Brochure
LANguard S.E.L.M. brochure (PDF - 100Kb)
Many companies mistakenly assume that unauthorized
access is only attempted by external parties. Actually, the majority
of corporate security threats stem from internal sources, such as
users accessing confidential data. Of course, your network provides
for security, but many 'backdoors' exist. A firewall offers no
protection against attacks from within the company. Furthermore, how
can you verify that your firewall is actually blocking out all
external attacks?
LANguard S.E.L.M. does this by monitoring the
security event logs of all your Windows 2000/NT servers and
workstations and alerting you to possible intrusions/attacks in real
time. Because LANguard S.E.L.M. is not a network-based IDS, it is
not impaired by switches, IP traffic encryption or high-speed data
transfer, as are traditional intrusion detection products.
Whitepaper -
Why you need LANguard S.E.L.M. & how to use it on your network
This white paper demonstrates that the audit and
reporting facilities in Microsoft Windows NT and Microsoft Windows
2000, although a good foundation, fall far short of fulfilling
real-life business needs. Therefore, the need exists for a log-based
intrusion-detection and -analysis tool such as GFI’s LANguard
Security Event Log Monitor (S.E.L.M.). This paper explains how
LANguard S.E.L.M.’s innovative architecture can fill the gaps in
Windows NT/2000’s Security log functionality - without hurting
performance and while remaining cost effective. This white paper is
written by Randy Franklin Smith, writer of the in-depth series on the
NT/2000 security log for Windows 2000 Magazine.
Whitepaper -
Immediate intrusion detection: Catching hackers red-handed on your
web server!
This white paper focuses on how administrators can
set up their web servers successfully and safely. Describing the
tools used by hackers to gain backdoor access to your IIS web
servers, this paper details the necessary steps to detect successful
intrusions on your network, as well as explaining how to prevent
such attacks on your web server, using LANguard Security Event Log
Monitor.
Respond quickly to important events without
spending hours examining logs
LANguard S.E.L.M. powerfully expands the basic audit and
reporting facilities found in Windows NT/2000 to enable
administrators to meet daily business needs:
- LANguard S.E.L.M. notifies you of critical
  security events in real time and provides tips for interpreting
  events in the context of other activity and recommended courses of
  action.
- Through LANguard S.E.L.M.'s pre-built event viewer
  filters, you can quickly check for any high security events on a
  daily basis and examine medium and low security events on a weekly
  or monthly basis.
- Use LANguard S.E.L.M.'s report module for in-depth
  investigations and trends analysis.

Features
Network-wide analysis of security event logs made
easy!
If you are already using the Windows NT/2000 security logs for
analysis, LANguard S.E.L.M.'s automated network-wide analysis has a
number of advantages over manual security event log analysis:
- Provides real time monitoring and notification
- Solves fragmented audit trails by consolidating
  all security events in a single database
- Allows central archiving of events for reporting
  and backup
- "Translates" the often cryptic descriptions to
  clear concise explanations and suggestions for action
- Removes "noise" events that make up a large ratio
  of all security events
- Solves the problem of security log files being
  tampered with
View reports on key security information
happening on your network
Use LANguard S.E.L.M.'s powerful reporter to identify key security
trends. LANguard S.E.L.M. includes a number of standard reports,
which you can customize. LANguard S.E.L.M. also allows you to create
custom reports from scratch. Here are a few of the reports included
with LANguard S.E.L.M.:
Monitor access to important files
By auditing failed access to important files you can check who is
attempting to access those files. This enables you to pre-empt more
extensive network 'attacks' or hacking attempts based on social
engineering (where, for example, hackers become friendly with the
person who has access to desired files to try and obtain the
password or password clues). LANguard also allows you to audit
successful access to files, meaning you can record who accessed the
files and when.
Intelligent analysis of security events
LANguard S.E.L.M. sifts through all the "noise" in your security
logs and just notifies you of the critical events by prioritizing
events according to:
- Type of event
- Security level of each computer
- Whether event occurred during normal operating
  hours
- Role of computer (workstation, member server or
  domain controller)
LANguard S.E.L.M. also takes into account the
differences in how events are logged on NT computers as compared to
Windows 2000. Once LANguard S.E.L.M. has analyzed events, it
categorizes them into 4 different categories: critical, high
security, medium security and low security events.
Advanced filtering of security events using the
LANguard S.E.L.M. Event Viewer
The Windows 2000 standard event viewer has limited features, and can
only view one computer at a time. LANguard's Event Viewer provides a
single view of all security events on all your machines, and also
offers advanced filtering capabilities. For example, you can filter
based on user, computer, PC security level, and more. It also
includes a condition builder to enable you to make advanced filters
on a combination of these variables.
Email-based alerts: Send alerts to email inbox,
pager or mobile phone
After an intrusion is detected, LANguard S.E.L.M. can alert one or
more people by email. Because you can configure multiple email
addresses, you can easily set up alerts to be sent to a pager or a
GSM phone. Simply direct the email alert to an email-to-pager or
email-to-SMS gateway service or to locally installed gateway
software. Alerts can be configured based on security level.
Intrusion detection the right way!
Many 'network-based' intrusion detection products are difficult to
deploy because they work by sniffing network traffic. Switches,
traffic encryption (IPsec & SSL) and the sheer high speed of today's
networks make network-based IDS products 'go blind'.
In addition, network-based IDS tools can only look at the bytes of
packets sent over the network and therefore can only monitor for
attacks/patterns recognizable at the network level - a system that
is soon outdated as these patterns are constantly changing. Only a
host based IDS can monitor attacks within the context of operating
system objects like user accounts, groups and files.
LANguard S.E.L.M. analyses Windows NT/2000 event logs and is not
impaired by switches, IP traffic encryption or high-speed data
transfer. Since LANguard S.E.L.M. is based on security logs, it can
detect vital events relating to an attack, such as failed logons,
account lockouts, and more.
No impact on network performance
LANguard S.E.L.M. has a very efficient event log collector agent,
allowing real time collection of security events without impacting
network performance. You can adjust the event collection frequency
for each computer according to the computer’s security level and role.
LANguard S.E.L.M. currently only retrieves security event logs. A
version that retrieves all event logs - including application and
system event logs - will be available in Q2 of 2002.
Detect web server intrusion
LANguard S.E.L.M.’s special features for object access auditing
allow you to detect web server intrusion as well as track access to
critical files on internal servers.
A partial list of events that LANguard S.E.L.M.
monitors:
- Kerberos & NTLM authentication events
- Rights usage and assignments
- Workstations being accessed remotely
- Attacks using local user accounts
- Logon failures occurring in your network
- Accounts getting locked out
- Expired user accounts
- User accounts being created
- Successful logon of an administrator outside
  office hours
- Account password changes
- Global & local group members being added
- New trusted domain
- User account changed
- Audit log cleared