Regulatory compliance report: The Secoway eLog system provides diversified reports on user access, user logins and logouts, login failures, administrative operations, password change and expiration, audit policy change, and directory access.
Feature: Behavior log analysis
  Log search and analysis: The Secoway eLog system can search for logs by protocol, time range, source IP address segment, destination IP address segment, user name, operation type, operation object, or keyword, and generates search reports.
Feature: Firewall log analysis
  Log analysis: Firewall logs can be searched by time range, log level, log type, or keyword. The Secoway eLog system provides refined search for various logs such as NAT logs.
  Traffic report: The Secoway eLog system can generate reports on the following traffic:
    • Live traffic
    • Basic traffic
    • Application-specific traffic
    • Interface-specific traffic
    • P2P traffic
    • P2P CLASS traffic
    • P2P user traffic rankings
  Log report: The Secoway eLog system can generate the following log reports:
    • Log trend
    • Attack defense
    • Packet filtering ACL triggering rule rankings
    • Packet filtering protocol rankings
    • Content filtering destination IP address rankings
    • Content filtering source IP address rankings
Feature: Firewall UTM analysis
  IPS: The Secoway eLog system can generate the following IPS reports:
    • Attack behavior rankings
    • Attack event rankings
    • Attack event trends and attack event rankings
    You can search for intrusion prevention details by device, time, alarm level, protocol, operation, source IP address, or keyword.
  Mail filtering: The Secoway eLog system can generate the following mail filtering reports:
    • Rankings of source IP addresses that send the most emails
    • Email quantity trends
    You can search for email audit logs by device, time, filtering type, email protocol, destination IP address, source IP address, or keyword.
  IM monitoring: The Secoway eLog system can generate reports and logs on the use of IM software.
  AV: The Secoway eLog system can generate the following AV reports:
    • Ranking of the most frequently detected viruses
    • Ranking of the most infected file types
    • Anti-virus breakdowns
    • Reports showing users who have sent files infected with viruses
    • Reports showing virus distribution periods
  URL filtering: The Secoway eLog system can generate the following URL filtering reports:
    • Rankings of the source IP addresses that send the most Web site requests
    • Rankings of the most frequently visited sites
    • Rankings of the most frequently visited Web URLs
    • Web visit quantity trends
Feature: SIG log analysis
  Real-time monitoring of resource usage: You can monitor the current CPU, memory, and disk space usage of the SIG back-end servers.
  SIG log analysis: You can view the logs of SIG resource usage and the following reports on the SIG back-end server:
    • CPU usage reports
    • Memory usage reports
    • Disk usage reports
Feature: Alarm management
  Alarm responding and monitoring: The Secoway eLog system can alert administrators by email, text message (a GSM modem is required), sound and light (an alarm box is required), sound (an audible box is required), or related programs. You can use the console to monitor current alarms by device, alarm level, or alarm type.
  Alarm search: You can search for alarms by device, time range, alarm level, alarm type, or keyword. The search results are available in .txt, .csv, or .xls files.
  Alarm report: You can view the following alarm analysis reports:
    • Alarm quantity trend analysis
    • Device alarm quantity rankings
Feature: System management
  Device management: The Secoway eLog system manages up to 1000 devices and supports device import and export in batches.
  User right management: The Secoway eLog system defines three roles, namely, administrator, operator, and auditor. Administrators can define operators and allocate them the rights to manage different devices.
  Syslog: The Secoway eLog system automatically records device failures and major status changes, so that the administrator can learn about the operating status of each device.
  System information monitoring: The administrator can:
    • View the license status.
    • View current information on the key resources (CPU, memory, disk space, and current log amount).
    • Monitor all user sessions and log users off.
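The session association function listed under Audit event management (grouping the operations between a user's login and logout into one session) together with the high-risk operation monitoring described earlier, as an added example that is not Secoway eLog code. The audit log line format, the sample records, and the high-risk event list are constructed for this example.

```python
# Added example (not Secoway eLog code): associate the operations between a
# user's login and logout into one session, then flag high-risk operations.
# The audit log format and the risk policy are constructed for this example.
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample audit log: "timestamp user event [object]"
SAMPLE_AUDIT_LOG = """\
2011-08-05T10:00:00 alice login
2011-08-05T10:01:10 alice select orders
2011-08-05T10:02:00 bob login
2011-08-05T10:03:30 alice delete orders
2011-08-05T10:04:00 alice logout
2011-08-05T10:05:00 bob update accounts
2011-08-05T10:06:00 bob login
2011-08-05T10:07:00 carol drop users
"""
HIGH_RISK_EVENTS = {"delete", "drop"}  # constructed policy for this example

def new_session(start=None):
    return {"start": start, "end": None, "ops": []}

def associate_sessions(text: str) -> Dict[str, List[dict]]:
    """Group each user's operations into sessions bounded by login/logout.
    Edge cases: a login while a session is still open closes the old one with
    end=None; operations seen with no login at all land in a session whose start
    is None, so nothing is silently dropped from the audit trail."""
    closed = defaultdict(list)
    open_sessions = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, *obj = line.split()
        if event == "login":
            if user in open_sessions:
                closed[user].append(open_sessions.pop(user))
            open_sessions[user] = new_session(ts)
        elif event == "logout":
            s = open_sessions.pop(user, new_session())
            s["end"] = ts
            closed[user].append(s)
        else:
            s = open_sessions.setdefault(user, new_session())
            s["ops"].append((ts, event, " ".join(obj)))
    for user, s in open_sessions.items():  # users that never logged out
        closed[user].append(s)
    return dict(closed)

def flag_high_risk(sessions: Dict[str, List[dict]]) -> List[Tuple[str, str, str, str]]:
    """List (user, timestamp, event, object) for operations matching the policy."""
    return [(user, ts, ev, obj) for user, ss in sessions.items()
            for s in ss for ts, ev, obj in s["ops"] if ev in HIGH_RISK_EVENTS]
```

In the sample, bob's second login without a logout and carol's operation without any login are kept as incomplete sessions rather than discarded, since those gaps are themselves worth an auditor's attention.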
Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.
General Disclaimer
The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
HUAWEI TECHNOLOGIES CO., LTD.
Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, P.R. China
Tel: +86-755-28780808
Version No.: M3-110019999-20110805-C-1.0
www.huawei.com