NetIQ Security Manager
Version: 3.3
by Geoff Marshall
FOR
Integrates, under a central management and reporting engine, a number of security measures that would otherwise require a number of separate products to fulfill.
AGAINST
Currently Windows NT/2000 centric with no native agents for other platforms yet.
VERDICT
Security Manager automates many of a security administrator's routine tasks, including responding to incidents, and makes compliance with security policy easy to achieve and to audit.

NetIQ's Security Manager is designed to provide real-time security monitoring, alerting and automated incident response for Windows-based networks. It also offers security policy enforcement, host-based intrusion detection, and a central point of management for all your security defenses.

Security Manager works by installing agents on monitored servers and workstations, while the primary management application runs on a central Windows NT/2000 server. All communication between agents and the management server is encrypted. It uses Microsoft SQL Server as its database engine, which is what allows it to scale to large numbers of agents.

Installation from the supplied CD-ROM uses the usual installation wizard. It is surprisingly quick to get Security Manager running and doing useful work, thanks to what NetIQ calls ActiveKnowledge Modules (AKMs). AKMs are predefined, out-of-the-box rule sets, ready to use for monitoring and managing specific applications and environments such as Microsoft Exchange Server, SQL Server, Internet Information Server and, of course, Windows NT/2000 Server itself. Some AKMs cover hardware monitoring, such as Compaq Insight Manager and Dell PowerEdge. There are 29 standard AKMs in all.

There are also specific plug-ins to integrate with the three most common anti-virus products: Network Associates McAfee VirusScan, Symantec Norton AntiVirus, and Trend Micro ScanMail/ServerProtect. Security Manager supports these anti-virus products whether they are installed on servers or on workstations.

You can define processing rules of the following types: event, missing event, filter, alert, performance sample and performance threshold. Automated responses to a rule match can include sending a notification (usually an email or pager call), executing a command or batch file, sending an SNMP trap, changing state variables, and launching a script. A simple example of what can be automated is forcing a user to log off, or rebooting or shutting down a computer, when certain conditions arise. Destructive responses of that kind are best reserved for rules with a very low false-positive rate: a rule that an attacker can trigger at will turns the automated response into a denial-of-service lever.

Security Manager is also a good platform for investigating security breaches, suspicious events and intrusion attempts. It detects logon violations across the enterprise to identify possible password-guessing attacks. Unauthorized services, such as RRAS (Routing and Remote Access Service), are detected. It detects and terminates known remote-control trojans, such as Back Orifice and NetBus. It can detect when a monitored host is listening on unauthorized TCP or UDP ports. And, of course, it monitors changes to important files, directories and registry keys.
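To make the rule types and detections described above concrete, here is a small added example in Python. It is not NetIQ's code or rule syntax; it is a miniature rule engine of the same shape, run over a constructed stream of agent events. The host names, event names, field names, port allow-list, thresholds and windows are all assumptions made for the example, and the sample events are fabricated for it.

```python
"""Miniature rule engine modelled on the review's rule types (added example,
not NetIQ code). Four rule types are implemented: event match (unauthorized
service), performance threshold (failed-logon burst), missing event (agent
heartbeat), and a policy check for unauthorized listening TCP ports."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "time host kind data")
Response = namedtuple("Response", "action host detail")


def make_event(ts, host, kind, **data):
    return Event(datetime.fromisoformat(ts), host, kind, data)


# Constructed sample event stream (hosts, event names and values are made up).
SAMPLE_EVENTS = [
    make_event("2001-06-01T09:00:00", "FS01", "heartbeat"),
    make_event("2001-06-01T09:00:00", "WEB01", "heartbeat"),
    make_event("2001-06-01T09:00:10", "FS01", "logon_failure", user="administrator", src="10.0.0.7"),
    make_event("2001-06-01T09:00:12", "FS01", "logon_failure", user="administrator", src="10.0.0.7"),
    make_event("2001-06-01T09:00:14", "FS01", "logon_failure", user="administrator", src="10.0.0.7"),
    make_event("2001-06-01T09:00:15", "FS01", "logon_failure", user="administrator", src="10.0.0.7"),
    make_event("2001-06-01T09:00:17", "FS01", "logon_failure", user="administrator", src="10.0.0.7"),
    make_event("2001-06-01T09:01:00", "WEB01", "service_started", service="RRAS"),
    make_event("2001-06-01T09:01:30", "WEB01", "listen_ports", tcp=[80, 443, 31337]),
    make_event("2001-06-01T09:05:00", "FS01", "heartbeat"),
    make_event("2001-06-01T09:10:00", "FS01", "heartbeat"),
]

# Assumed policy for the example: denied services, per-host TCP allow-list,
# and the thresholds behind the burst and missing-event rules.
DENIED_SERVICES = {"RRAS"}
ALLOWED_TCP = {"WEB01": {80, 443}, "FS01": {139, 445}}
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(seconds=60)
HEARTBEAT_TIMEOUT = timedelta(minutes=5)


class RuleEngine:
    def __init__(self):
        self.failures = defaultdict(list)  # (host, source ip) -> failure timestamps
        self.last_seen = {}                # host -> time of last heartbeat
        self.silent = set()                # hosts already alerted as missing
        self.responses = []

    def respond(self, action, host, detail):
        self.responses.append(Response(action, host, detail))

    def process(self, ev):
        self.last_seen.setdefault(ev.host, ev.time)
        if ev.kind == "heartbeat":
            self.last_seen[ev.host] = ev.time
            self.silent.discard(ev.host)
        elif ev.kind == "service_started" and ev.data["service"] in DENIED_SERVICES:
            # Event rule: an unauthorized service appeared; alert and stop it.
            self.respond("alert", ev.host, f"unauthorized service {ev.data['service']} started")
            self.respond("stop_service", ev.host, ev.data["service"])
        elif ev.kind == "logon_failure":
            # Threshold rule: N failures from one source within the window.
            key = (ev.host, ev.data["src"])
            window = self.failures[key]
            window.append(ev.time)
            window[:] = [t for t in window if ev.time - t <= FAILED_LOGON_WINDOW]
            if len(window) >= FAILED_LOGON_THRESHOLD:
                self.respond("alert", ev.host,
                             f"{len(window)} failed logons from {ev.data['src']} "
                             f"for {ev.data['user']} within {FAILED_LOGON_WINDOW}")
                window.clear()  # one burst raises one alert
        elif ev.kind == "listen_ports":
            # Policy check: any listening TCP port outside the host's allow-list.
            rogue = sorted(set(ev.data["tcp"]) - ALLOWED_TCP.get(ev.host, set()))
            if rogue:
                self.respond("alert", ev.host, f"unauthorized listening TCP ports {rogue}")
        # Missing-event rule, evaluated against the clock of the latest event.
        self.check_missing(ev.time)

    def check_missing(self, now):
        for host, seen in self.last_seen.items():
            if host not in self.silent and now - seen > HEARTBEAT_TIMEOUT:
                self.respond("alert", host, f"no heartbeat since {seen.isoformat()}")
                self.silent.add(host)


def run(events=SAMPLE_EVENTS):
    """Feed the events through the engine in order and return the responses."""
    engine = RuleEngine()
    for ev in events:
        engine.process(ev)
    return engine.responses


if __name__ == "__main__":
    for r in run():
        print(f"{r.action:13} {r.host:6} {r.detail}")
```

Run against the constructed stream, the engine raises one alert for the five-failure burst against FS01, an alert plus a stop-service response for RRAS on WEB01, an alert for the unexpected listener on port 31337, and finally a missing-heartbeat alert for WEB01 once more than five minutes have passed without one. The point of the `silent` set is the same as the window reset on the threshold rule: a real engine has to suppress repeats, or a single outage floods the pager.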

Reporting is very good, with hundreds of predefined reports to which you may add your own. Reporting uses a run-time version of Microsoft Access over an ODBC connection to the database, authenticated by Windows NT/2000. Reports may be generated on demand or on a schedule, and may be saved in HTML format for later viewing in a web browser. They can also be exported to third-party reporting tools such as Crystal Reports.

Security Manager's interface follows the Microsoft Management Console (MMC) approach, so anyone familiar with MMC will find it easy to use. It can also share a single common agent with Microsoft Operations Manager 2000. A web console provides a browser-based interface if you prefer. The online help is excellent, and the product comes with two thick manuals: a user guide and an installation guide.

Because Security Manager takes a host-based approach, deploying agents to every host that needs protecting, the agent's own resource usage is worth bearing in mind on heavily loaded machines. It is not excessive, but it is not zero. The host-based approach is nevertheless probably the best way of protecting the assets stored on servers, including web servers. The flip side is that a host-based agent cannot see purely network-level activity, so it will not detect, for example, a passive packet sniffer running on another machine.

Security Manager is highly scalable and may be deployed in a load-balanced, redundant, fault-tolerant architecture. You can also deploy what NetIQ calls 'consolidators' to aggregate data from agents before forwarding it to the central management server. Multiple consolidators may be needed for load balancing, for redundancy, or to get data through firewalls. If you want to monitor computers in different NT/2000 domains without the domains sharing a common service account, you can install a consolidator per domain to maintain a security partition between them.

Security Manager provides the central control of security that is often hard to achieve in large organizations using a disparate range of security products, and it can integrate with other best-of-breed third-party security products through their logs and SNMP traps. It also provides a way of bringing service level agreements (SLAs) into the security arena: with measured threats and automated responses, a security SLA becomes more than a rash promise. It eases security audit compliance by gathering the information and automating the production of the necessary reports. But above all it saves that most valuable commodity: people's time.

Minimum system requirements for a management server supporting up to 25 agents are: a 300MHz Pentium III with 256MB RAM and 800MB free disk space, running NT4 SP6a or Windows 2000. Managed computers must be running NT4 SP4 or Windows 2000. Although currently Windows-centric, Security Manager can also receive Unix syslog messages, and NetIQ says native agents for Sun Solaris, HP-UX, AIX and Red Hat Linux will follow.
Contact Information:

North America
Supplier: NetIQ Corporation
Price: from $2,500
Contact: (713) 548-1700
info@netiq.com
www.netiq.com

UK/Europe
Supplier: NetIQ Ltd
Price: from £1,800
Contact: +44 (0)1784 454500
Info-emea@netiq.com
www.netiq.com

Asia Pacific
Supplier: NetIQ Corporation
Australia +61 2 9959 1973
Japan +81 3 3511 9226
Singapore +65 838 5131
www.netiq.com

SC On-Line
SC Magazine
www.scmagazine.com

Copyright © 2001 West Coast Publishing. All rights reserved.