Hello,

I have read with interest the recent thread on SNMP and Email. I have nothing to add 
to this other than to say that the mechanism that Mark suggests works well:

Engine -> Trap -> IT/O -> Escalation via Interface or Email.

Using an Email you can also feed the response into a Problem Tracking database if you 
see fit.

===================================================================================

Now I have a question! Especially for those of you who integrate Firewall-1 and 
Realsecure from ISS.

If, in addition to other responses, we request that the Engine perform an OPSEC 
"FIREWALL" response to a Checkpoint Firewall and an "Inhibit and Close" on the source 
IP address, how can I be sure that the action is successful?

Looking at the Realsecure data it is very easy to see that, yes, the IDS sent a 
request to the firewall (response FIREWALL is sent in the trap).

On the other side how do we know that the firewall actually actioned the request?

Looking at the Checkpoint log we find two entries:

(In this case, fwm and fwd are co-located in the test environment)

Entry 1

3679;25Sep2000;19:35:36;ip_of_cpfwm;log;accept;;lan0;inbound;tcp;ip_of_rsengine;ip_of_cpfwm;FW1_sam;4364;44;9; ; ; ; ; ;

Entry 2

3680;25Sep2000;19:36:57;ip_of_cpfwm;control;ctl;;daemon;inbound;;;;;;;;;;;;;SAM 'inhibit + close' (no connections closed)  src 202.157.130.32  expire 600  (sent from ip_of_rsengine to if_of_fwm on port 18183)

It can be seen that the second entry confirms that the Realsecure request is 
successful. Also, that log entry is not created in response to a Firewall rule 
condition, so I am not directly able to assign an SNMP response to it in the 
Checkpoint GUI.

How would I inform Openview via SNMP that the reconfiguration was successful and 
reassure operations that the IDS actually worked?

Stephen

Stephen J. Cooper
Senior Systems Analyst
Bank for International Settlements
Phone: +41 61 2806792
Fax: +41 61 2809100

This user's PGP Public Keys can be
obtained from certserver.pgp.com
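As an added example, not part of Stephen's post and not ISS, Check Point or HP code: a small Python script that scans exported Check Point log lines for the fwd "control" record that acknowledges a SAM request, extracts the inhibited source address and expiry, and assembles a net-snmp `snmptrap` invocation that would carry that confirmation to OpenView. The two log entries from the post are embedded as constructed sample input (re-joined onto one line each, since the mail client wrapped entry 2). The field positions assumed for the semicolon-separated export (record number, date, time, origin, type, action), the trap OID and the manager hostname are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: the two Check Point log entries quoted in the post.
SAMPLE_LOG = """\
3679;25Sep2000;19:35:36;ip_of_cpfwm;log;accept;;lan0;inbound;tcp;ip_of_rsengine;ip_of_cpfwm;FW1_sam;4364;44;9; ; ; ; ; ;
3680;25Sep2000;19:36:57;ip_of_cpfwm;control;ctl;;daemon;inbound;;;;;;;;;;;;;SAM 'inhibit + close' (no connections closed)  src 202.157.130.32  expire 600  (sent from ip_of_rsengine to if_of_fwm on port 18183)
"""

# Free-text part of the control record, as it appears in the post.
SAM_RE = re.compile(
    r"SAM '(?P<action>[^']+)'\s*(?:\((?P<detail>[^)]*)\))?\s*"
    r"src (?P<src>\S+)\s+expire (?P<expire>\d+)\s*"
    r"(?:\(sent from (?P<sender>\S+) to (?P<target>\S+) on port (?P<port>\d+)\))?"
)


@dataclass
class SamConfirmation:
    record: str            # log record number
    timestamp: str         # date and time as logged
    action: str            # e.g. "inhibit + close"
    src: str               # address the firewall is now inhibiting
    expire: int            # seconds until the SAM entry lapses
    sender: Optional[str]  # host that issued the request (the IDS engine)
    closed_connections: bool


def parse_sam_confirmations(lines: Iterable[str]) -> List[SamConfirmation]:
    """Return one SamConfirmation per fwd 'control' record carrying a SAM message.

    Assumed export layout: fields 0..5 are record;date;time;origin;type;action.
    Ordinary rule-match records (type 'log') never confirm a SAM action, so
    they are skipped even if their text happens to mention SAM.
    """
    found = []
    for line in lines:
        fields = line.rstrip("\n").split(";")
        if len(fields) < 6 or fields[4] != "control":
            continue
        m = SAM_RE.search(line)
        if not m:
            continue
        detail = m.group("detail") or ""
        found.append(SamConfirmation(
            record=fields[0],
            timestamp=f"{fields[1]} {fields[2]}",
            action=m.group("action"),
            src=m.group("src"),
            expire=int(m.group("expire")),
            sender=m.group("sender"),
            closed_connections="no connections closed" not in detail,
        ))
    return found


def build_snmptrap_command(conf: SamConfirmation,
                           manager: str = "openview.example",  # assumed hostname
                           community: str = "public") -> List[str]:
    """Assemble a net-snmp `snmptrap -v 2c` argv carrying the confirmation.

    The OID is a placeholder under the private enterprise subtree; replace it
    with an OID defined in your own MIB. The empty argument after the manager
    tells snmptrap to use the local sysUpTime.
    """
    trap_oid = "1.3.6.1.4.1.99999.1.1"  # PLACEHOLDER, not a registered OID
    return [
        "snmptrap", "-v", "2c", "-c", community, manager, "", trap_oid,
        trap_oid + ".1", "s", f"SAM '{conf.action}' confirmed for src {conf.src}",
        trap_oid + ".2", "s", conf.src,
        trap_oid + ".3", "i", str(conf.expire),
        trap_oid + ".4", "s", conf.sender or "unknown",
        trap_oid + ".5", "s", conf.timestamp,
    ]


if __name__ == "__main__":
    for conf in parse_sam_confirmations(SAMPLE_LOG.splitlines()):
        print(" ".join(build_snmptrap_command(conf)))
```

In practice the loop would read the output of `fw log -f` (or whatever the export job writes) rather than a string constant, and would run the assembled command with `subprocess.run`; keeping the command as a list makes it safe to execute without a shell and easy to test. The `closed_connections` flag is worth reporting separately, since "no connections closed" is the normal result when the attacker's session has already ended, and operations staff may otherwise read it as a failure.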