
Best of Firewall Management – TFA for Applications


In this series, FireMon leadership shares their favorite features of the latest release of our device and policy management solution, Security Manager. Click Here to subscribe to the blog.

Jody Brazil, co-founder and chief product strategist, has overseen development of our flagship product since the beginning. He explains how TFA with application support is helping customers get more out of their NGFW investment.

Traffic Flow Analysis (TFA) continues to be a differentiating and in-demand feature of the FireMon product suite. In fact, there are so many advancements in TFA that I can’t fit them all into a reasonably sized blog post, so I will have to break it up. For this post, I will focus on one of the enhancements made to TFA in Security Manager Version 8: application awareness.

Version 8 adds applications to the TFA data set. This is not a trivial addition with only incremental value; it is a major advancement for TFA. Application data in TFA lets a user identify which applications are actually in use under a rule and between each source and destination.

Just as with traditional TFA, FireMon presents the data both as a list (all applications in use for the monitored traffic) and as “flows.” A flow is a set of common tuples (source, destination, service and application). All the monitored traffic can be broken into flows, which can then be used to create more refined rules in a policy.

In the accompanying screenshot, six flows are associated with the captured traffic. The highlighted column shows the application identified for each flow.

Why does it matter?
There is significant value to seeing applications in the flow to enable a user to more effectively refine their security policy. Security technology manufacturers like Palo Alto Networks have built their business on the concept of an enhanced firewall that doesn’t just control access based on port and protocol, but on application. However, rules often aren’t configured to enforce application control. This happens for a couple of reasons:

  1. Migrations: Users are generally migrating from a legacy technology to the next-generation firewall. The original rules didn’t have applications, so the migrated rules will not either. The effort to change these rules is significant, but it is also hard to do without better information – information that FireMon can provide.
  2. Adoption: This is still a relatively new technology. Administrators are just getting familiar with it and sometimes overlook application definition when creating rules. Fixing these rules after the fact is hard to do without good data.

So, if you’re using a next-generation firewall, make sure you take advantage of application controls throughout your policies. Use TFA with application awareness to improve your firewall policies and to get more value out of the upfront investment you made in NGFWs.

The post Best of Firewall Management – TFA for Applications appeared first on FireMon.


The Best of Firewall Management – Enabling “Smart Firewalls”


In this series, FireMon leadership shares their favorite features of the latest release of our firewall management solution, Security Manager. Click Here to subscribe to the blog.

“Smart Cities” are growing in popularity with their ability to monitor traffic behavior and resource usage and adapt accordingly. Similarly, “Smart Firewalls,” enabled by Security Manager’s enhanced TFA feature, can collect data tied to the source, destination, service and even application in order to help firewall administrators modify or restrict access. Jody Brazil explains the advancements in Version 8 that make this possible.

TFA is a powerful feature for analyzing network traffic patterns. You could use the physical analogy to cars on streets. A traffic monitoring system could be set up at an intersection to evaluate exactly how many cars flow through the intersection, which directions (special attention to cars turning at the intersection) and what time of day. As a result, you can define new “rules” of the traffic control system (stop lights) to efficiently move cars through an intersection.

Similarly, TFA monitors traffic through a firewall rule. Instead of allowing all traffic to traverse in all directions, it monitors the empirical behaviors on the network and informs an administrator of the rules they can create to restrict access to only what is necessary.

In Version 8, we have dramatically improved this behavior. One significant advancement was the support for applications, which we covered last time. Continuing my traffic analogy, you could think of applications as another data point – for example, distinguishing between types of vehicles and understanding that truck traffic requires different rules than cars.

We’ve also enhanced TFA in version 8 by expanding how data is collected. Previously, TFA only allowed a user to collect data on a specific firewall rule. In Version 8, you can collect it across an entire firewall using any combination of source, destination, service or application as filters to the data collection.

Again, using the street traffic analogy, we can now map the flow of traffic between any two points in a city or traffic of any types of vehicles, regardless of which intersection they move through. The scope of the analysis is now massive. Imagine sensors at every single intersection in your daily commute. In today’s parlance, we think of this as a “Smart City.” Using that same naming convention, FireMon enables “Smart Firewalls.”

For example, say you were asked to evaluate all the traffic that is allowed into a PCI zone in your network. You could enable TFA on the firewall that protects the PCI zone to monitor all traffic destined for networks in that zone. Regardless of which rule permits the traffic, you get a picture of exactly which hosts are communicating with servers in the PCI zone and over which services (HTTP, SMTP, FTP, etc.).

Finally, in Version 8, we dramatically improved the performance of TFA. Large datasets used to make generating a TFA report a very time-consuming and system-intensive operation. With the capacity to collect greater amounts of data, it was critical that we improve the performance of the analysis. The results are stunning: TFA now returns in seconds results that used to take minutes. While it is still possible to generate enough data to make a report take longer than that, it remains a remarkably fast process for the complexity of the analysis.
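
As an added illustration (this is not FireMon’s code, and Security Manager’s internal flow computation is not documented here), the following Python collapses a constructed sample of firewall log records into (source, destination, service, application) flows, filters them by any combination of fields across the whole firewall rather than one rule, answers the PCI zone question from the paragraph above, and derives the tighter rules that would replace one broad rule. The rule names, hosts, the 10.9.0.0/24 “PCI zone” and the expected-application table are all assumptions made for the example.

```python
"""Traffic Flow Analysis (TFA) over firewall log records.

Collapses individual permitted connections into flows, i.e. distinct
(source, destination, service, application) tuples with a hit count, lets the
analyst filter by any combination of fields across the whole firewall, and
emits the tighter rules that would replace one broad rule.
"""
from collections import Counter, defaultdict
import ipaddress

# Constructed sample log: (permitting rule, src, dst, service, application).
SAMPLE_LOG = [
    ("rule-12", "10.1.1.10", "10.9.0.5", "tcp/443", "web-browsing"),
    ("rule-12", "10.1.1.10", "10.9.0.5", "tcp/443", "web-browsing"),
    ("rule-12", "10.1.1.11", "10.9.0.5", "tcp/443", "ssl"),
    ("rule-12", "10.1.1.12", "10.9.0.5", "tcp/443", "ssh"),  # SSH tunnelled over 443
    ("rule-12", "10.1.1.10", "10.9.0.6", "tcp/25", "smtp"),
    ("rule-7", "10.2.2.20", "10.9.0.7", "tcp/21", "ftp"),
    ("rule-7", "10.2.2.20", "10.9.0.7", "tcp/21", "ftp"),
    ("rule-3", "10.2.2.21", "172.16.5.9", "tcp/80", "web-browsing"),
]

# Assumed table of which applications are expected on each service; in a
# real deployment this comes from the NGFW's application signatures.
EXPECTED_APPS = {
    "tcp/443": {"web-browsing", "ssl"},
    "tcp/80": {"web-browsing"},
    "tcp/25": {"smtp"},
    "tcp/21": {"ftp"},
}


def _matches(rec, rule=None, src_net=None, dst_net=None, service=None, application=None):
    """True when the record satisfies every filter that was supplied."""
    r, s, d, svc, app = rec
    if rule is not None and r != rule:
        return False
    if src_net is not None and ipaddress.ip_address(s) not in ipaddress.ip_network(src_net):
        return False
    if dst_net is not None and ipaddress.ip_address(d) not in ipaddress.ip_network(dst_net):
        return False
    if service is not None and svc != service:
        return False
    if application is not None and app != application:
        return False
    return True


def flows(records, **filters):
    """Counter of (src, dst, service, application) -> hits for matching records.

    With no filters this is whole-firewall scope; rule=... reproduces the
    older per-rule TFA; dst_net=... answers "what enters this zone?"."""
    return Counter(rec[1:] for rec in records if _matches(rec, **filters))


def refine_rule(records, rule):
    """Replacement rules for one broad rule: one per (service, application)
    observed, with sources and destinations narrowed to the hosts seen."""
    groups = defaultdict(lambda: {"src": set(), "dst": set(), "hits": 0})
    for (s, d, svc, app), n in flows(records, rule=rule).items():
        g = groups[(svc, app)]
        g["src"].add(s)
        g["dst"].add(d)
        g["hits"] += n
    return [{"service": svc, "application": app, **g}
            for (svc, app), g in sorted(groups.items())]


def unexpected_applications(records, expected=EXPECTED_APPS):
    """Flows whose identified application is not one expected on that service,
    which is exactly what port-and-protocol rules cannot see."""
    return sorted(f for f in flows(records) if f[3] not in expected.get(f[2], set()))


if __name__ == "__main__":
    for flow, hits in flows(SAMPLE_LOG, dst_net="10.9.0.0/24").items():  # assumed PCI zone
        print(hits, *flow)
    for r in refine_rule(SAMPLE_LOG, "rule-12"):
        print(r)
    print(unexpected_applications(SAMPLE_LOG))
```

The `dst_net` query is the PCI zone example: every flow into 10.9.0.0/24 is reported regardless of which rule permitted it. `refine_rule` turns one broad rule into a handful of explicit ones, and `unexpected_applications` surfaces the SSH session riding on tcp/443, which a service-only rule would happily allow.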


The Best of Firewall Management – Removing Unused Rules


In this series, FireMon leadership shares their favorite features of the latest release of our firewall management solution, Security Manager. Click Here to subscribe to the blog.

Rule Usage analysis to identify unused rules is a core feature first invented by FireMon and now central to our market space. Beyond “cleaning up” the mess, there are real security benefits to removing those unused rules.

Unused rules are like leaving the keys in a running car: it wastes gas and invites someone to steal the car. Unused firewall rules bloat the policy, slowing rule evaluation, and expose the network to the unneeded risk of an attacker exploiting the open access.

Many users who install FireMon Security Manager find thousands of rule issues that need to be addressed. It can be pretty overwhelming. We’ve published some good webinars discussing what we consider a good strategy for rule review and removal:

  1. Start with the technical mistakes (hidden and shadowed rules).
  2. Move to business issues (unused rules and objects, compliance issues).
  3. Work to improve the remaining rules by tightening them to only the access that is needed (TFA).

Security Manager Version 8 has created a new way to evaluate these rules by combining usage data with assessment data. The theory is pretty simple: if you have a rule that is not being used (no business purpose) AND it has significant security or compliance violations, then it is a rule that is both unnecessary and exposes the organization to a lot of risk. The result is a prioritized list of rules that should be reviewed for immediate removal.

Take a look at the chart on the left and the table at the bottom of the screenshot taken from our Policy Dashboard. The large bar on the left of the chart shows all the unused rules. The small red block at the top represents the rules with Critical control failures that are also unused. A user can click on that bar to be taken to the Rules List page, listing all the rules that are unused and have Critical control failures.

The table shows the top 20 unused rules, sorted by those with the highest cumulative severity (a score generated by combining all the severities of controls this rule has failed). Both of these represent rules that should be at the top of an administrator’s list to remediate immediately.
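
To make the three-step strategy and the usage-plus-assessment prioritization concrete, here is an added Python example; it is not FireMon’s scoring code. Over a constructed six-rule policy it flags redundant and shadowed rules (the technical mistakes of step 1), lists unused rules (step 2) and sorts them by a cumulative severity computed from assumed weights (Critical 4, High 3, Medium 2, Low 1); FireMon’s actual weights are not documented here, and the rule names, networks and control names are invented for the example.

```python
"""Rule review in the recommended order: technical mistakes first, then
unused rules, then a prioritised list combining usage data with control
(assessment) failures."""
import ipaddress

# Assumed numeric weights for control severities; they only need to be monotonic.
SEVERITY = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Constructed policy in enforcement order. service None means "any".
# hits comes from rule-usage data, controls from an assessment run.
POLICY = [
    dict(id="R1", src="10.0.0.0/8", dst="10.9.0.0/24", service={"tcp/443"},
         action="allow", hits=5000, controls=[]),
    dict(id="R2", src="10.1.0.0/16", dst="10.9.0.0/24", service={"tcp/443"},
         action="allow", hits=0, controls=[]),
    dict(id="R4", src="192.168.0.0/16", dst="10.9.0.0/24", service={"tcp/23"},
         action="allow", hits=0,
         controls=[("Telnet permitted", "High"), ("Undocumented access to PCI zone", "Medium")]),
    dict(id="R5", src="172.16.0.0/12", dst="10.9.0.0/24", service=None,
         action="deny", hits=0, controls=[]),
    dict(id="R6", src="10.5.0.0/16", dst="10.9.0.0/24", service={"tcp/21"},
         action="allow", hits=0, controls=[("FTP permitted", "Critical")]),
    dict(id="R3", src="0.0.0.0/0", dst="0.0.0.0/0", service=None,
         action="allow", hits=120, controls=[("Any/Any/Any permitted", "Critical")]),
]


def _covers(a, b):
    """True when every packet matched by rule b is also matched by rule a."""
    if not ipaddress.ip_network(b["src"]).subnet_of(ipaddress.ip_network(a["src"])):
        return False
    if not ipaddress.ip_network(b["dst"]).subnet_of(ipaddress.ip_network(a["dst"])):
        return False
    if a["service"] is None:          # "any" service covers everything
        return True
    return b["service"] is not None and b["service"] <= a["service"]


def technical_mistakes(policy):
    """id -> (kind, covering rule id). A rule fully covered by an earlier rule
    can never match traffic: redundant if the actions agree, shadowed if not."""
    found = {}
    for j, later in enumerate(policy):
        for earlier in policy[:j]:
            if _covers(earlier, later):
                kind = "redundant" if earlier["action"] == later["action"] else "shadowed"
                found[later["id"]] = (kind, earlier["id"])
                break
    return found


def cumulative_severity(rule):
    """Sum of the severities of every control this rule has failed."""
    return sum(SEVERITY[sev] for _, sev in rule["controls"])


def prioritised_unused(policy, top=20):
    """Unused rules (zero hits, not already flagged as technical mistakes),
    highest cumulative control-failure severity first."""
    mistakes = technical_mistakes(policy)
    unused = [r for r in policy if r["hits"] == 0 and r["id"] not in mistakes]
    return sorted(unused, key=cumulative_severity, reverse=True)[:top]


def critical_unused(policy):
    """The 'small red block': unused rules with at least one Critical failure."""
    return [r["id"] for r in prioritised_unused(policy)
            if any(sev == "Critical" for _, sev in r["controls"])]


if __name__ == "__main__":
    print(technical_mistakes(POLICY))
    for r in prioritised_unused(POLICY):
        print(r["id"], cumulative_severity(r))
    print(critical_unused(POLICY))
```

Note that R3, the any/any/any rule, fails a Critical control but is in use, so it does not appear in the unused list: it needs a business conversation and refinement (step 3, TFA), not immediate deletion. R2 never appears either, because it is redundant with R1 and is removed in step 1 before usage is even considered.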

Want to see it for yourself? Contact our sales team for a web demo or request a free evaluation copy.


The Best of Firewall Management – Exporting Rules & Objects


In this series, FireMon leadership shares their favorite features of the latest release of our firewall management solution, Security Manager. Click Here to subscribe to the blog.

Sometimes it’s the little things that make the biggest difference. One of the simplest but most requested features is the ability to export rules and objects out of our system into CSV format for use in spreadsheets.

Spreadsheets are the universal “tool” in the business world. They are used for financial models, sales lead lists, task management, employee lists, asset management, resource planning, quotes, orders, simple databases, data analysis and more. They are even used to track firewall rules and firewall changes in companies that haven’t yet bought a firewall management solution like Security Manager.

Spreadsheets are simply a ubiquitous business tool. As such, users commonly export data into a spreadsheet out of familiarity, a legacy process requirement or a need for additional analysis. Because of this, we have made much of our data exportable to spreadsheet format.

In Version 8, we have made this capability easier to access, moving it right on the list views where you can not only export the entire list, but also search and filter the list and export the filtered result set.

On many of our list pages, we have exposed an “Export” button allowing a user to export the data in the list to CSV format. In some cases, we offer a couple of options, such as Expanded or Collapsed. The difference between these options is whether group objects are expanded to include all the group member details in the exported data or not. This feature is available for Security Rules, Network Objects and Service Objects. More lists will likely support Export in future releases, particularly if there is demand for it.

Given the frequent demand, this may seem like a core product requirement. But many of our competitors fail to offer exporting to CSV and none offer the filtered export option.


Firewall Policy Compliance – Continuous Monitoring


Nearly every organization faces significant IT security compliance demands regardless of industry, with the goal of ensuring that mandated controls are always in place and that assessments are performed with the prescribed regularity.

In addition to being a security best practice, continuous monitoring is one of the most common requirements of many compliance initiatives, including PCI DSS, HIPAA, SOX, NIST, and DISA. In future posts, we will cover how to address these requirements more specifically.

What is Continuous Monitoring?

Continuous monitoring, in this context, means monitoring firewall rule sets and assessing proposed rule changes against a set of checks that map to internal security policies, an industry compliance standard, or the subset of other regulations that place controls on network access rules and on how they are managed.

Why is Continuous Monitoring Important?

Continuous monitoring is important for a number of reasons. For one, the more you understand about what is happening in your environment, the more likely you are to detect the threats that lead to breaches.

Second, accidents happen, and sometimes a legitimate change causes more harm than good. If you only review changes at the end of the day, you may have opened a gap in security in the interim. Continuous monitoring helps you detect and understand these changes in real time.

And finally, compliance initiatives. There is a reason many compliance frameworks recommend or mandate continuous monitoring: it catches the misconfiguration or unauthorized change that would otherwise go unnoticed until it is exploited. Meeting compliance requirements is often seen as a pain or a hassle, but many of these requirements genuinely improve your security posture.

How FireMon Provides Continuous Monitoring

FireMon Security Manager and its Policy Planner module streamline compliance auditing and validation by using automation to demonstrate that network access controls are in place at all times and are being tested frequently.

While existing compliance automation solutions may confirm that appropriate configurations are in place in a network security device’s rule base, FireMon can also analyze and report in real time that all of those systems work together to prevent access and maintain protection of critical assets.

Here are three key ways FireMon helps with continuous monitoring:

  • Real-time, uninterrupted visibility into current security device enforcement including logging of all configuration changes and recording all audit log details.
  • Ability to model and test the impact of all changes prior to implementation to ensure that they do not create additional IT risks, reducing time and increasing efficiency while fully documenting all changes for compliance purposes.
  • Continuous assessment of all security device configurations in real time, compared to detailed federal enforcement standards via a knowledge base of required criteria, allowing for audit of any device against those measures.

Combating Firewall Complexity – Four Things You Need


Firewalls continue to play an important role in network security; however, firewall infrastructure has grown more and more complex, adding significant costs and increasing risk. According to FireMon’s 2015 State of the Firewall Report, 95% of surveyed security professionals indicated that firewalls remain as critical if not more critical to security than ever. Over 50% of those respondents cited firewall complexity as their most problematic security management concern.

A recent report from the Aberdeen Group, Firewall Sprawl: How Complexity Is Adding Cost & Increasing Risk, reinforces these findings. Their research found that nearly half of organizations today have multi-site, multi-vendor environments.

Going a step further, they developed a complexity index to quantify the issue: (N^2 – N) / 2, where N equals the number of sites plus the number of vendors. This is the number of pairwise relationships among those sites and vendors, so each additional site or vendor adds N new relationships and complexity grows quadratically. With it grow operational costs, inconsistencies and errors, threats and vulnerabilities and, finally, the likelihood of risk.
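
Written out, the index is the count of pairs among N items, which is what makes its growth quadratic (this working is added here; it is not from the Aberdeen report):

$$ C(N) = \frac{N^2 - N}{2} = \binom{N}{2}, \qquad C(N+1) - C(N) = N, \qquad C(2N) = 2N^2 - N = 4\,C(N) + N. $$

For example, three sites and two vendors give N = 5 and C(5) = 10 relationships to keep consistent; adding one more vendor gives C(6) = 15, five new relationships; doubling to N = 10 gives C(10) = 45, roughly four times the original.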

With that being said, it appears that firewalls are here to stay, and complexity will only continue to grow as new network technologies and threats develop. The key to combating this is to understand the primary contributing factors and how one might address them.

With eight years under my belt at FireMon, I’ve seen a lot of firewall installations that fall prey to some of these challenges:

  • Lacking Capabilities within existing technologies that enable proper management. For example, trying to perform behavioral analysis of a large firewall policy without the aid of automation.
  • Time, or more precisely efficient processes, for managing the constant change in the security environment.
  • Inadequate Resources – I have yet to hear anyone tell me they have too many resources.
  • Cost – This tends to go hand-in-hand with skilled resources.
  • Heterogeneous Environments as opposed to homogeneous environments. I’ve seen very few single vendor deployments but rather a mixture of many different brands. Aberdeen Group’s research quantifies my anecdotal experience.

So what can you as a security professional do about it? Look for solutions or processes that give you the following:

  • Visibility – It’s an unfortunate reality, but most of today’s organizations with complex networks do not have the visibility necessary to properly manage their security infrastructure. Nor do they have confidence that the technologies they have in place are doing what they’re supposed to. Couple that with reduced resources and an ever-growing threat landscape and the result is a recipe for disaster. Detailed visibility into firewall rules and policy effectiveness allows organizations to clean up outdated or redundant rules and close security gaps, lowering overall firewall complexity and level of risk.
  • Intelligence – It takes a clear understanding of an organizations compensating controls coupled with a knowledge of vulnerabilities in the environment to properly protect well-known threat entry points. This is all a component of managing risk. With real-time monitoring and vulnerability mapping, your security team has the situational awareness it needs to identify and remediate problematic issues before they evolve into real-world risk.
  • Integration – Exchange of information between disparate systems cannot be underestimated. The ability to share security information in real time without restricting it to a single application, system or device can empower stakeholders to make decisions specific to their responsibilities. Security posture is greatly improved by extending real-time, enterprise-wide security metrics to those who need it most. This lends itself to compliance initiatives, business enablement, risk avoidance, etc.
  • Automation – Automation can be interpreted differently by different people; in this case we’re looking at automation of change workflow. It’s important to assess the impact of any new access being provided. Access should be restricted to just what is necessary to meet the needs of the business. New access should also be vetted against the corporate security policy to ensure it does not break compliance or introduce unacceptable risk. Being able to sandbox proposed changes to assess impact and then send them for review and implementation through an existing ticketing system speeds up the process and reduces the likelihood of incorrect or risky changes. Automating this task is the only way to accomplish it with high accuracy and repeatable success.


How do I import bulk Reputation data via CSV?


In addition to the previously available methods, reputation data can now be imported into Immediate Insight via CSV. For best results, we recommend that you complete the most recent ‘update’ release first.

Files named with the extension .iprep or .iprep.csv, in the format shown below, can be dragged and dropped into DataFlow -> Import -> Import at Lines to populate IP reputation.

IPMATCH,building,zone
3.3.3.0/24,"sector 1, camp A",rec area
3.3.4.0/24,"sector 1, camp B",lab 3
2.2.2.1-2.2.2.6,main,EBC
2.2.2.8 to 2.2.2.21,main,training lab
5.5.5.,data center,cluster 1
1.2.3.4,outhouse,toilet 4

The first column must be IPMATCH and contain IPv4 match patterns as shown above (a CIDR block, a range written with a dash or with “to”, a trailing-dot prefix such as 5.5.5., or a single address). Field names are taken from the column headings and their values from each row.

An event is generated for each entry so that other actions or workflows can be tied to changes:


Overlapping reputations are allowed. Non-conflicting fields are merged in. Conflicting fields are overwritten to allow easy updating by reloading the IP rep files again.

Here is a sample of overlapping rep data:

IPMATCH,Restricted
3.3.4.0/24,Sensitive
2.2.2.20 to 2.2.2.21,Limited
5.5.5.8,Black Ops
1.2.3.4,Your Eyes Only


Deleting entries is performed by setting the first value to IPDELETE:

IPMATCH,Restricted
3.3.4.0/24,IPDELETE
2.2.2.20 to 2.2.2.21,IPDELETE

Events are generated for every delete:


Be warned that a delete will remove the entire reputation including fields that were merged in from other files.

Pay special attention when converting xls files to csv. Some data files may contain multiple delimiters which must be removed in order to produce a clean csv file.


Import will skip over bad entries in the csv file.
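
The following Python is an added re-implementation of the .iprep semantics described above, written for this page; it is not Immediate Insight’s importer, and the exact order in which the product merges overlapping entries at lookup time is not documented here, so the “narrower range wins” choice in `lookup` is an assumption. It parses every IPMATCH pattern shape shown (CIDR, dash range, “to” range, trailing-dot prefix, single address), merges non-conflicting fields and overwrites conflicting ones when a range is reloaded, removes the whole reputation on IPDELETE (including fields merged in from other files) and skips bad rows. The three sample files are the ones from this article, with one constructed bad row (999.1.2.3) appended to the first.

```python
"""Reader for the .iprep CSV reputation format.

Re-implements the documented behaviour: IPMATCH patterns (CIDR, "a-b" and
"a to b" ranges, a trailing-dot prefix and single addresses), merging of
overlapping reputations, IPDELETE, and skipping of bad rows.
"""
import csv
import io
import ipaddress

REP_FILE_1 = """IPMATCH,building,zone
3.3.3.0/24,"sector 1, camp A",rec area
3.3.4.0/24,"sector 1, camp B",lab 3
2.2.2.1-2.2.2.6,main,EBC
2.2.2.8 to 2.2.2.21,main,training lab
5.5.5.,data center,cluster 1
1.2.3.4,outhouse,toilet 4
999.1.2.3,bogus,skipped
"""  # the last row is a constructed bad entry

REP_FILE_2 = """IPMATCH,Restricted
3.3.4.0/24,Sensitive
2.2.2.20 to 2.2.2.21,Limited
5.5.5.8,Black Ops
1.2.3.4,Your Eyes Only
"""

REP_DELETE = """IPMATCH,Restricted
3.3.4.0/24,IPDELETE
2.2.2.20 to 2.2.2.21,IPDELETE
"""


def parse_ipmatch(pattern):
    """(first, last) as integers for one IPMATCH pattern, or None if invalid."""
    p = pattern.strip()
    try:
        if "/" in p:
            net = ipaddress.IPv4Network(p, strict=False)
            return int(net[0]), int(net[-1])
        for sep in (" to ", "-"):
            if sep in p:
                lo, hi = (ipaddress.IPv4Address(x.strip()) for x in p.split(sep, 1))
                return (int(lo), int(hi)) if lo <= hi else None
        if p.endswith("."):                        # prefix such as 5.5.5.
            octets = p[:-1].split(".")
            if not 1 <= len(octets) <= 3:
                return None
            pad = 4 - len(octets)
            lo = ipaddress.IPv4Address(".".join(octets + ["0"] * pad))
            hi = ipaddress.IPv4Address(".".join(octets + ["255"] * pad))
            return int(lo), int(hi)
        a = int(ipaddress.IPv4Address(p))          # single address
        return a, a
    except ValueError:                             # covers AddressValueError too
        return None


def load_iprep(table, text):
    """Apply one .iprep file to table {(first, last): {field: value}} and
    return the events a caller could hook actions or workflows to."""
    events = []
    reader = csv.DictReader(io.StringIO(text))
    if not reader.fieldnames or reader.fieldnames[0] != "IPMATCH":
        raise ValueError("first column must be IPMATCH")
    for row in reader:
        key = parse_ipmatch(row["IPMATCH"])
        fields = {k: v for k, v in row.items() if k not in ("IPMATCH", None) and v is not None}
        if key is None:
            events.append(("skipped", row["IPMATCH"]))       # bad entry: skip, keep going
            continue
        if fields and next(iter(fields.values())) == "IPDELETE":
            table.pop(key, None)                             # whole reputation goes, merged fields too
            events.append(("deleted", row["IPMATCH"]))
            continue
        table.setdefault(key, {}).update(fields)             # merge; conflicting fields overwritten
        events.append(("updated", row["IPMATCH"], fields))
    return events


def lookup(table, ip):
    """Merged reputation for ip across all overlapping ranges; assumption:
    narrower ranges override wider ones on conflicting fields."""
    n = int(ipaddress.IPv4Address(ip))
    hits = [(hi - lo, f) for (lo, hi), f in table.items() if lo <= n <= hi]
    merged = {}
    for _, f in sorted(hits, key=lambda t: t[0], reverse=True):
        merged.update(f)
    return merged


if __name__ == "__main__":
    rep = {}
    for text in (REP_FILE_1, REP_FILE_2):
        for ev in load_iprep(rep, text):
            print(ev)
    print(lookup(rep, "5.5.5.8"))        # building/zone from file 1 plus Restricted from file 2
    load_iprep(rep, REP_DELETE)
    print(lookup(rep, "3.3.4.5"))        # {} : the delete removed the merged fields as well
```

Running it shows the caveat from the text: after REP_DELETE, 3.3.4.5 has no reputation at all, because the building and zone loaded from the first file lived in the same 3.3.4.0/24 entry that the delete removed. 2.2.2.20 keeps its building and zone, since the delete targeted the narrower 2.2.2.20 to 2.2.2.21 entry and not the wider 2.2.2.8 to 2.2.2.21 one.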


How to Stop Certificate Warning Messages When Accessing Immediate Insight via HTTPS


Step 1: (if not already completed) Enabling Encryption

Immediate Insight streams data to the client by opening two websocket connections to the browser, a control channel and a data channel. By default, Immediate Insight is configured for HTTP. To activate encryption (HTTPS) on websockets:

  • Type set-ssl command to enable encryption on browser sessions.
  • Type reload server to make changes take effect.
  • Quit the browser and log in again using https instead of http (https://ip-address-of-server:3201). Chrome is the recommended browser.

    Note: You will get a certificate warning, because the browser cannot yet verify the server’s self-signed certificate, but you will be able to log in after accepting it. Until Step 2 is completed the session is encrypted but the server’s identity is not authenticated, so do not stop here.

Step 2: Managing Certificates & Stopping Warning Messages

We recommend the best practice use of matching CA certs installed in user’s browsers to reduce the possibility of man-in-the-middle attacks and provide a smoother user experience.

During installation, a self-signed rootCA pair is generated automatically in app/config/certs.

Note: You can replace this pair with your own CA by overwriting the rootCA.key and rootCA.pem files; however, this is an advanced task, and most users can use the self-signed certificates provided.

Type “set-certs” followed by “reload server” to activate the certificate.

Next, copy the app/config/certs/rootCA.pem file from the Immediate Insight server to your computer (using an SFTP or SCP client). Copy only the .pem, which is the public certificate; the rootCA.key private key must stay on the server.

Load the Certificate into your Browser. Instructions for Chrome:

  • Settings -> Show Advanced Settings -> HTTPS/SSL -> Manage Certificates
  • Trusted Root Certification Authorities -> Import (specify rootCA.pem file)

Restart the browser. The next time you log into Immediate Insight you should not see the certificate warning.

Note: While the system has a reasonable set of security measures in place, the present release is designed to run in a secure and trusted environment. If you have a need to expose it directly to the Internet, please contact iisupport@firemon.com to discuss additional hardening procedures.



How To Export/Import Bookmarks & Pinboards


First, here is the process to backup (export) Pinboards/Bookmarks:

Click the flag icon near the top right corner of the GUI, then select Manage Pinboards & Bookmarks.


Click Share, then click the icon beside each bookmark, one at a time (this copies them to the Shareboard).

Note:

  • To share a specific Pinboard, select all of the bookmarks belonging to that Pinboard (name is in blue in middle field).
  • Or to share ALL Pinboards, click the ‘Copy All to Shareboard’ link.


Next from the Flag icon click Share Configurations to open the Shareboard.


Click Export to save the bookmarks to a .ii file (it will download to your computer).


Second, here is the process for how to Import Pinboards:

If you need to restore your bookmarks or share them with another user or another Immediate Insight system, you can do so using the .ii file. Simply drag & drop the file into DataFlow -> Import -> Import at Blob.

Note: before dragging and dropping, log in as the user who should receive the bookmarks/pinboards.



Configuring Immediate Insight to Send Outbound Email Alerts?


Immediate Insight can send email alerts based on any collected data and search criteria. Before configuring an email alert, you must set up the outbound email server settings in Immediate Insight (this is done via the CLI). Here is the information:

The server settings for sending email are specified in the marshal configuration file: app/config/marshal-settings.conf

You can edit this file with a text editor ( vi app/config/marshal-settings.conf ).

Add the following lines (except with the proper values for your email environment):

#
# maximum number of email alerts per address per hour (default is 3)
#
mail.maxPerHour = 3
#
# mail alert settings (account to send through)
#
mail.username = "test@immediateinsight.com"
mail.password = "test"
mail.host = "smtp.gmail.com"
mail.port = 587
mail.subject = "New Alert"

After saving the changes, type ‘reload server’ at the command line to restart and make the changes take effect. Note that the default maximum is 3 messages per address per hour; you can raise this as needed. Because this file holds the SMTP account password in cleartext, make sure it is readable only by the account Immediate Insight runs as, and use a dedicated alerting mailbox rather than a personal or shared administrative account.

Once the above has been done, you can configure Email Alerts in Immediate Insight via the “Action” feature – one example of doing this is shown below. (Further examples are available in the Data Management Guide.)

You see a type of Search Event you’d like to be alerted on in future -> click the Action link.


Then choose to email similar events to a technical support list email alias (you can tune the specificity of alerts).



How to Configure Check Point to Stream Firewall Activity Logs to Immediate Insight


The purpose of this document is to walk the user through configuring a Check Point Security Management Server running the Gaia OS to send its firewall logs to Immediate Insight as an external syslog receiver.

Note: This process was successfully tested in the FireMon lab, however this document should not be considered as fully definitive, for official Check Point documentation please contact Check Point.

This configuration was tested in a GAIA R77 environment, but is valid for the following GAIA versions: (R75.40, R75.40VS, R75.45, R75.46, R75.47, R76, R77, R77.10, R77.20, R77.30)

Important: This procedure is not supported on Check Point SecurePlatform (SPLAT) or Multi-Domain Server environments. A different procedure is available for those environments; please contact iisupport@firemon.com for details.

Step 1: Configure the Check Point Gaia OS to use Immediate Insight as its external syslog server.

  1. Connect to the Gaia OS CLI over SSH (using PuTTY or another terminal emulator) or via the console.
  2. Log into CLISH.
  3. Use the commands below to add the Immediate Insight server as a syslog destination, replacing <immediate-insight-ip> with its address:

    add syslog log-remote-address <immediate-insight-ip> level info (adds the server)
    show syslog all (verifies that the server was added)
    save config (saves the configuration)

Note: In the Check Point GUI, if you check the box “Accept Syslog messages” (Security Management Server properties, expand ‘Logs and Masters’, click ‘Additional Logging’), the Security Management Server will accept these messages itself and they will not be sent to the designated syslog server. Therefore, if you want the messages forwarded to Immediate Insight, leave “Accept Syslog messages” unchecked.

Step 2: Backup and configure the boot script in the CLI of the Check Point GAIA.

  1. Using PuTTY or an appropriate terminal emulator, connect to the CLI, enter Expert mode and back up the current /etc/rc.d/init.d/cpboot script:

    [Expert@HostName]# cp /etc/rc.d/init.d/cpboot /etc/rc.d/init.d/cpboot_ORIGINAL
  2. Using the vi editor, update the /etc/rc.d/init.d/cpboot script by adding the following line at the very bottom of the file (it tails the firewall log and hands each non-empty line to the local syslog daemon with facility local4 and tag CP_FireWall, which Gaia then forwards to the remote address configured in Step 1):

    fw log -f -t -n -l 2> /dev/null | awk 'NF' | sed '/^$/d' | logger -p local4.info -t CP_FireWall &

Step 3: Reboot the Security Management Server.

Step 4: Verify firewall activity logs are being imported into Immediate Insight.

  1. Connect to the GUI of your Immediate Insight instance and open the “DataFlow” menu, then “Collectors.” (By default, Immediate Insight has a collector listening on UDP port 514, which is where the Check Point syslog messages should arrive.)
  2. Next choose the “Search” menu option at the top of the Immediate Insight client to review data.
  3. You can verify from the “Search” screen by using a few different search options.
  • Searching by the IP address of the Check Point syslog source (example search string: sourceFile:"10.0.4.2")
  • Searching by the firewall hostname. (example search string: “CP_FireWall”)
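
As an added check that is not part of the FireMon document, the following Python decodes the syslog envelope the cpboot pipeline produces, so you can confirm what the UDP/514 collector should be receiving: `logger -p local4.info -t CP_FireWall` yields PRI 166 (facility local4 = 20, times 8, plus severity info = 6) and the tag CP_FireWall, which is why the search strings above work. The sample lines are constructed, and the text after the tag is illustrative only, not the real `fw log` output format.

```python
"""Decode RFC 3164 syslog envelopes as a UDP/514 collector would see them and
pick out the Check Point lines forwarded by the cpboot pipeline."""
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>timestamp host tag[pid]: message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Constructed lines. The body after "CP_FireWall:" is illustrative, not the
# real fw log layout; the third line is ordinary host syslog that must be ignored.
SAMPLE = [
    "<166>Jan 12 10:01:02 cpmgmt CP_FireWall: accept rule 12 src 10.1.1.10 dst 10.9.0.5 service https",
    "<166>Jan 12 10:01:03 cpmgmt CP_FireWall: drop rule 99 src 10.2.2.9 dst 10.9.0.5 service telnet",
    "<30>Jan 12 10:01:03 cpmgmt sshd[421]: Accepted publickey for admin from 10.0.0.7",
]


def facility_code(name):
    """Numeric facility for local0..local7 (codes 16..23), as used by logger -p."""
    if name.startswith("local") and name[5:].isdigit() and int(name[5:]) < 8:
        return 16 + int(name[5:])
    raise ValueError("unsupported facility: " + name)


def pri(facility, severity):
    """PRI value that logger -p <facility>.<severity> puts in the angle brackets."""
    return facility_code(facility) * 8 + SEVERITIES.index(severity)


def parse(line):
    """Dict with facility, severity, host, tag and msg, or None if not syslog."""
    m = LINE_RE.match(line)
    if not m:
        return None
    p = int(m["pri"])
    return {"facility": p // 8, "severity": SEVERITIES[p % 8],
            "host": m["host"], "tag": m["tag"], "msg": m["msg"]}


def checkpoint_events(lines):
    """Only the lines the cpboot pipeline tagged CP_FireWall on facility local4."""
    return [e for e in map(parse, lines)
            if e and e["tag"] == "CP_FireWall" and e["facility"] == facility_code("local4")]


if __name__ == "__main__":
    print(pri("local4", "info"))                   # 166
    for e in checkpoint_events(SAMPLE):
        print(e["severity"], e["host"], e["msg"])
```

If the collector shows nothing, compare what arrives against this: a PRI other than 166 or a missing CP_FireWall tag means the logger line in cpboot is not what is running, and no lines at all usually means “Accept Syslog messages” is checked on the Security Management Server or the remote address was not saved.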

Note: If there are any questions or issues with your Immediate Insight product please send an email to iisupport@firemon.com and a support tech will get back with you as quickly as possible.


How do I automatically start Immediate Insight after VM reboot?


By default, the Immediate Insight processes do not start automatically when the VM that Immediate Insight is installed on reboots. This is by design; however, you can override the default behavior as follows:

  1. Open /etc/rc.local in a text editor such as vi or nano, e.g. from the CLI: sudo nano /etc/rc.local
  2. Add the following line right before the line ‘exit 0’:

    sudo -u insight -i /home/insight/app/utils/start-all
  3. Save the file.


What types of data does Immediate Insight support?


Immediate Insight generally supports any type of human readable data (or something that can be converted into a human readable form).

Examples of data sources include (but are not limited to): logs, pcaps, NetFlow, files, emails, JSON, XML, text, CSV and documents.

You can import data manually (drag & drop) or stream it in automatically with our Collector feature. We have a number of pre-built collectors listening on well-known ports (e.g. syslog, NetFlow), and you can also add your own.

For further details on data types and data collection, please consult the Immediate Insight Data Management Guide.


10 Firewall Management Resolutions for the New Year


It’s the start of a new year, and the resolution talk is everywhere. Getting into shape – physically or maybe financially – usually lands at the top of people’s lists. But you may want to look at getting your firewalls into shape as well. If you’re the resolution-making type, consider adding these 10 best practices for improving firewall management to your list.

  1. Monitor firewall changes in real time.
    While this seems pretty obvious, it is surprising how many organizations do basic change monitoring but little in the way of actual change review. It is important to not only monitor change as prescribed by every regulatory security compliance initiative but to also ensure the change does not introduce unacceptable risk, create unnecessary policy complexity or violate security protocol.
  2. Remove technical mistakes.
    Removing technical mistakes is a great start for reducing unnecessary policy complexity that so often creeps into firewall policies over time. Technical mistakes in a firewall policy can be identified as ineffective or incorrect no matter what the firewall is protecting. They are simply rules that will never get used regardless. Two primary examples of technical mistakes are redundant and shadowed hidden rules.
  3. Closely monitor for unused access.
    Unused but permitted access causes both excessive complexity and unnecessary risk. Any access through a firewall introduces some risk to the organization; however, permitted access that is not used is simply latent risk waiting to be exploited. Unused access can also sometimes later raise its head as unintended or inadvertent access – something auditors are sure to look for. It’s important to remediate access that is no longer required as early as possible in the policy review process.
  4. Review rule usage for policy optimization.
    Firewalls tend to be very sequential in operation. They evaluate each rule in the order it is placed. If a firewall’s policy contains a large number of access rules to evaluate and the most utilized access rules are found at the bottom of the rule list, then unnecessary overhead can occur and lead to degraded performance of the firewall over time. A security management solution such as FireMon Security Manager can automate policy behavioral analysis and quickly aid in policy optimization.
  5. Seek out overly permissive access.
    Too often business trumps security, and rules are introduced into a policy that allow much greater access than what is really required. This could be any broad ‘allow’ rule, but we typically find the overly promiscuous ‘ANY’ object being leveraged. Poorly defined or missing business requirements can frequently be linked back to the root cause. Broadly defined rules should be refined to just what is required. The ability to distinguish what is and isn’t being used inside an overly permissive rule can be manually daunting. This is where an automated security management solution can save countless hours.
  6. Document well.
    The benefits of good policy documentation cannot be overstated – better compliance reporting, service restoral, reduced complexity and improved policy management, to name just a few. Documentation of a rule should happen at the time it is introduced into the policy and should be an ongoing effort when policy rule reviews or recertification take place. Ideally rule documentation should be placed in the context of the policy itself and remain searchable and reportable.
  7. Technically enforce policy compliance.
    Security management solutions can be used to technically enforce a written security compliance policy. Security Manager from FireMon includes a flexible audit engine that can automatically inspect new policy rule additions to ensure they align with acceptable security policy guidelines or compliance initiatives.
  8. Implement a consistent change workflow process.
    Change is constant – especially in terms of network access and protection, where daily emerging business requirements demand continual adjustment of defenses. A security-centric workflow solution that draws on the capabilities of an underlying security management solution can allow an organization to analyze, approve, map and carry out configuration changes with full visibility into the resulting conditions, on a repeatable and consistent basis.
  9. Map the network.
    The ability to maintain a visible representation of a complex network greatly aids in the process to secure it. An in-depth understanding of routing paths and security enforcement points along those routes is paramount to ensuring undesirable access is not allowed.
  10. Assess risk.
    Adding additional access to meet the demands of a constantly changing business landscape will never reduce risk. Having the ability to validate newly requested, or proposed, data access models across the network against known existing vulnerabilities can significantly improve the overall security posture of the network by placing you in position to remediate unacceptable risk before it is allowed.
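As an added example (not FireMon's code and not Security Manager's analysis engine), the following Python script checks a constructed, hypothetical rule set for the problems behind resolutions 2 through 6 above: redundant and shadowed rules, unused allow rules, overly permissive ‘ANY’ rules, undocumented rules, and heavily used rules that could safely move up the rule list. It assumes a top-down, first-match firewall; rule names, addresses and hit counts are invented.

```python
# Added example (not FireMon's code): a small checker for the policy hygiene
# problems listed above, run over a constructed, hypothetical rule set.
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List

ANY_NET = ip_network("0.0.0.0/0")


@dataclass
class Rule:
    name: str
    src: str           # CIDR or "any"
    dst: str           # CIDR or "any"
    service: str       # e.g. "tcp/443", or "any"
    action: str        # "allow" or "deny"
    hits: int = 0      # from the firewall's rule usage counters
    comment: str = ""  # rule documentation


def _net(s: str):
    return ANY_NET if s.lower() == "any" else ip_network(s, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet `inner` matches is also matched by `outer`."""
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and outer.service in ("any", inner.service))


def overlaps(a: Rule, b: Rule) -> bool:
    """True when some packet could match both rules (so their relative order matters)."""
    return (_net(a.src).overlaps(_net(b.src))
            and _net(a.dst).overlaps(_net(b.dst))
            and ("any" in (a.service, b.service) or a.service == b.service))


def analyze(rules: List[Rule]) -> Dict[str, list]:
    f = {"shadowed": [], "redundant": [], "unused": [],
         "overly_permissive": [], "undocumented": [], "reorder": []}
    for i, r in enumerate(rules):
        # Resolution 2: rules are evaluated top-down, so an earlier rule that fully
        # covers this one makes it unreachable -- shadowed when the actions differ,
        # redundant when they are the same.
        unreachable = False
        for earlier in rules[:i]:
            if covers(earlier, r):
                key = "redundant" if earlier.action == r.action else "shadowed"
                f[key].append((r.name, earlier.name))
                unreachable = True
                break
        # Resolution 3: permitted but never used access is latent risk.
        if r.action == "allow" and r.hits == 0:
            f["unused"].append(r.name)
        # Resolution 5: two or more ANY tuples in an allow rule is overly permissive.
        anys = sum(x.lower() == "any" for x in (r.src, r.dst, r.service))
        if r.action == "allow" and anys >= 2:
            f["overly_permissive"].append(r.name)
        # Resolution 6: every rule should carry its business justification.
        if not r.comment.strip():
            f["undocumented"].append(r.name)
        # Resolution 4: a busy rule can be moved above rules it does not overlap with
        # (order between non-overlapping rules does not change behaviour), saving
        # evaluations on every packet it matches. Skip rules that are unreachable.
        if unreachable:
            continue
        j = i - 1
        while j >= 0 and not overlaps(rules[j], r):
            j -= 1
        skipped = rules[j + 1:i]
        if skipped and r.hits > max(s.hits for s in skipped):
            f["reorder"].append((r.name, len(skipped)))
    return f


SAMPLE_RULES = [  # constructed policy, evaluated top-down
    Rule("web-in",    "any",         "10.0.1.10/32", "tcp/443",  "allow", 52000, "Public web front end"),
    Rule("deny-tn",   "any",         "10.0.1.10/32", "tcp/23",   "deny",  0,     "Block telnet to web tier"),
    Rule("old-app",   "10.0.5.0/24", "10.0.1.20/32", "tcp/8080", "allow", 0,     "Legacy app, decommissioned?"),
    Rule("any-any",   "10.0.5.0/24", "any",          "any",      "allow", 900,   ""),
    Rule("deny-dev",  "10.0.5.0/24", "10.0.1.40/32", "tcp/22",   "deny",  0,     "No SSH from app tier to dev box"),
    Rule("db-in",     "10.0.5.0/24", "10.0.1.30/32", "tcp/5432", "allow", 3100,  "App tier to database"),
    Rule("admin-ssh", "10.0.9.0/24", "10.0.1.0/24",  "tcp/22",   "allow", 90000, "Admin jump host SSH"),
]

if __name__ == "__main__":
    for category, items in analyze(SAMPLE_RULES).items():
        print(f"{category:18} {items}")
```

On the sample policy the checker reports that ‘deny-dev’ is shadowed by the broad ‘any-any’ rule (the deny never fires), ‘db-in’ is redundant with it, ‘old-app’ is unused, ‘any-any’ is both overly permissive and undocumented, and ‘admin-ssh’ could move up six positions without changing behaviour. Real policies also need service-range and negation handling, which this example deliberately leaves out.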

The post 10 Firewall Management Resolutions for the New Year appeared first on FireMon.

Configure Multiple Network Interfaces


The purpose of this document is to show Immediate Insight users how to configure additional network interfaces from the command line.

Caution: if you connect both eth0 and eth1 to the same network/switch, this will cause a bridge loop and connectivity problems; they must be on separate networks/subnets.

One use case is to put the management and data networks on different subnets.

  1. Connect to the CLI of the Immediate Insight instance using Putty or your terminal emulator of choice.
  2. Edit the following files, adding the lines shown below.
    1. /etc/network/interfaces
      1. iface eth1 inet static (static IP configuration, e.g.)
        • address 192.168.1.100
        • gateway 192.168.1.1
        • netmask 255.255.255.0
      2. iface eth1 inet dhcp (DHCP IP configuration)
    2. /etc/rc.local
      1. ifconfig eth1 up
  3. Run the command ‘sudo reboot’

Another use case would be to use eth1 as a promiscuous-mode packet listener without an IP address. Edit the files below, adding the lines indicated.

  1. /etc/network/interfaces
    • iface eth1 inet manual      (this forces it to have no IP address)
  2. /etc/rc.local
    • ifconfig eth1 up
    • ifconfig eth1 promisc
  3. Then ‘sudo reboot’
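As an added example covering both use cases above (not FireMon's code), the following Python helper renders the /etc/network/interfaces stanza and the rc.local lines for a static, DHCP or IP-less promiscuous eth1, and enforces the caution that eth1 must not share eth0's subnet before producing anything. The addresses are constructed samples. One design note: ifupdown installs a default route for every gateway line, so if eth0 already has a gateway, adding a second one on eth1 gives the VM two default routes; keep the gateway line only where that is intended.

```python
# Added example (not FireMon's code): render the /etc/network/interfaces and
# rc.local lines for each eth1 mode above, and check the subnet caution first.
from ipaddress import ip_interface
from typing import List


def render_iface(name: str, mode: str, address: str = "",
                 netmask: str = "", gateway: str = "") -> str:
    """Return an ifupdown stanza. mode: 'static', 'dhcp', or 'manual' (no IP, sniffer port)."""
    if mode == "static":
        if not (address and netmask):
            raise ValueError("static mode needs address and netmask")
        lines = [f"iface {name} inet static",
                 f"    address {address}",
                 f"    netmask {netmask}"]
        if gateway:
            lines.append(f"    gateway {gateway}")
    elif mode in ("dhcp", "manual"):
        lines = [f"iface {name} inet {mode}"]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return "\n".join(lines) + "\n"


def rc_local_lines(name: str, promisc: bool = False) -> List[str]:
    """Lines to add to /etc/rc.local (before 'exit 0') to bring the interface up."""
    lines = [f"ifconfig {name} up"]
    if promisc:
        lines.append(f"ifconfig {name} promisc")
    return lines


def same_subnet(a: str, b: str) -> bool:
    """a, b as 'addr/prefix' or 'addr/netmask'. True when both would sit on one subnet."""
    return ip_interface(a).network.overlaps(ip_interface(b).network)


def plan_eth1(eth0: str, mode: str, address: str = "", netmask: str = "",
              gateway: str = "", promisc: bool = False) -> dict:
    """Build both file fragments, refusing a static eth1 that lands on eth0's subnet."""
    if mode == "static" and same_subnet(eth0, f"{address}/{netmask}"):
        raise ValueError(f"eth1 {address}/{netmask} is on the same subnet as eth0 {eth0}")
    return {"interfaces": render_iface("eth1", mode, address, netmask, gateway),
            "rc_local": rc_local_lines("eth1", promisc)}


if __name__ == "__main__":
    # Constructed sample: eth0 management on 10.0.0.0/24, eth1 data on 192.168.1.0/24.
    data = plan_eth1("10.0.0.5/24", "static", "192.168.1.100", "255.255.255.0", "192.168.1.1")
    print(data["interfaces"])
    print("\n".join(data["rc_local"]))
    # Second use case: IP-less promiscuous listener.
    sniff = plan_eth1("10.0.0.5/24", "manual", promisc=True)
    print(sniff["interfaces"])
    print("\n".join(sniff["rc_local"]))
```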

Below is the Immediate Insight configuration for a packet listener command, making use of the eth1 promiscuous port.

Edit the Packet Capture command in DataFlow -> Remotes to assign the eth1 interface. Do this by adding -i eth1 to the command string (the default is eth0):

(echo '@@sourceFile:tsharktag'; sudo tshark -i eth1 -b filesize:5000 -b files:5 -w /tmp/tsjunk -t ad -T fields -e frame.number -e col.Time -e col.Source -e col.Destination -e col.Protocol -e col.Length -e col.Info -E header=n -E separator=, -E quote=d 'not(host @@agentIP)') |nc @@serverIP 3003;sudo rm /tmp/tsjunk*

The post Configure Multiple Network Interfaces appeared first on FireMon.


What resources do I need to install the Free Community Edition of Immediate Insight?


The Free Community Edition of Immediate Insight has all the features of the paid license; the only difference is it allows storage and search of a lower volume of data (25 million concurrent events) compared to the paid license (hundreds of millions or billions of events). Because the Free Edition stores less data, it can be installed with lighter computing resources than when using the paid license.

The following are the minimum recommended specifications for installing the Free Community Edition of Immediate Insight:

  • Installs on a computer using VM Workstation, VM Player, or VM Fusion (version 8 or newer)
  • 4 Virtual Cores
  • 8 GB Ram
  • 60 GB Disk Space

The Free Community Edition of Immediate Insight is available for download here.

For a demonstration of how to install the Free Edition of Immediate Insight, please view this video:

A brief Quick Start Guide is also available: Immediate Insight – Free Community Edition – QuickStart – Jan 2016.

To request further documentation or for other questions or assistance with your Free Community Edition of Immediate Insight, please email iisupport@firemon.com.

The post What resources do I need to install the Free Community Edition of Immediate Insight? appeared first on FireMon.

Do you have a sample set of commonly useful searches that I can start with?


Immediate Insight allows you to search any words or entities that you wish, many of which will be specific to your needs and environment. However it can be helpful to have a starting point of common search terms that are applicable to many situations. The Immediate Insight Pinboard allows you to organize sets of bookmarked searches for easier viewing. Attached please find a sample Pinboard of searches, sometimes referred to as negative sentiment words, that gives you a starting point. You can easily edit this and/or create additional Pinboards of your own.

To import the Pinboard into your Immediate Insight system:

  • Download, then un-zip the file below (resulting file has .ii file extension)
  • Log into the Immediate Insight GUI
    • Go to Data Flow -> Import screen. Drag and Drop your .ii file to ‘Import as Blobs’
    • Click the Immediate Insight icon in the top left hand corner of the GUI, then the Computer Icon below.
    • Click the ‘Situations to Watch’ link (if you don’t see the link, swipe the screen to the left)
  • For a further tutorial on how to build and navigate Pinboards you can watch this video – https://youtu.be/XYrEaauoyXE

Other sample Pinboards are also available for more specific use cases.

For further assistance with Pinboards please contact iisupport@firemon.com.

Immediate-Insight-Sample-Pinboard.zip

The post Do you have a sample set of commonly useful searches that I can start with? appeared first on FireMon.

How do I backup and restore an Immediate Insight configuration?


To back up the Immediate Insight configuration, you will need to copy the following files to another system (after opening an SFTP or SCP connection to Immediate Insight and logging in as user ‘insight’). These files are all located in the /home/insight/app/config directory:

  • agent-settings.conf
  • collectors.conf
  • filters.conf
  • ipRep.conf (if present)
  • license.lic (if you are using a licensed copy of Immediate Insight)
  • marshal-settings.conf
  • server-settings.conf
  • users.conf
  • wfTrack.conf (if present)

If you want a backup of any previously created Pinboards, you must also export those from the Immediate Insight GUI. Since Pinboards are user specific, log in using the applicable GUI user account (the default GUI user account is ‘admin’). Here is the process for exporting the Pinboards:

  1. Login to the Immediate Insight GUI, then click the flag icon near the top right-hand corner & click ‘Manage Pinboards & Bookmarks’
    [screenshot: manage-pinboards]
  2. Click ‘Share’, then click ‘Copy All to Shareboard’
    [screenshot: Copy-to-shareboard]
  3. From the Flag Icon, click ‘Share Configurations’
    [screenshot: Share-config]
  4. Then click ‘Export’ after the Shareboard opens
    [screenshot: Shareboard-export]
    This will download the file ‘Immediate-Insight-Configuration.ii’ to the computer you are using to browse to the GUI. Keep the file somewhere along with the .conf files you downloaded earlier.

To restore the Immediate Insight configuration, follow these steps:
(Note: if you are deploying a replacement VM, you will first need to run the ‘install’ script from the VM console to assign an IP address. If the original VM is still reachable via the CLI, you can skip this step.)

  • Using SFTP or SCP, login to Immediate Insight as user ‘insight’
  • cd /home/insight/app/config
  • copy back over the previously saved files;
    • agent-settings.conf
    • collectors.conf
    • filters.conf
    • ipRep.conf (if present)
    • license.lic (if you are using a licensed copy of Immediate Insight)
    • marshal-settings.conf
    • server-settings.conf
    • users.conf
    • wfTrack.conf (if present)
  • from the Console type ‘sudo reboot’
  • next login to the GUI and restore the Pinboards
  • take the previously saved Immediate-Insight-Configuration.ii and Drag & Drop it into DataFlow -> Import -> Import as Blobs
    [screenshot: Import-blob]
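As an added example (not FireMon's code), the Python script below automates the file half of the backup and restore procedure above: it copies the listed files out of the config directory, treats the ‘if present’ files as optional but aborts if a required one is missing, records a SHA-256 manifest, and verifies the restored copies against that manifest before you type ‘sudo reboot’. Because users.conf and license.lic are sensitive, the backup directory and its files are created with owner-only permissions. The demo runs entirely on constructed placeholder files in a temp directory; the real paths (/home/insight/app/config) are only mentioned in the usage note.

```python
# Added example (not FireMon's code): copy the configuration files listed above
# into a backup directory, treating the optional ones as optional, and record a
# SHA-256 manifest so the restored copies can be verified before 'sudo reboot'.
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

REQUIRED = ["agent-settings.conf", "collectors.conf", "filters.conf",
            "marshal-settings.conf", "server-settings.conf", "users.conf"]
OPTIONAL = ["ipRep.conf", "license.lic", "wfTrack.conf"]   # "if present" on the page


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def backup_config(config_dir: Path, dest: Path) -> Dict[str, str]:
    """Copy the config files to `dest`; returns {name: sha256}. A missing REQUIRED file aborts."""
    dest.mkdir(parents=True, exist_ok=True)
    dest.chmod(0o700)                      # users.conf and license.lic are sensitive
    manifest: Dict[str, str] = {}
    for name in REQUIRED + OPTIONAL:
        src = config_dir / name
        if not src.is_file():
            if name in REQUIRED:
                raise FileNotFoundError(f"required config file missing: {src}")
            continue
        shutil.copy2(src, dest / name)
        (dest / name).chmod(0o600)
        manifest[name] = sha256(src)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def restore_config(backup_dir: Path, config_dir: Path) -> List[str]:
    """Copy every file named in the manifest back into config_dir; returns the names restored."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    for name in manifest:
        shutil.copy2(backup_dir / name, config_dir / name)
    return sorted(manifest)


def verify_restore(backup_dir: Path, config_dir: Path) -> List[str]:
    """Names whose copy in config_dir is missing or differs from the manifest digest."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    return sorted(name for name, digest in manifest.items()
                  if not (config_dir / name).is_file() or sha256(config_dir / name) != digest)


def demo_roundtrip() -> dict:
    """Backup -> tamper -> restore on constructed files in a temp dir; returns each step's report."""
    root = Path(tempfile.mkdtemp())
    cfg, bak = root / "config", root / "backup"
    cfg.mkdir()
    for name in REQUIRED:                      # constructed placeholder contents
        (cfg / name).write_text(f"# {name}\n")
    (cfg / "license.lic").write_text("# constructed license placeholder\n")
    manifest = backup_config(cfg, bak)
    clean = verify_restore(bak, cfg)
    (cfg / "users.conf").write_text("# accidentally overwritten\n")
    tampered = verify_restore(bak, cfg)
    restored = restore_config(bak, cfg)
    after = verify_restore(bak, cfg)
    shutil.rmtree(root)
    return {"backed_up": sorted(manifest), "clean": clean, "tampered": tampered,
            "restored": restored, "after_restore": after}


if __name__ == "__main__":
    print(json.dumps(demo_roundtrip(), indent=2))
```

Against a live system you would run `backup_config(Path("/home/insight/app/config"), Path("/secure/backups/insight"))` as the ‘insight’ user, and after copying the files back, `verify_restore(...)` should return an empty list before you reboot.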

The post How do I backup and restore an Immediate Insight configuration? appeared first on FireMon.

How can I integrate data from FireMon Security Manager into Immediate Insight?


The purpose of this document is to walk the user through the new integration for collecting Security Manager Change Events into Immediate Insight.

Part A – Integration Pre-Requisites

Note: this integration requires Immediate Insight version app-2016-02-04 (or newer), which can be obtained by typing ‘update’ from the Immediate Insight CLI (internet connectivity required). Security Manager 8.2 or newer is required.

Immediate Insight and Security Manager must be configured with the correct certificates so that they can exchange data. Here are the required steps:

  • Login to the Immediate Insight CLI (user ‘insight’, default pw ‘WhatsHappeningNow’) and type the following;
    • create-fmos-certs (creates the certificates)
    • cd app/config/certs
    • from the Immediate Insight CLI, open an SFTP connection to Security Manager (login with an FMOS account assigned administrator level privileges) – e.g. sftp fmadmin@ (provide FMOS password when prompted)
      • Next put the previously created certificates onto Security Manager
        • put localhost.crt
        • put localhost.key
        • put rootCA.pem
  • open a CLI connection to Security Manager (login with administrator level FMOS account credentials) and move the previously uploaded certificate files to the correct directories
    • e.g. ssh fmadmin@ (provide FMOS password when prompted)
      • sudo mv localhost.crt /etc/pki/tls/certs
      • sudo mv localhost.key /etc/pki/tls/private
      • sudo mv rootCA.pem /etc/pki/ca-trust/source/anchors
    • next (still from the Security Manager FMOS CLI) apply the new certificates
      • sudo update-ca-trust
      • sudo reboot
        Note: the certs survive reboot, but may not survive a Security Manager upgrade – therefore keep a copy of the files from step 1 in case you need to restore the cert files after an upgrade
  • Optional – if you want to stop certificate warning messages in your browser, install the following file into your browser (see the Immediate Insight Install Guide for more details on this task)
    • /home/insight/app/config/certs/rootCA.pem

Part B – Live Collection of Security Manager Events into Immediate Insight

To collect live Change events from Security Manager, you need to configure a Security Manager Collector in Immediate Insight. You will need valid web console admin level credentials & connectivity to Security Manager.

Login to Immediate Insight GUI,

  • go to DataFlow -> Collectors and click the + button on the Collectors form, then select ‘Security Manager Collector’
  • Specify the IP Address of Security Manager
  • Provide a valid web console admin level username and password for Security Manager
  • Set the Data TTL for how long you want to keep the data (e.g. 30d)
  • Optionally you can assign the data to something other than the default ‘main-stream’ repository, to make it easier to search Security Manager data separately from other data coming into the system.
    • In this case you must first create the repository at the CLI, e.g. ‘new-repo sm’, which will then provide sm-stream as an available selection in the GUI
  • Give the collector a suitable name
  • The other values can normally be left at their defaults.
  • Click the ‘Add’ button when ready
    [screenshot: Add-Collector]

Part C – Confirm Security Manager Change Events are coming into the system.

Go to the DataFlow -> Collectors screen

Scroll down to your new Security Manager Collector, and check that the Status says ‘running’ (it can take a minute or so to initially change from ‘Connecting’ to ‘Running’) – if it does not say ‘Running’ confirm your credentials, certificates, and network connectivity before proceeding.

If Status is ‘running’ you will see Security Manager Change Events show up as indicated by the ‘Records’ counter.

[screenshot: SecurityManagerCollector]

Note: depending on how Security Manager Configuration Change Monitoring is set up, it may take anywhere from minutes to hours to see data. Below is an example of configuring hourly change monitoring in Security Manager for a particular device managed by Security Manager. Note that both ‘Change Monitoring’ and ‘Log Monitoring’ must be enabled; the default ‘Check for Change Interval’ may be too long to be useful, so change it if needed. (Please see the Security Manager documentation for full details on configuring Change Monitoring.)

[screenshot: Monitoring]

Part D – Search some sample Security Manager Change Events in Immediate Insight

Go back to the Immediate Insight Search tab, then do one of the following to search for Security Manager Change event records.

  • Specify the separate repository if you configured one in Part B (e.g. sm-stream); if not, type “id action” in the search string
  • Then click Search. The event Search Results will look similar to the screenshots below; you can then expand the details to look at the ‘Full Text’ and ‘Metadata’ for particular events.
  • If the end device passes the name of the user to Security Manager, the user who made the changes will also appear in Immediate Insight; otherwise the user will be ‘DC_Automated’. For best user details, it is suggested to configure end devices to forward their syslogs to Security Manager.
    [screenshot: Search]

    [screenshot: Search2]

  • You can then also go to ‘Microscope’, ‘Associations’, ‘Event Clusters’ etc. (just as you would for other data collected by Immediate Insight) to correlate and analyze the results (some sample screenshots below)

    [screenshot: Search3]

    [screenshot: Microscope]

    [screenshot: Microscope2]

Searches can also be combined with other non-Security Manager data sources allowing for context and correlation of information from across your security related ecosystem. (For further details on Searching with Immediate insight please consult the User Guide)

The post How can I integrate data from FireMon Security Manager into Immediate Insight? appeared first on FireMon.

How to make Kibana dashboards using Immediate Insight collected data


Background

FireMon’s Immediate Insight product is a powerful real-time IT data analytics solution. It provides excellent data discovery, search, & analysis capabilities. Furthermore search results can be saved to Immediate Insight Pinboards for dynamic reporting. Immediate Insight is particularly well suited to monitoring and analysis of unstructured data, & unknown issues which have in the past been difficult to find. As a complement to these capabilities, customers may be interested in producing more traditional security and operations dashboards centered around known metrics. Immediate Insight’s architecture (built on top of Elasticsearch) allows use of third party tools, for example open source tool Kibana, for easy dashboarding of both structured and unstructured data metrics made available by Immediate Insight data enrichment.

The following use case paper outlines a procedure to connect Kibana to Immediate Insight, and produce a simple example dashboard (for complete documentation on Kibana please consult https://www.elastic.co/guide/en/kibana/current/index.html ). It is assumed for the purposes of these instructions that Immediate Insight is already installed on another VM, if you have not yet installed Immediate Insight, please contact FireMon for documentation and assistance.

(Please note that Kibana is not a FireMon product, and FireMon LLC provides no official warranty or support of the Kibana software nor its interoperability with FireMon’s Immediate Insight product.)

Step 1 – Prepare Immediate Insight for use with Kibana

By default, the Ubuntu firewall settings on your Immediate Insight virtual appliance block external access to port 9200, which is required by Kibana to connect to the Immediate Insight Elasticsearch instance. The easiest way to overcome this is to clear the firewall rules (procedure for that is shown below, however in a production environment is it recommended to explicitly adjust the firewall rules based on your own environment to allow external access only where needed)

ssh <ip-address-of-immediate-insight>

login (default password for user insight is WhatsHappeningNow)

$ sudo firewall clear

(Note: if you later need to revert to the original Immediate Insight firewall settings, use the command; sudo firewall enable)

You will need to know the Immediate Insight search indexes that you wish to dashboard with in Kibana. The default search index is the ‘main-stream’ repository, however you may have configured others that you wish to use. From the CLI type the command ‘add-user -l’ to see if other repositories exist (make a note of them). For example, below we notice the repository gregprivate is available in addition to main.

[screenshot: ImIn-add-user]

Step 2 – Install Kibana and modify its configuration file to point to Immediate Insight

You’ll first need to install Kibana (we recommend Kibana 4.1.4 which is compatible with the current version of Immediate Insight’s Elastic Search). Although it may be possible to install Kibana on the same VM instance as Immediate Insight, we strongly recommend that you install Kibana on a separate VM or Server to avoid conflicts. Instructions below are to install Kibana on Ubuntu Linux (we tested with Ubuntu 14.04.2), although Kibana can also be installed on Windows, Mac, or other Linux distributions.

Download Kibana 4 to your Ubuntu home directory with the following command:

$ cd ~; wget https://download.elasticsearch.co/kibana/kibana/kibana-4.1.4-linux-x64.tar.gz

Extract Kibana archive with tar:

$ tar xvf kibana-*.tar.gz

Open the Kibana configuration file for editing:

$ sudo nano ~/kibana-4*/config/kibana.yml

Edit the host field, changing it to the IP address where you have Kibana installed, also edit the elasticsearch_url field, changing the localhost part to that IP address of your Immediate Insight (example shown below), then save the file:

[screenshot: Kibana-config]
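As an added example (not FireMon's or Elastic's code), the following Python helper scripts the two kibana.yml edits described above and reads the result back so the change can be checked rather than eyeballed. It runs on a constructed excerpt of a Kibana 4.1 configuration containing only the keys the procedure touches; the IP addresses are placeholders. It fails loudly if a key is absent, which is the behaviour you want when a Kibana upgrade renames configuration keys.

```python
# Added example (not FireMon's or Elastic's code): script the two kibana.yml edits
# above and read the result back, on a constructed excerpt of a Kibana 4.1 config.
import re

# Constructed excerpt: the three keys the procedure cares about, with their defaults.
SAMPLE_KIBANA_YML = """\
# Kibana is served by a back end server. This controls which port to use.
port: 5601

# The host to bind the server to.
host: "0.0.0.0"

# The Elasticsearch instance to use for all your queries.
elasticsearch_url: "http://localhost:9200"
"""


def set_key(text: str, key: str, value: str) -> str:
    """Replace the value of a top-level `key:` line (quoted); raise if the key is absent."""
    pattern = re.compile(rf"^({re.escape(key)}:\s*).*$", re.M)
    if not pattern.search(text):
        raise KeyError(f"{key} not found in kibana.yml")
    return pattern.sub(lambda m: f'{m.group(1)}"{value}"', text, count=1)


def configure_kibana_yml(text: str, kibana_ip: str, insight_ip: str) -> str:
    """Bind Kibana to its own address and point it at Immediate Insight's Elasticsearch on 9200."""
    text = set_key(text, "host", kibana_ip)
    return set_key(text, "elasticsearch_url", f"http://{insight_ip}:9200")


def kibana_settings(text: str) -> dict:
    """Parse top-level 'key: value' lines (quotes stripped) so the edit can be verified."""
    return dict(re.findall(r'^(\w+):\s*"?([^"\n]*?)"?\s*$', text, re.M))


if __name__ == "__main__":
    # Placeholder addresses: 10.0.0.5 = Kibana VM, 10.0.0.9 = Immediate Insight VM.
    cfg = configure_kibana_yml(SAMPLE_KIBANA_YML, "10.0.0.5", "10.0.0.9")
    print(cfg)
    print(kibana_settings(cfg))
```

For the real file, read ~/kibana-4*/config/kibana.yml, pass its text through `configure_kibana_yml`, and write it back; `kibana_settings` on the result should show host set to the Kibana VM's address and elasticsearch_url pointing at the Immediate Insight VM on port 9200.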

Create a /opt/kibana directory with the following command:

$ sudo mkdir -p /opt/kibana

Next copy the Kibana files into your newly-created directory:

$ sudo cp -R ~/kibana-4*/* /opt/kibana/

Kibana can now be started

To start Kibana manually

$ cd /opt/kibana/bin

$ ./kibana

However it is preferable to start Kibana as a service so that it stays persistent after reboot.

Download a Kibana init script with this command (one line):

$ cd /etc/init.d && sudo wget https://gist.githubusercontent.com/thisismitch/8b15ac909aed214ad04a/raw/bce61d85643c2dcdfbc2728c55a41dab444dca20/kibana4

Now enable the Kibana service, and start it:

$ sudo chmod +x /etc/init.d/kibana4

$ sudo update-rc.d kibana4 defaults 96 9

$ sudo service kibana4 start

Step 3 – Configure Kibana to connect to the Immediate Insight Index

Access the Kibana web interface;

http://<ip-address-kibana>:5601

Click the Settings tab. By default it will show the Index name ‘logstash-*’, you need to change this to the Immediate Insight index name – most likely you should start with main-stream (unless you know your data is in another repository). After entering ‘main-stream*’ for the Index name, click the Time-Field name pull down and select ‘rcvTime’ – then click ‘Create’

[screenshot: Config-index-pattern]

Under Indices, you will now see main-stream*; select it (on the right you’ll note the various metric fields available from Immediate Insight). Click the green star logo to make main-stream* your default index.

[screenshot: Main-stream]

(Optional) – if you have an additional Immediate Insight index (aka repository) that you wish to be able to report on, click the Add New button and repeat the process (following along from our earlier example, this could be done for gregprivate*)

Step 4 – Configure Kibana Discovery of Immediate Insight data

Click the Discover link. Assuming there is data coming into Immediate Insight’s main-stream repository, you should see data events below. Here you also choose the Time Filter and Refresh Interval; because Immediate Insight already provides excellent real-time monitoring capabilities (and to reduce unnecessary performance overhead), we suggest starting with a longer Kibana Time Filter such as 24 hours and a Refresh Interval of 15 minutes. (Note: Kibana queries place some overhead on Immediate Insight.)

Note: you won’t be able to use Kibana to view data older than the Data TTL available from the Immediate Insight index.

[screenshot: Kibana-discover]

Step 5 – Configure Kibana Visualizations from Immediate Insight data

Although Kibana offers many different ways to create graphs of different formats, the easiest way for Immediate Insight is to find a metric Field, that interests you, click on the Field on the left of the page to expand it, then click the Visualize link below the Field.

[screenshot: Selected-fields]

You can accept the default graph formats, or edit them as offered. Next click Apply, then click the Save Visualization icon, give it an appropriate Title, then click Save.

[screenshot: Log-severity]

Repeat the process to create other Visualizations which you may want to put on Dashboards. Note that you can create Visualizations from different Indices (aka repositories), and if you wish these can later be mixed on the same Dashboard, or split across multiple Dashboards.

Step 6 – Create Kibana Dashboards
Your previously saved Visualizations are available to put on Dashboards. Click Dashboards, click the + icon to add Visualizations, select the ones you want, give the Dashboard a name, then click the Save Dashboard icon.

[screenshot: Kibana-dashboard]

You can now click the Load Saved Dashboard icon to view your Dashboard. Note that you can optionally change the time period or further edit the Dashboard as needed.

[screenshot: Kibana-dashboard-graph]

Kibana is capable of producing many different styles and varieties of Visualizations and Dashboards; we have provided but a simple example here to get you started. Full instructions on the configuration of Kibana are beyond the scope of this document – but we hope this introduction gives you an idea of what could be possible using the Immediate Insight data.

The post How to make Kibana dashboards using Immediate Insight collected data appeared first on FireMon.
