• The Four Hundred
  • Network Intelligence Adds iSeries Monitoring to Security Appliances

    April 19, 2005 Alex Woodie

    Network Intelligence is the latest company to join the ranks of security providers serving the iSeries platform. Last month the Massachusetts company, driven by new regulations mandating good security practices among public companies, unveiled a new release of enVision, the software that powers its line of network security appliances. The new release can monitor OS/400 logs for things like failed sign-on attempts and changes to system settings, which could be indicators of a security breach.

    Network Intelligence uses the term “security event management,” or SEM, to describe what its three lines of Network Intelligence Engine appliances do. What gives Network Intelligence an edge over other SEM vendors is its capability to gather, view, sort, and report on security events happening across its customers’ entire networks from a central location, claims Jack Sweeney, the CEO of Network Intelligence.

    “We are the first SEM vendor to offer a global view of this data from one location,” Sweeney said in reference to enVision version 2.102, which shipped at the end of March. These are big words claiming first-to-market credibility in what’s become a very competitive field of software, but then again, this is a big release for Network Intelligence.

    In addition to support for OS/400, enVision 2.102 adds security event monitoring for other popular operating systems, applications, and network devices, including IBM's z/OS and OS/390 mainframe operating systems and WebSphere 5.0 (on AIX only) middleware, Microsoft's IIS Web server and ISA Server firewall software, the Apache Web server, RSA Secure ID authentication software, Tipping Point Unity One intrusion detection systems, antivirus software from Symantec and Trend Micro, and Juniper SSL/VPN appliances. In total, the company can gather and analyze security event data from 88 devices and pieces of software.

    OS/400 Support

    With enVision 2.102, Network Intelligence gains the capability to monitor, correlate, and report on security-related activities occurring on OS/400 servers. This data is presented through the enVision interfaces and made available for analysis and generation of reports and graphs, along with security event data gathered from all other devices supported by the product.

    enVision watches the OS/400 audit journal for changes and activities logged by an OS/400 server. This data is then transmitted to the Network Intelligence appliance using FTP. OS/400 V5R1 or higher is required.

    The product is geared to pick up on 24 different security events on OS/400 servers, including audit changes and failures, invalid passwords, log-ins and log-outs, changes to user profiles, the creation and deletion of objects, jobs by systems and jobs by users, and more. In addition to these events, enVision includes five canned “top 20” reports, presenting the top 20 jobs, top 20 systems, top 20 users, top 20 programs, and top 20 entry types.

    Network Intelligence says it built OS/400 support into its offering to meet market demand and to fulfill its cross-platform strategy. “It aligns with our strategy to collect events from all disparate elements on a network for compliance and security purposes. Operating systems are crucial in this strategy,” a company spokesperson says. “In the past the focus was Microsoft and Unix platforms, but now we see a need to support other types of operating systems such as mainframes and midrange systems.”

    Security Engines

    Network Intelligence sells three lines of security appliances. All of them feature x86 processors, a “security-hardened” and embedded version of Windows 2000 Server, and an array of redundant and hot-swappable components, including disks, fans, and power supplies.

    The largest of Network Intelligence’s appliance offerings is the LS series, a three-part cluster of appliances designed for large enterprises and service providers with geographically dispersed operations. The three appliances that make up an LS series cluster include the remote and local collectors, an application component that runs the enVision OS and analysis tools, and a database component that runs the LogSmart software, which provides access to event data as if it resided locally. The LS series can be scaled up to manage events from over 3,000 separate network devices at a rate of more than 30,000 sustained events per second (EPS) per LS series cluster, the company says.

    The HA Series (for high availability) is a collection of integrated, stand-alone appliances designed specifically for security duty. These appliances include built-in collector software and the enVision OS, and are available in six configurations that range from 320GB and 2,500 sustained EPS across more than 250 devices, to 630GB of storage and 7,500 sustained EPS across more than 1,000 devices.

    The entry-level EX Series is also a stand-alone series of appliances with all the necessary software built in. Two EX Series appliances are available, one that offers 500 sustained EPS across 64 devices, and another that offers 1,000 sustained EPS across 128 devices.

    Users interact with Network Intelligence appliances through the Windows-based enVision OS and the associated tools, which are accessed using Web browsers. Initial setup and configuration are done through the Administration module. The Alert Monitor console allows users to create filters and customize how they receive alerts (by groups or by device), while the Alert Browser tells users about actions suggested by device vendors and keeps track of events under review. The Dashboard component is used to monitor the performance of the Network Intelligence monitoring itself.

    The enVision Event Viewer lets users watch security log data as it streams in from monitored devices, and provides some analysis of previously recorded log files, while the LogSmart Viewer adds more “forensic” capabilities, and graphing of event log data, too. For more detailed analysis, Network Intelligence provides its Query component, which allows users to search multiple databases simultaneously, and exports results in comma-delimited format. The ReportVU component rounds out the company’s analysis tools with 150 canned reports; users can also modify and build new reports with ReportVU.


    enVision 2.102 brings several other enhancements, including a new compliance and security dashboard that allows users to view the status of multiple networks and locations concurrently in real time, and a new asset management and correlation facility, which helps users correlate network traffic and prioritize alerts.

    enVision runs across all EX, HA, and LS appliances. Pricing for the EX device starts at $20,000, while the HA and LS devices start at about $60,000 and $200,000, respectively. There is no additional cost for the iSeries monitoring and reports. For more information, visit www.network-intelligence.com.


Volume 5, Number 16 -- April 19, 2005

Copyright © 2025 IT Jungle