
Management and Analytics Security Management

NSE 1: Management and Analytics


Study Guide

NSE 1: Management and Analytics Study Guide


Last Updated: 8 April 2016

Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc. in the U.S. and other
jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of
Fortinet. All other product or company names may be trademarks of their respective owners. Copyright
2002 - 2016 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet
without prior notice. No part of this publication may be reproduced in any form or by any means or
used to make any derivative such as translation, transformation, or adaptation without permission from
Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.

Table of Contents
MANAGEMENT AND ANALYTICS ........ 4
  Security Management ........ 4
    Managing the Security Console ........ 6
  Policy and Security ........ 7
  Analytics ........ 9
    Security Information and Event Management ........ 9
    Network Visibility ........ 10
  Summary ........ 11
KEY ACRONYMS ........ 12
REFERENCES ........ 13


Management and Analytics


Additional NSE1 lessons provide insight into how hardware and software work to protect systems and
networks from legacy, modern, and emerging threats. This continued technology evolution allows users to
conduct business, participate in commerce, maintain communications across the globe, and manage
personal affairs with minimal interruption or threat of critical information vulnerability and loss. This
module discusses how effective management, through the use of analytic tools, allows system and
network administrators to optimize the secure environment users have come to expect and upon which
businesses and global commerce rely.

Security Management
Simply stated, security management exists at the region where the
scope of IT security and IT operations meet.
As organizational structures grow in size and complexity, the tendency is for more network resources
(machines, servers, routers, etc.) to be deployed. As the network grows, so also does the scope of
potential threats to the secure and efficient operation of the network in meeting organizational goals. With
the global nature of modern business and e-commerce, the sheer number of branch and remote
locations, and of managed devices, makes consolidated network security management essential for
effective IT administration. To this end, the primary goal of security management is to reduce security
risks by ensuring that systems are properly configured, or hardened, to meet internal, regulatory, and/or
compliance standards. Security management is a software-based solution that integrates three primary
elements:
Vulnerability Assessment. Network security analysis designed to identify critical IT security weaknesses
that a cyber-attacker could exploit.
Automated Remediation. Allows automated correction of faults or deficiencies (vulnerabilities)
identified in the assessment process. Provides reports and tools to track vulnerabilities that must be
remediated manually.
Configuration Management. Evaluates the security of a network's critical servers, operating systems,
application-level security issues, and administrative and technical controls, and identifies potential and
actual weaknesses, with recommended countermeasures.
IT managers are faced with challenges that range from simple codes to threats hidden in secure packets
designed to target cloud-based applications. Modern and emerging future threats present dynamic and
potentially complex challenges to network security, demanding comprehensive, complex security
solutions. Unfortunately, studies have shown that the more complex administrative functions become,
the less likely it is that network administrators will devote the requisite attention to the various
apparatus and displays. For this reason, consolidated security management, a single console
enabling monitoring and management of network security, was developed. Through this integrated
monitoring and control solution, IT managers may address the following issues:
Device Configuration. Manages the configuration of each device on the network and maintains the
system-level configuration required to manage the network environment. This includes monitoring
device firmware to ensure it is kept up to date.
Firewall Policy. Provides viewing and modification of firewall configurations (access rules and
inspection rules) in the context of the interfaces whose traffic is filtered.



Content Security Policy. A computer security technique to prevent cross-site scripting (XSS) and related
application-level attacks. It provides a standard HTTP header that allows website administrators to
specify the approved sources of content that browsers may load on designated pages. Covered types
include JavaScript, CSS, HTML frames, fonts, images, and embeddable objects such as Java applets,
ActiveX, audio, and video files.
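The following is an added example, not part of the study guide: a small Python evaluator for the Content Security Policy header described above, showing how a browser decides whether a given resource may load. It handles only a subset of CSP source expressions ('self', 'none', scheme sources such as https:, and host sources with an optional *. wildcard) plus the fallback of fetch directives to default-src; the policy string and URLs are constructed for illustration.

```python
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when they are not set.
FALLBACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "font-src",
                       "frame-src", "object-src", "media-src", "connect-src"}


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}.
    As in browsers, a directive that appears twice keeps its first value."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def _source_matches(source, page_url, resource_url):
    """Does one source expression permit loading resource_url from page_url?"""
    page, res = urlparse(page_url), urlparse(resource_url)
    if source == "'none'":
        return False
    if source == "'self'":                            # same scheme, host and port
        return (page.scheme, page.netloc) == (res.scheme, res.netloc)
    if source.endswith(":") and "/" not in source:    # scheme source, e.g. https:
        return res.scheme == source[:-1]
    # Host source, optionally with a scheme and a leading *. wildcard.
    src = urlparse(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != res.scheme:
        return False
    default_port = 443 if res.scheme == "https" else 80
    if src.port is not None and src.port != (res.port or default_port):
        return False
    host = src.hostname or ""
    if host.startswith("*."):
        return (res.hostname or "").endswith(host[1:])
    return res.hostname == host


def is_load_allowed(header, page_url, directive, resource_url):
    """Apply the policy: use the directive, fall back to default-src, and
    treat a directive with no applicable entry as unrestricted."""
    policy = parse_csp(header)
    sources = policy.get(directive)
    if sources is None and directive in FALLBACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True
    return any(_source_matches(s, page_url, resource_url) for s in sources)


# Constructed example policy: scripts only from the site itself and one CDN,
# images from any HTTPS origin, no plugins, everything else same-origin.
EXAMPLE_POLICY = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
                  "img-src https:; object-src 'none'")
```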
A conceptual diagram of security management is illustrated in Figure 1 below:

Figure 1. Security Management (SM) conceptual diagram (components shown: SM Analyst, SM Console, SM Database, SM Monitored Devices)


The primary goal of security processes is to provide high availability for the network, implying redundancy
and fault tolerance managed by the network security solution. In small and medium business (SMB)
networks and many large and distributed enterprise networks, network security may be provided by a
managed security service provider (MSSP) for a number of reasons. To facilitate effective network
security management, MSSPs and network administrators must have access to essential features that
enable them to provide protection to the network as a whole and the data contained therein. Three
principles drive these essential features: segmentation, scalability, and high performance.
Segmentation. Multi-tenancy is an architecture in which a single instance of a software application
serves multiple customers, each customer being referred to as a tenant. The key purpose of multi-tenancy
is segmenting customers in a managed service provider environment to efficiently provide
security services. Tenants have limited capabilities within the application, such as choosing interface
colors or business rules, but have no access to application code. Administrative domains (ADOMs) are
virtual domains used to isolate devices and user accounts. This gives regular user accounts visibility
only into those devices and data that are specific to their ADOM, such as a geographic location or
business division.
Scalability. Virtual firewall positioning & deployment. Very few organizations use 100% physical or
100% virtual IT infrastructure, necessitating deployment of interoperable hardware and virtual
appliances in security strategies. For both of these deployment options, control through a centralized
panel provides ease of operation to security administrators while enabling the use of complex
measures to counter modern and emerging complex threats. Virtual domains (VDOMs) offer
virtualized security scaling from SMB to large and distributed enterprise networks by rapid deployment
within existing infrastructures. [1]
High Performance. Because security management spans the scope from home networks to SMB to
large and distributed enterprise networks, it must be customizable to meet the needs of each level of
operation. For example, the Application Program Interface (API) specifies how software components
should interact and is used when programming the graphical user interface (GUI), allowing visibility of
the customized network functions. Automation is especially important for large and distributed enterprise
networks, providing an automated workflow that enables users to approve, deny, defer, or even execute
remediation of configuration errors, potentially saving considerable time and effort.

Managing the Security Console


Network security management includes both hardware and software appliances and virtual machine (VM)
capabilities. They may be deployed as physical network security appliances, virtual appliances, or
software packages. Flexible interfacing allows IT administrators to address the management system via a
command line interface, web-based graphical user interface, or programmatically using JSON/XML
requests (scripting, customization, etc.). This provides network security flexibility for a wide range of
network sizes, from home networks and SMB up to large and distributed enterprise networks that are
geographically separated.
The most important function commonly associated with a security management solution is maintaining
firewall policies across a distributed enterprise. In large and distributed enterprise environments, security
management and reporting/compliance functions are usually separated, with local personnel managing
local nodes and a central site having visibility over configuration compliance, generally from the data
center at the corporate headquarters or designated IT management division.
Given the wide range of network security device deployment options, network security consoles are
typically licensed based on the number of devices they will be managing. This provides tailored, flexible
security options appropriate to organization requirements [1]. These security consoles are enabled by use
of the simple network management protocol (SNMP), which gives administrators the capability to monitor
and, when necessary, configure hosts on a network. This centralized ability to configure network devices is
referred to as device management, and is a critical capability in allowing IT administrators to manage
(monitor and configure) distributed enterprise networks.

Figure 2. Example Integrated security control console


Administrative Domains (ADOMs) provide the capability to better organize the network environment. A
domain is the equivalent of an organizational unit. The purposes of using ADOMs are:

Limiting administrative scope to specific devices

Segmenting tenants in a managed service provider environment


Policy and Security


Policy packages enable the specific needs of an organization's different sites to be addressed by creating a
tailored policy package for each site. Policy packages provide flexibility to administrators, because they
may be applied to individual or multiple devices. The advantage of using a policy package is that it
simplifies the installation of a set of firewall rules for sites [1].
Object libraries contain objects that can be used among multiple policy packages. This simplifies
the job of the administrator, as an object only needs to be created once but can be used multiple times
for multiple devices.

Figure 3. Policy Package example.


Global policy packages become increasingly important as network complexity, size, or distributed
configuration grow. Because large and distributed enterprise networks may delegate remote security
management to local administrators, it is important for central network administrators to retain overall
visibility and control of the entire network. To this end, global policies allow administrators of
large enterprises and MSPs to bookend segmented/tenant firewall rules in order to ensure compliance
with overall network policies and operating regulations [1].

Figure 4. Global Policy Bookend flow.



Firewall rules (also called firewall policies) are a major challenge for network security administrators,
making it important for companies and organizations, especially those with distributed enterprise
operations, to have and implement a firewall policy management solution. Depending on the size of the
operation and network, this function may be performed by the network security administrator or, in a
large enough enterprise, by a dedicated firewall administrator. With the fast-paced and rapidly evolving
dynamics of technology and its use, the threat of security gaps being created by a disjointed firewall
policy program is as real as the threat from external sources.
To assist the network security administrator or firewall administrator in developing, implementing, and
monitoring firewall policy requirements and effectiveness, regular and systematic reviews of firewall
policies should be put in place. These reviews provide important benefits, mitigating challenges such as:

Mistakenly adding duplicate, similar, or overriding firewall policies

Missing the impact of corporate policy changes that may affect particular rules

Creation of policies that are too specific at the time of implementation and may need to be
broadened to be effective

Determining what/when policies should be implemented by a policy push, that is, applying the
new policies to individual security devices
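As an added example (not from the study guide or any Fortinet product), the Python reviewer below takes a simplified top-down rule set and flags the first problem in the list above: exact duplicate rules, rules made redundant by an earlier broader rule with the same action, and rules fully shadowed by an earlier rule with the opposite action, which can never match. The Rule class, its src/dst/service/action fields and the sample rules are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    """Simplified firewall policy entry (constructed for this example)."""
    name: str
    src: str       # IPv4 CIDR; 0.0.0.0/0 means any
    dst: str
    service: str   # "tcp/443", "udp/53", ... or "any"
    action: str    # "accept" or "deny"

    def covers(self, other):
        """True if every packet `other` would match is also matched by self."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.service in ("any", other.service))

    def same_match(self, other):
        """True if both rules match exactly the same traffic."""
        return (self.src, self.dst, self.service) == (other.src, other.dst, other.service)


def review_policy(rules):
    """Walk the rule set top-down, as a firewall evaluates it, and report each
    rule that an earlier rule already decides. Returns (rule_name, finding)."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if not earlier.covers(rule):
                continue
            if earlier.action != rule.action:
                finding = f"shadowed by {earlier.name}: never matches"
            elif earlier.same_match(rule):
                finding = f"duplicate of {earlier.name}"
            else:
                finding = f"redundant with {earlier.name}"
            findings.append((rule.name, finding))
            break                      # report only the first rule that hides it
    return findings


# Constructed sample policy package for a branch site, evaluated top to bottom.
SAMPLE_RULES = [
    Rule("allow-web", "10.0.0.0/8", "0.0.0.0/0", "tcp/443", "accept"),
    Rule("allow-web-branch", "10.20.0.0/16", "0.0.0.0/0", "tcp/443", "accept"),
    Rule("block-dns-guest", "192.168.50.0/24", "0.0.0.0/0", "udp/53", "deny"),
    Rule("allow-dns-guest", "192.168.50.0/24", "203.0.113.53/32", "udp/53", "accept"),
    Rule("allow-web-copy", "10.0.0.0/8", "0.0.0.0/0", "tcp/443", "accept"),
]

if __name__ == "__main__":
    for name, finding in review_policy(SAMPLE_RULES):
        print(f"{name}: {finding}")
```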

In order to facilitate inputs to the firewall policy development and review process, a firewall policy
workflow process should be established by which policy change recommendations are submitted,
approved, and implemented by IT staff, and then the document retained for archival purposes for later
analytic review. As these processes become institutionalized, the end result becomes not only more
effective firewall rules management, but efficiency that leads to rules reduction, or a decrease in firewall
rules via periodic reviews or automation.
Security Change Management is the industry term for the product or feature that seeks to reduce or
optimize the number of firewall rules. It provides IT staff and network auditors with a clear picture of how
changes were implemented. As more complex firewalls incorporate more features, such as the Next
Generation Firewall (NGFW), simplification of the user interfaces that represent complex security
processes increases the likelihood that comprehensive security measures will be engaged, monitored,
and updated as necessary to keep up with emerging threats. This process also minimizes the number
of times that temporary firewall rule changes, used to test new options, software, or hardware, are
forgotten and left to clutter up the configuration.
Auditing has important advantages in the security management environment. Because auditing is a
mechanism that records actions that occur on a system, the associated audit log(s) contain information
detailing the events (such as login, logout, file access, upload, download, etc.), who performed the action,
when it was attempted, and whether the action was successful. Some important events that should be
logged include:

Login/Logoff (including failed attempts)

Supervisor/administrator login and function

Network connections (including failed attempts)

Sensitive file access (including failed attempts)

In the context of security management, auditing provides the following advantages:

Ensures that the organization maintains compliance with programs such as HIPAA and PCI DSS

Helps track workflows/approvals for firewall policy changes

Associates security event logs with an individual owner for forensics


Analytics
Analytic reporting is designed to provide end-to-end analysis of system and network performance. In the
context of security management, this analysis includes factors concerning potential impacts on
performance due to attempted or successful attacks, actions taken by preventative policies and apparatus
that detected and prevented intrusion, forensic records of user data for system and network functions,
and so forth.
Of course, unless analytics are applied to future decisions, they cease to serve a vital function for
administrators. The most important function of analytics is to ensure security effectiveness and
improvement while enabling optimum system and network performance.
Reporting is designed to be a cyclical process, not a linear one; that is, the data analyzed is used to inform
decisions regarding whether policies, programming, or apparatus need to be updated or may remain as
currently constituted. If updates are necessary, analytics inform decision-makers, such as corporate
compliance groups, in determining which updates or reconfigurations are the right ones to carry out.

Security Information and Event Management


Security Information and Event Management (SIEM) [1] is a system that gathers security logs from multiple
sources and correlates logged events so that analysts can focus on events of importance. The SIEM
ecosystem is designed to address the unique requirements of a wide range of customers, from large
enterprises to managed security service providers (MSSPs) that manage thousands of individual customer
environments.
Key features include real-time visibility for threat detection and prioritization, and delivering visibility
across the entire IT infrastructure. It reduces and prioritizes alerts to focus investigations on an actionable
list of suspected incidents, enabling more effective threat management while producing detailed data
access and user activity reports.
SIEM operates on the basis of those logs the administrator has authorized to be forwarded from the
devices to the SIEM. These logs may be tuned further by setting a minimum severity level for log
forwarding. The severity levels, in order from least to most severe, are:
1) Debugging
2) Information
3) Notification
4) Warning
5) Error
6) Critical
7) Alert
8) Emergency

SIEM provides three primary functions for network security:


Event logging. How systems and applications record and save data that shows what events happened
at what time and place, with what results, on the system, in the network, or in an application.
Event correlation. Comparing logged events and grouping like events together to identify significant
instances of repeated or associated events.
Incident alerting. Provides alerts for security incidents on the network [1].
Perhaps the most critical function upon which the SIEM concept depends is logging, because it forms
the basis for making decisions regarding system and network functions and potential anomalies.
Logging is how systems and applications record and save data that shows what events happened at
what time and place with what results on the system, in the network, or in an application. Logging is
one of the forensic tools that may be used to analyze successful attacks, malware infections, or
attempted network intrusions. This capability, although it becomes more complex as networks grow and
become geographically distributed, is important to networks of all sizes against modern and future
network threats.
In the 1980s, Syslog was developed as part of the Sendmail project, but proved so valuable a tool that it
began being used by other applications as well. In today's IT world, Syslog is still the de facto industry
standard for security event logging. In fact, Syslog has become so entrenched as the standard that
operating systems such as Windows and UNIX, as well as regulations such as SOX, PCI DSS, and
HIPAA, either use the Syslog format or have embedded capability for conversion to Syslog [2].
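As an added example (not from the study guide), the Python pipeline below ties together the severity list above, the three SIEM functions (logging, correlation, alerting) and the Syslog format from reference [2]: it decodes the RFC 5424 PRI field (facility * 8 + severity, where 0 is Emergency and 7 is Debugging, the reverse of the list order above), drops messages below a chosen minimum forwarding severity, and correlates repeated failed logins from one source address into a single alert. The log lines, message wording, host names and addresses are constructed sample data, not output of any real device.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog numeric severities (RFC 5424): 0 is most severe, 7 least. These are
# the same eight levels listed above, in the opposite order.
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notification", "Information", "Debugging"]
SEVERITY_CODE = {name: code for code, name in enumerate(SEVERITY_NAMES)}

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ "
    r"(?:-|\[[^\]]*\]) (?P<msg>.*)$")
# Message wording used by the constructed sample log below (hypothetical).
_FAILED = re.compile(r"login failed .*?user=(?P<user>\S+) .*?src=(?P<src>\S+)")


def parse_syslog(line):
    """Decode one RFC 5424 line into facility, severity name and fields."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not an RFC 5424 message: {line!r}")
    pri = int(m["pri"])                        # PRI = facility * 8 + severity
    return {"facility": pri // 8, "severity": SEVERITY_NAMES[pri % 8],
            "time": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "host": m["host"], "app": m["app"], "msg": m["msg"]}


def forwardable(events, minimum="Notification"):
    """Keep events at or above the minimum severity (lower code = more severe)."""
    threshold = SEVERITY_CODE[minimum]
    return [e for e in events if SEVERITY_CODE[e["severity"]] <= threshold]


def correlate_failed_logins(events, threshold=3, window=timedelta(minutes=5)):
    """One alert per source address that produced `threshold` failed logins
    inside `window`: returns (src, users, first_seen, last_seen) tuples."""
    by_src = defaultdict(list)
    for e in events:
        m = _FAILED.search(e["msg"])
        if m:
            by_src[m["src"]].append((e["time"], m["user"]))
    alerts = []
    for src, hits in sorted(by_src.items()):
        hits.sort()
        for i in range(len(hits) - threshold + 1):
            first, last = hits[i][0], hits[i + threshold - 1][0]
            if last - first <= window:
                users = sorted({u for _, u in hits[i:i + threshold]})
                alerts.append((src, users, first, last))
                break                          # first matching window is enough
    return alerts


# Constructed sample log. PRI 36 = auth(4)*8 + Warning(4); 38 = Information;
# 39 = Debugging; 2 = kern(0)*8 + Critical(2).
SAMPLE_LOG = """\
<36>1 2016-04-08T10:00:01Z fw-branch1 sshd 1201 - - login failed user=admin src=203.0.113.7
<36>1 2016-04-08T10:00:09Z fw-branch1 sshd 1201 - - login failed user=root src=203.0.113.7
<36>1 2016-04-08T10:01:30Z fw-branch1 sshd 1201 - - login failed user=admin src=203.0.113.7
<36>1 2016-04-08T10:02:00Z fw-branch1 sshd 1201 - - login failed user=admin src=198.51.100.5
<38>1 2016-04-08T10:02:05Z fw-branch1 sshd 1201 - - login ok user=ops src=192.0.2.10
<39>1 2016-04-08T10:02:06Z fw-branch1 sshd 1201 - - keepalive probe src=192.0.2.10
<2>1 2016-04-08T10:03:00Z fw-branch1 kernel - - - conserve mode entered: memory low
""".strip().splitlines()


def run_pipeline(lines=SAMPLE_LOG, minimum="Notification"):
    """Parse, filter by severity, then correlate; returns (events, alerts)."""
    events = forwardable([parse_syslog(line) for line in lines], minimum)
    return events, correlate_failed_logins(events)


if __name__ == "__main__":
    kept, alerts = run_pipeline()
    print(f"{len(kept)} of {len(SAMPLE_LOG)} events forwarded")
    for src, users, first, last in alerts:
        print(f"ALERT repeated failed logins from {src} ({', '.join(users)}) {first}..{last}")
```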
Because logging is a necessity for networks of every size, resource balancing is an important
consideration. As with determining whether IaaS, PaaS, or SaaS is best suited for application services,
the most cost-effective logging/reporting method for SMB is typically cloud-based event logging. Similarly,
some organizations may opt for standalone logging/reporting solutions to more effectively manage logs
collected from multiple security devices.

Network Visibility
Network Visibility refers to the ability of administrators to know what type of traffic is crossing their
network, including Web, applications, email, etc. It allows optimization of bandwidth for business-critical
applications. Because modern and emerging threats are able to take advantage of different traffic types in
different ways, network visibility is a key capability in the administrator's arsenal, providing the opportunity
to achieve:

Network monitoring and faster troubleshooting

Application monitoring and profiling

Capacity planning and network trends

Detection of unauthorized WAN traffic

Figure 5. Network visibility benefits.


Network visibility is of the utmost importance to security administrators. This includes visibility of every
component of the network, including remote components geographically separated as part of a large
distributed enterprise network. In order to adequately monitor system and network security events, the
security administrator must have access to logging from across the entire infrastructure, including
firewalls, email gateways, endpoint devices, and other network components, both physical and virtual.
As with analytics reporting, network visibility must be treated as a cyclical process in order to be effective.
As illustrated in Figure 5, network visibility provides a wealth of information about many facets of network
operations. All of this data, however, is lost if not used to inform analyses that may improve further
network operations and security. For this reason, network visibility data should be used to inform
reporting on network operations and be used in developing future plans and policy.

Summary
Security management provides vulnerability assessment, automated remediation, and configuration
assessment in an environment providing complex protection with simplified administration. The goal of
security management is to reduce security risks through proper configuration and compliance.
Across all sizes and types of networks, security management provides customization and automation to
assist network security administrators: administrative domains to segment users, firewall and global
policy packages enabling reduction and optimization of rules, and auditing that provides oversight of
compliance, workflow, approvals, and forensic tracing.
Security Information and Event Management (SIEM) provides a wide range of administrator services in
managing logged events and analysis to correlate and determine the most appropriate security
measures, policy updates, and reactions to network incidents.
Network visibility provides administrators with the necessary end-to-end monitoring, troubleshooting,
profiling, and analysis tools to plan for and address modern and emerging threats to the network. Adept
management, using the right analytics to inform decisions and actions, is key to establishing and
maintaining an efficient and secure network environment.


Key Acronyms
ADOM  Administrative Domain
API  Application Programming Interface
APT  Advanced Persistent Threat
ATP  Advanced Threat Protection
AV/AM  Antivirus/Antimalware
FTP  File Transfer Protocol
FW  Firewall
GUI  Graphical User Interface
HTML  Hypertext Markup Language
HTTP  Hypertext Transfer Protocol
HTTPS  Hypertext Transfer Protocol Secure
IaaS  Infrastructure as a Service
IDS  Intrusion Detection System
IP  Internet Protocol
IPS  Intrusion Prevention System
IT  Information Technology
J2EE  Java Platform Enterprise Edition
LAN  Local Area Network
MSP  Managed Service Provider
MSSP  Managed Security Service Provider
NGFW  Next Generation Firewall
NSS  NSS Labs
PaaS  Platform as a Service
PC  Personal Computer
PCI DSS  Payment Card Industry Data Security Standard
PHP  PHP Hypertext Protocol
SaaS  Software as a Service
SDN  Software-Defined Network
SEG  Secure Email Gateway
SIEM  Security Information and Event Management
SLA  Service Level Agreement
SM  Security Management
SMB  Small & Medium Business
SNMP  Simple Network Management Protocol
SSL  Secure Socket Layer
SYN  Synchronization packet in TCP
Syslog  Standard acronym for Computer Message Logging
TCP  Transmission Control Protocol
TCP/IP  Transmission Control Protocol/Internet Protocol (Basic Internet Protocol)
TLS  Transport Layer Security
TLS/SSL  Transport Layer Security/Secure Socket Layer Authentication
UDP  User Datagram Protocol
UTM  Unified Threat Management
VDOM  Virtual Domain
VM  Virtual Machine
WAN  Wide Area Network
XSS  Cross-site Scripting


References
1. Tam, K., et al., UTM Security with Fortinet: Mastering FortiOS. 2013, Waltham, MA: Elsevier.
2. Gerhards, R., The Syslog Protocol. IETF RFC 5424, March 2009.
