Re: SIM Solutions testing environement. Eg. Netforensics

[Gleb Paharenko <gpaharenko () gmail com>]

Hi, all.

Aditya has very good and systematic approach.
My addition is make sure that you have checked
backup/archiving/restoring logs and carefully planned
storage/capacity/log retention policies.
Also take Netforensics with Oracle Enterprise license (partitions
feature is a must for SIMs).

In case you're going to audit Database events, also worth to check
that, as usually for SIMs this is a pain due performance penalties and
other restrictions in databases.

2009/10/15 aditya mukadam <aditya.mukadam () gmail com>:
> Hello,
>
> As I understand, you would want to simulate the life cycle for SIM
> integration, configuration and day to day tasks. You will have to look
> at below to start with :
>
> Integration Phase:
> 1) Identify the devices which you want to integrate with SIM.
>                          Action Item: Note the number of devices.
> Also check if you have enough license for those many devices.
> 2) Make sure these identified devices have Netforensics Agent (collector).
>                         Action Item: Check with SIM vendor about the
> available Agentscollector).
> 3) Netforensics components like Agent,Engine,Master etc works on specific ports.
>                         Action Item: Identify if you need to open
> these protocols/ports on the Networking devices like Firewalls etc for
> SIM to function correctly.
> 4) SIM Vendors  would  have recommendations on sysloging level to be
> configured on the devices.
>                         Action Item:  Syslog configurations on the
> identified devices have set correctly as per recommendations by SIM
> vendor.
> 5) Please make sure you understand the functionality of each SIM
> components and you plan the architecture of these components
> accordingly.
>
> Configuration Phase:
> 1) Identify the type of attacks you expect to identify or are compliant with.
>                       Action Item: Please visit the built in attack
> rules.Configure additional co-relation rules if needed.
> 2) You need to make sure that you have configured the alerting mechanism
>                        Action Item:  Configure/test the alerting machanism.
> 3) Make sure your components will be able to handle the expected load.
>
> Day to Day Phase:-)
> 1) You will need to perform fine tuning of your SIM environment based
> on the real time traffic trends etc
>                        Action Item: This is IMP. You will need to
> tweak certain rules, syslogging level based on your requirements.
> 2) Monitoring the devices which donot report to SIM Agent/Collector
>                        Action Item:  I dont think Netforensics has
> alerting mechanism to inform when a device has stopped reporting to
> the SIM environment. You will need to have some manual process to
> cover this part.
> 3) Monitor the corelation event generation
>                        Action Item:   If you feel you are not
> receiving certain alerts you expect to, you will need to modify the
> Co-relation rules.
> 4) Regular Updating/patching of the signatures released by SIM Vendor
>                       Action Item: SIM Vendors keep on releasing
> patches/signatures . You would need to make sure you have a process
> for updatiing this.
> 5) Make sure you have the support when in problem
>                       Action Item: Call the SIM vendor support couple
> of times with issues to get the confidence and understand what they
> need to open up support cases. Thsi will save time when you have
> critical issue.
>
> Hope this helps. Let me know if any questions.
>
> Thanks,
> Aditya Govind Mukadam
> http://www.linkedin.com/in/adityamukadam
>
>
>
>
> On Sat, Oct 10, 2009 at 10:56 AM, Mohamed Aymen SAHLI
> <sahli.aymen () gmail com> wrote:
> > Hi all,
> > In the context of acquisition of a SIM solution, netforensics, i will
> > have to put in place a testing realistic environment where i will be
> > simulating the life cycle of the SIM integration, configuration and
> > day to day inherited tasks.
> > i will be simulating attacks along with daily network and system
> > activity in order to generate feeds to the SIM.
> > My question is , where to start to put in place such a environment ?
> > is there examples ?
> > PS: i will be using virtualisation for sure as i don't really have the
> > hardware for a physical testing network.
> > All suggestions would be greatly appreciated.
> > Best regards.
> >
> > ------------------------------------------------------------------------
> > Securing Apache Web Server with thawte Digital Certificate
> > In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> > how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> > purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> > set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> > certificates.
> >
> > http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> > ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------



-- 
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
http://www.linkedin.com/in/gpaharenko
+380503116172

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------