HP and Cisco
Cisco - HP Initiatives

Security

HP OpenView Node Sentry

Cisco Systems and Hewlett-Packard Company Partnering to Provide Enterprise-wide Network Security Solutions by Cisco and Hewlett-Packard

Introduction

Security for companies doing business via the Internet has come of age. Few challenges are as daunting as the corporate requirement to deliver high-performance network services along with the security required for customer assurance. Until now, IT professionals have had to evaluate and choose among non-interoperable niche products from multiple vendors and try to manage it all without clear standards. The selection of enterprise security products is now being simplified by Cisco Systems and Hewlett-Packard, who are combining efforts to deliver the first multi-vendor enterprise network intrusion management solution: the HP OpenView Node Sentry system. The collaboration of the leader in network security technology with the leader in network management systems signals a significant industry shift toward managed network security. With this product integration, Cisco and Hewlett-Packard (HP) begin to bring enterprise-wide network security into a manageable framework. HP OpenView Node Sentry Sensor is based on Cisco's NetRanger, the premier network intrusion detection system (IDS), and is centrally managed by HP OpenView Node Sentry Manager, which is based on the renowned Network Node Manager. Internet users, intranet users, and extranet partners can all be protected with a standards-based, centrally managed, distributed IDS. HP and Cisco are laying the foundation for enterprise security management to become a routine part of daily system operations for Internet commerce and other Internet-based activities.

Enterprise Security Today

The enterprise today is increasingly dependent on mission-critical network solutions to achieve success. The primary challenge for the corporate IT organization is to keep current with the rapid pace of changing technologies, and yet be proactive about managing the associated risks. Linking one enterprise to another, or performing Internet commerce activities, requires a heterogeneous network environment. These activities involve supporting WWW access, intranets, extranets, new operating systems, new applications, and remote access. While these technologies enable connectivity and competition, they also require security management. Such management faces the challenge of optimizing the use of these dissimilar technologies while maintaining a consistent and effective enterprise security policy. The skills required for managing current network security products range from knowledge of network packets on one hand to knowledge of specific devices or hosts on the other. Such a comprehensive skill set is difficult to find. Therefore, optimal security solutions reduce this requirement for complex skills. Network operations staff must increasingly rely on the technologies themselves to incorporate the "skills" for successful administration. Since network security is at stake, technologies must be distributed across the enterprise yet centrally managed, both to maximize effectiveness and to reduce the learning curve needed for operator proficiency. These security technologies must also be manageable from within a familiar, predictable framework that can respond effectively to threats and reduce operations confusion. Additionally, they must increase visibility into the network, shorten training times, and provide data to help determine the cost-effectiveness of security measures. They must also plug in transparently to existing network services, applications, and security countermeasures.

Key Features/Benefits Of HP OpenView Node Sentry

The HP OpenView Node Sentry system includes the following features:

  • Ability to detect unauthorized activity and notify appropriate network security operations personnel.
  • Automatic blocking of unauthorized activity.
  • Capability to collect pertinent data for reporting analysis and forensics purposes.
  • Ability to provide remote, central management capabilities.

Overview Of The Node Sentry Project

Cisco and HP have worked together to provide a combination of tools to secure, monitor, test, and improve network security. The two companies have reached an important goal: providing enterprise-wide security management from a central IT Service Management system. Now customers can easily add complementary intrusion detection technology to their existing firewalls and authentication systems.

Combining Strength

The cooperation of these two market leaders on this product has interlocked the strong points of both companies, combining:

  • Intimate knowledge of the entire IT spectrum
  • Significant depth and breadth in information security

HP OpenView Node Sentry leverages existing network and management infrastructures, including:

  • Personnel, procedures, ops systems, etc.
  • A heterogeneous network solution

Ninety-nine percent of all corporate intranets in the Fortune 500 are built on Cisco technologies and products. The HP OpenView Node Sentry, incorporating Cisco technology, provides simplified end-to-end management. Node Sentry is an enterprise-scale, real-time, intrusion detection system designed to detect, report, and terminate unauthorized activity throughout an enterprise network.

