In your management environment, you have a wide variety of applications designed to support the different management needs of your security system and the rest of your network. These tools often use the protocols discussed in the previous section. This section defines at a high level the functions of these tools.
Network Security Management Tools
The following two tool types are commonly used in different combinations for security management:
To configure the security capabilities of your devices, you need a good tool to minimize the chances of errors and to ensure consistent implementation of security functions across the network. Some of these tools manage the entire configuration on a device; others are focused only on the security-specific portions of it. Some are designed to manage a single device; others are designed to push configuration changes to hundreds of devices. The Cisco ACL Manager, for example, is focused only on managing ACL configurations on a large number of devices. These tools can take almost any form, but they broadly fall into two forms: command-line interface (CLI) and graphical user interface (GUI).
I am a CLI guy at heart, but I'll do my best to be as neutral as I can be in describing the tool choices. (I thought it best to divulge my leanings up front.)
Most devices have some form of CLI access by SSH, FTP, and so on. These interfaces are good from a security standpoint in that they are very flexible and can often be scripted by your own applications. The downside is the steep learning curve associated with such tools. Once this learning curve is overcome, though, and assuming the CLI was designed well (such as Cisco IOS), you will always know exactly how your system is configured.
GUI management is particularly attractive for novices and smaller organizations. Without a lot of training, an operator can get an application to do something useful. There is often some level of abstraction going on in GUI management tools. Although this is fine in most situations, for security it often means trusting the management application to do the right thing. The CLI, in contrast, often makes it more clear to an experienced operator exactly what is going on, and the operative word there is experienced. The complexity of a router configuration that is several hundred lines long is very high for a user without much training or hands-on experience working with the CLI.
As an example, the learning curve to manage a Microsoft Windows NT server is lower than for a comparable UNIX server. However, when things go bad on Windows NT, an operator might find it necessary to wade through the registry looking for obscure key values. On UNIX, although the curve is steeper to get started, there usually aren't several places where the configuration parameters of an application are stored. Even so, a well-designed GUI can be a great aid to an operator and should be the default preference for smaller networks and security staff with less experience or IT groups that must be part-time security professionals. GUIs are usually some form of web application, though many are native to a particular platform (usually Windows).
GUI management is also useful for larger organizations when making changes to large numbers of devices. Although this can also be scripted by the CLI, most commercial applications use GUI front ends for such tools. The important thing here is to be comfortable with the tools you are using and with the expertise of your staff.
A Note on Hybrid Device Management
Many devices can be managed by CLI or GUI. The Cisco PIX Firewall, for example, has a CLI and an embedded web server that both can be used to make configuration changes to the device. This can be a great benefit to a SECOPS team possessing varying skill levels and tool preferences. Just make sure that changes can be made by both tools without one taking precedence over the other. Some tools, for example, are database driven. Configuration changes are made to the database and then pushed to the device. If the device's configuration has changed recently (perhaps from someone's CLI changes), these changes might not be maintained when the database-driven GUI sends out its files. This might be unavoidable in large-scale deployments, but being able to use both CLI and GUI interchangeably is a desirable feature.
Security Monitoring Tools
Once the security devices are configured properly, the next major step in network security management is making sure the alarms generated by your devices are dealt with properly. A number of the best practices later in this chapter deal with this issue specifically. For smaller networks, a simple Syslog server such as the one included with UNIX implementations or Kiwi Syslog for Windows (http://www.kiwisyslog.com/) will work fine. The key feature you are looking for is the capability to filter messages based on a wide variety of criteria.
Systems such as NIDS or NetFlow often use their own proprietary log format, and the logs can't be viewed using only Syslog without a loss of detail in the data (if they can be viewed at all). Such systems can use a standalone management application or, preferably, an integrated application that aggregates standard messages such as Syslog with the proprietary log formats of other security devices.
Such products are in very active development and promise to simplify your management requirements. By having a single tool that aggregates Syslog, NIDS, HIDS, host operating system (OS) logs, antivirus, and so on, the critical alarms can boil to the top with the rest of the data used for historical reasons. The data management aspects of such a system are among the most daunting challenges of these tools. For moderate-size to large organizations, these systems might need to process thousands of messages each day. Although artificially intelligent (AI) functions have been promised for these tools to automate event correlation, it will likely be some time before this promise is fully delivered, either through AI or more simple thresholds.
Secure Network Management Tools
A wide range of other tools common in enterprise networks focus more on managing the network than managing security. Some of them include the following:
All of these function generally using the same core set of protocols discussed earlier. And all have security considerations around their deployment as detailed in the next section.