Blanco’s Security Alert Sources

Blanco Wireless has several sources for security alerts, including NIDS, syslog, application logs, database logs, host antivirus logs, host NIDS logs, router and firewall logs, and NetFlow (see Figure 6-15).

NIDS

Blanco Wireless has NIDS installed, and is inspecting the backbone uplinks on the data center gateway routers (connections 1, 2, 3, and 4). Analysis of the network traffic shows an average of 12 Mbps with spikes of up to 60 Mbps. Blanco will install a single Cisco IPS 4255 sensor with four interfaces running IPS software version 6.0. The routers are configured to provide a copy of each interface’s bidirectional traffic. This setup provides a view of ingress/egress data center traffic, but does not capture intra-data center traffic, as is desired.

Blanco’s security team uses the address information gathered in its IP Address Management (IPAM) software to define network locale variables for tuning the sensors (note that the “slash notation” from IPAM is expanded into address ranges, which is how the sensor represents subnets):

variables DESKTOP_NETWORKS 10.10.32.0-10.10.63.255
variables WINDOWS_SERVERS 10.10.0.0-10.10.0.127
variables ORACLE_SERVERS 10.10.0.128-10.10.0.255
variables VMWARE_SERVERS 10.10.1.0-10.10.1.63
variables WEBAPP_SERVERS 10.10.1.64-10.10.1.127
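The translation from IPAM slash notation to the sensor's range syntax is mechanical, and doing it by hand is where typos creep in. The following added example (not from the book or from Blanco's configuration) derives the five variable lines above from CIDR subnets; the CIDRs are an assumption reconstructed from the ranges on the page, and the overlap check is added because a host that falls in two locale variables would be tuned under both.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed IPAM export (assumption): the subnets that expand to the
# ranges used in the sensor variables shown on the page.
IPAM_SUBNETS: Dict[str, str] = {
    "DESKTOP_NETWORKS": "10.10.32.0/19",
    "WINDOWS_SERVERS": "10.10.0.0/25",
    "ORACLE_SERVERS": "10.10.0.128/25",
    "VMWARE_SERVERS": "10.10.1.0/26",
    "WEBAPP_SERVERS": "10.10.1.64/26",
}


def cidr_to_range(cidr: str) -> Tuple[str, str]:
    """Return the (first, last) address of a subnet; strict=True rejects
    a CIDR whose host bits are set, which usually means a typo in IPAM."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net[0]), str(net[-1])


def find_overlaps(subnets: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return name pairs whose subnets overlap. An address inside two
    locale variables matches the tuning for both, so this should be empty."""
    nets = {name: ipaddress.ip_network(c) for name, c in subnets.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def render_variables(subnets: Dict[str, str]) -> List[str]:
    """Emit one 'variables NAME first-last' line per subnet, in the
    syntax shown on the page, refusing overlapping definitions."""
    overlaps = find_overlaps(subnets)
    if overlaps:
        raise ValueError(f"overlapping locale variables: {overlaps}")
    lines = []
    for name, cidr in subnets.items():
        first, last = cidr_to_range(cidr)
        lines.append(f"variables {name} {first}-{last}")
    return lines


if __name__ == "__main__":
    print("\n".join(render_variables(IPAM_SUBNETS)))
```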

Figure 6-15. Blanco Wireless’s security alert sources

Because Blanco handles sensitive ...