Product Overview

Using the Node Sentry monitoring system, network operations personnel gain 7x24 real-time surveillance of their enterprise for TCP/IP-based patterns of intrusion and misuse. By leveraging the HP OpenView NNM management platform, Node Sentry permits security management to become just what it should be: an extension of other systems' management functions.

Detection

Node Sentry provides a comprehensive network monitoring and management solution. It examines packet headers and data looking for attack signatures. And when it finds violations, it raises alarms and removes the offender from the network. And it does so in a way that is transparent to authorized users. HP OpenView Node Sentry detects intrusions in real time through a system of remote sensors.

Response

HP OpenView Node Sentry allows customers to respond adaptively to network intrusions or policy violations. This technology permits Node Sentry to react in real time to detected intrusions through an integrated set of responses, including trouble-ticket systems, e-mail applications, and pager applications. The Node Sentry real-time system requires quick collection and analysis of data, as opposed to outdated audit logs, which do not provide information fast enough to be used for effective response. When it detects intrusions, Node Sentry provides an appropriate, proportional response while preserving normal network activity. It carries out its detection and response activities with no disruption of legitimate network activities. Node Sentry supports 10/100Base-T, FDDI, and Token Ring interface cards.

The Detection Complement

HP OpenView Node Sentry consists of two components: Node Sentry Sensor and Node Sentry Manager. The Sensor and the Manager communicate through a Secure Communications Link protecting all transmissions between the two, and minimizing the potential for internal or external compromise.

Node Sentry Sensor

HP OpenView Node Sentry Sensors provide network sensing, attack response, and device management. The Sensors run under Windows NT 4.0 and are attached to LAN segments on which high-risk systems or public network access points are located. Placing a sensor in one or more strategic locations within the enterprise intranetwork allows the sensors to watch IP-based traffic and to analyze the information in real time, scanning for known patterns of misuse called signatures, or attack signatures. Signatures are updated through a dynamic update capability that permits users to pull updates from a secure Web or FTP site to keep their system current. Updates are also included on CD with each new release. License keys unlock the software for specific users only. The Node Sentry Sensor detects intrusions based on two classes of attack signatures: context-based and content-based. Portions of each packet's header and data are examined, and notification is performed when a violation is detected.

Context-based Signatures

A context-based signature is found within the contents of an IP packet's header. Context-based attack signatures include:

  • Source routing
  • ICMP network sweeps
  • Fragmented ICMP traffic
  • Late ICMP traffic
  • TCP port sweeps
  • Half-open SYN attacks
  • UDP port scans
  • SATAN scans

Content-based Signatures

A content-based attack signature is found in the data portion of a packet. Content-based signatures are detected by inspections involving:

  • Smail attacks
  • Sendmail invalid recipients
  • Sendmail invalid senders
  • Sendmail reconnaissance
  • TFTP passwords
  • DNS HINFO Requests
  • DNS Zone Transfer Requests
  • DNS requests for all records
  • RPC port registrations

Node Sentry Manager

HP OpenView Node Sentry Manager provides centralized command and control of Node Sentry sensors. It manages and monitors the sensors, collects and analyzes data, and facilitates user operation. The Manager runs on Solaris 2.6, HP-UX 10.2, and Windows NT 4.0. HP OpenView Node Sentry Manager remotely manages sensors placed throughout the network. When sensors spot a pattern of misuse, they send information signaling an alarm to the Node Sentry Manager. HP OpenView Node Sentry Manager categorizes alarms into thirty standard classes; the customer may add custom alarm classes. HP OpenView Node Sentry Manager responds to detected intrusions by alerting operators via CRTs, printers, and other output functions. For example, it can be set to page an on-call operator when it detects a particular kind of intrusion. Information is displayed in several ways for the user. It uses the standard HP OpenView NNM conventions, including icons that change color depending on the severity of the attack, pull-down menus for additional information requests, and clicking on icons for additional information. The Node Sentry Manager also includes an embedded HTML database of information on various attacks and recommended countermeasures. It also includes tools that will load the event information into a relational database such as Oracle. Sample data tables, information queries, and report templates are also included to get the user up and running quickly.

Using Security Maps

HP OpenView Node Sentry Manager displays real-time event information. It uses the HP OpenView Windows Application Programming Interface (OVW API) to pass security information to the OpenView user interface to display on the network security maps. It displays network security maps as icons. The user can click on an icon to drill down through a hierarchy to the next level of detail, repeating the process on subsequent levels until reaching the level of detail required.

Managing Information

HP OpenView Node Sentry Manager gathers data from the various sensors and organizes this information into a database. The database can then be analyzed for patterns and trends. Node Sentry Manager can also generate status reports relating to network activity and vulnerabilities. A single Node Sentry Manager can centrally manage the activities of dozens of Node Sentry Sensors. They may also be organized into a tiered structure to permit monitoring of an unlimited number of Sensors. HP OpenView Node Sentry Manager will monitor sensors located throughout an enterprise-wide network, such as dial-in modem pools, LAN segments, and T3 internet gateways. By combining OpenView NNM and Node Sentry, an organization can monitor the security of its enterprise network from a single location.

A Path Towards Standards

Adherence to standards increases interoperability, reduces training time, and eases support costs over time. HP OpenView also interoperates with Cisco Systems' CiscoAssure policy networking system.

Figure 1. Protection of the Network

The HP OpenView Node Sentry system takes its place as an important part of a comprehensive policy of proactively controlling network resources while requiring fewer highly trained technical personnel, and thus becomes part of a solution designed to reduce the total cost of ownership (TCO) for enterprise networking customers. The HP OpenView Node Sentry system analyzes the following network application protocols: SMB, NFS, DNS, HTTP, FTP, TELNET, SNMP, SMTP, and RPC, looking for hacker attempts to exploit potential weaknesses.

The Security Solution

HP Node Sentry software provides existing HP OpenView customers with a welcome opportunity to gain additional network security capability without the added burden of learning yet another set of standalone device management procedures or interfaces. Stories of success are already beginning to come in: "Having it all in one place lets the CIO reach out and touch the network and see all that is going on," says Larry Dietz, a security analyst with Current Analysis. "They can watch the uptime and efficiency of the network as well as the security." Centralized security management and a common user interface were key to Bally's decision to go with the HP OpenView platform. The gaming company will launch a system in October that will let 75,000 Nevada customers place bets on sports events over a private extranet.

How It Works

The HP OpenView Node Sentry solution will follow a number of simple steps:

1. Place the sensors

Node Sentry sensors will be placed at high-risk network points such as remote or Internet access. These will include modem pools, project subnets, legacy systems: anything with external access.

2. Begin monitoring network for suspicious activities

Node Sentry Manager will report alarms to network operations personnel as soon as one of the sensors discovers a pattern of misuse in the TCP/IP packets that it examines.

3. Begin to detect intrusion activities as they occur

An intrusion activity will include anything from an illegal login to operation of a Password Cracker. HP OpenView Node Sentry Sensor detects the intrusion, spots suspicious packets by matching these to intrusion patterns, and then passes the information to Node Sentry Manager.

4. The Node Sentry Manager responds

The HP OpenView Node Sentry Manager isolates the node, shunning/blocking the offending IP as configured.

5. Node Sentry Manager sends reports and notifications

These include all configured responses: screen displays, pager notifications, e-mail messages, alarms, etc.

"The Best Is Yet To Come"

The months and years ahead will surely see steady growth in the demand for enterprise-wide network security. HP and Cisco will continue to set the standard for sophisticated intrusion detection. Future Node Sentry releases will permit increasingly effective responses to network attacks. Node Sentry will soon be able to utilize high-level event correlation and to perform genuine root cause analysis. Future releases of Node Sentry will also integrate with system sensors, database sensors, and application sensors for ever-increasing effectiveness in locating and identifying intruders and ever-increasing efficiency in responding to them appropriately.


All contents copyright © 1992--2001 Cisco Systems, Inc. Important Notices and Privacy Statement.