Overview of MSS System Human Actors Non-Human Actors In-house developed components Third party products


Human Actors
- MSSP Admin
- MSSP User (Operator)
- MSSC User


Non-Human Actors
- Firewall device (at client site): deployed at the client network. Access-deny logs are collected and analysed.
- IDS/IDP device (at client site): deployed at the client network. SNMP traps of detected intrusions are collected and analysed.
- Device / Workstation (at client site): SNMP polling target.


In-house Developed Components
- Alarm Console (web application): UI for the MSSP, who can perform the following tasks:
  - Monitor alarms and create Events
  - Configure data collection and alarm detection
  - Manage client profiles
- Client Portal (web application): UI for the MSSC:
  - Read and update Events
  - Read Vulnerability/Virus News and Daily/Monthly Reports


In-house Developed Components (cont.)
- Client Agent Daemon (location: client network)
  - Collects Firewall / IDS logs
  - Performs SNMP polls (performance monitoring)
- Core Agent Daemon (location: MSSP network)
  - RBL checking, initiating vulnerability scans, etc.
- Core Engine (location: MSSP network)
  - Headless JavaEE components (MDB)
  - Collects records from agents and performs alarm detection


Third Party Products
- RHEL 4.0: OS for all servers (including agent servers)
- MySQL Database: stores configuration, records, alarms, and events
- RRD file storage: NFS file share; RRD for trend-based performance data
- Apache ActiveMQ: provides the messaging network (MOM)
- Sun Java System Application Server 9 (SJSAS, or App Server in short): Alarm Console and Client Portal are deployed here; Core Engine is deployed here


Third Party Products (cont.)
- Email gateway (SMTP relay): notification mail is sent via this gateway
- SMS message gateway: notification SMS are sent via this gateway
- Nessus: provides vulnerability scanning; Vulnerability Scan requires this service to function
- RBL checking service: provides RBL checking; RBL Monitor requires this service to function


Third Party Products (implementation level)
- Hibernate (JPA provider)
- Facelets, Ajax4jsf
- Spring Framework (integration and AOP)
- Quartz scheduler
- Acegi Security
- CAS (Central Authentication System)
- Swiff Chart generator (Flash graph generator)
- iReasoning SNMP library
- Maven (build system)


Third Party Products (SCM)
- Subversion (source version control)
- Trac (wiki, notes and docs for developers)


Data Flow: Interaction between components
1. MSSP admin updates the monitoring config
2. Alarm Console sends the updates to the Agent Daemon
3. Agent Daemon updates its monitoring config
4. Agent Daemon resumes collecting and submitting records to the Core Engine
5. Core Engine collects the records and saves them to the DB
6. Core Engine performs alarm detection, with one of three outcomes:
   1. Update an existing alarm, OR
   2. Create a new alarm, OR
   3. Do nothing
7. User accesses the console
8. Alarm Console displays the active Alarms


Firewall / IDS Log Analysis
1. Admin defines the log collection config and alarm policy
2. Firewall forwards logs via syslog to the Agent Server
3. Syslog daemon forwards them to a named pipe
4. Agent Daemon collects the logs from the named pipe
5. Agent Daemon selects a parser, parses the log, and submits the log to the Core Engine
6. Core Engine collects the log and post-processes it
7. A timer wakes up every 3 minutes (configurable) to perform alarm detection (by alarm policy)
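An added example (not the MSS project's code) of the Agent Daemon parse step and the Core Engine alarm-detection step described in the Data Flow and Firewall / IDS Log Analysis slides above: the deny-log format, the record fields, the alarm policy (a threshold of denies from one source per collected batch) and the `Alarm` shape are all constructed here, since the real parsers and policy schema are not on the page.

```python
"""Added example: Agent Daemon parsing of firewall deny logs, then the Core
Engine's periodic alarm detection with its three outcomes (update existing
alarm / create new alarm / do nothing). Log format and policy are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed firewall deny lines, as the Agent Daemon would read them from the named pipe.
SAMPLE_LOG = """\
Mar 10 10:00:01 fw1 kernel: DENY src=203.0.113.5 dst=10.0.0.8 dport=22
Mar 10 10:00:05 fw1 kernel: DENY src=203.0.113.5 dst=10.0.0.8 dport=23
Mar 10 10:00:09 fw1 kernel: DENY src=203.0.113.5 dst=10.0.0.9 dport=445
Mar 10 10:01:00 fw1 kernel: DENY src=198.51.100.7 dst=10.0.0.8 dport=80
"""
LINE_RE = re.compile(r"DENY src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def parse_records(text):
    """Agent Daemon step: parse each deny line into a record; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append({"src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    return records

@dataclass
class Alarm:
    key: str            # what the alarm is about (here: the denied source IP)
    count: int          # number of deny records supporting it
    active: bool = True

def detect_alarms(records, alarms, threshold=3):
    """Core Engine timer step. Constructed policy: >= threshold denies from one
    source in the collected batch. Per source, either update its existing active
    alarm, create a new alarm, or do nothing. Returns (action, source) pairs."""
    per_src = defaultdict(int)
    for r in records:
        per_src[r["src"]] += 1
    actions = []
    for src, n in per_src.items():
        existing = next((a for a in alarms if a.key == src and a.active), None)
        if existing is not None:
            existing.count += n                # 1. update existing alarm
            actions.append(("update", src))
        elif n >= threshold:
            alarms.append(Alarm(src, n))       # 2. create new alarm
            actions.append(("create", src))
        else:
            actions.append(("nothing", src))   # 3. do nothing
    return actions
```

Each timer run works on the batch of records collected since the previous run, so a source already under an active alarm only accumulates count rather than raising a duplicate alarm.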


Performance Monitoring
1. Admin defines the monitor configuration and alarm policy (OID, device IP, SNMP parameters, threshold, etc.)
2. Agent Daemon periodically issues SNMP polls and pings
3. Agent Daemon submits the performance data
4. Core Engine collects the performance data; data are saved in RRD (trend based) or in the Database (state based, e.g. ping results)
5. Core Engine tries to detect alarms


Vulnerability Scanning
1. Admin issues an initial scan request
2. Agent Daemon performs the vulnerability scan (via Nessus)
3. Agent Daemon submits the scan result to the Core Engine
4. Core Engine saves the scan result
5. Admin checks the initial scan result and defines the baseline
6. Admin sets a regular scanning schedule
7. Agent Daemon performs the scheduled scan and submits the result to the Core Engine
8. Core Engine collects the result and matches it against the baseline
9. If the result does not match the baseline, create an Alarm
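An added example (not the MSS project's code) of the baseline-matching step in the vulnerability-scanning flow above. The scan-result shape (host mapped to a set of `(port, finding_id)` pairs), the finding ids and the alarm dictionary are constructed for the example; the real Nessus output format and the MSS baseline schema are not on the page. It goes slightly beyond the slide by distinguishing findings that are new against the baseline from baseline findings that have disappeared, and by flagging hosts that were never baselined.

```python
"""Added example: Core Engine matching of a scheduled scan result against the
admin-defined baseline. Result/baseline shapes and finding ids are constructed."""

# Constructed baseline, as defined by the admin after reviewing the initial scan.
BASELINE = {
    "10.0.0.8": {(22, "ssh-weak-cipher"), (80, "http-server-banner")},
    "10.0.0.9": {(445, "smb-signing-disabled")},
}

# Constructed result of a later scheduled scan, as submitted by the Agent Daemon.
SCHEDULED_RESULT = {
    "10.0.0.8": {(22, "ssh-weak-cipher"), (80, "http-server-banner"),
                 (8080, "http-proxy-open")},      # one finding not in the baseline
    "10.0.0.9": set(),                            # baseline finding no longer present
    "10.0.0.10": {(21, "ftp-anon")},              # host never baselined
}

def match_against_baseline(result, baseline):
    """Return the alarms to create: one per host whose finding set differs from
    its baseline. 'new' lists findings absent from the baseline, 'missing' lists
    baseline findings absent from the scan. Hosts that match produce no alarm;
    hosts present on only one side are compared against an empty set."""
    alarms = []
    for host in sorted(set(result) | set(baseline)):
        found = result.get(host, set())
        expected = baseline.get(host, set())
        new = found - expected
        missing = expected - found
        if new or missing:
            alarms.append({
                "host": host,
                "new": sorted(new),
                "missing": sorted(missing),
                "in_baseline": host in baseline,
            })
    return alarms
```

A host with `in_baseline` false needs the admin to extend the baseline rather than to fix the host, so that flag is worth surfacing in the Alarm Console.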


RBL Monitoring
1. Admin defines the monitored hosts (IP/hostname)
2. Admin defines a filter
3. Agent Daemon performs the RBL query
4. Agent Daemon submits the result to the Core Engine
5. Core Engine filters the result
6. Core Engine creates an Alarm


Vulnerability News Watching (CVE Watching)
1. MSSC users define subscriptions
2. Agent Daemon downloads and parses the CVE entries in each day's news
3. Agent Daemon submits the updated entries to the Core Engine
4. Core Engine saves the entries
5. Core Engine checks the entries against the users' subscriptions
6. MSSP Admin checks the news entry
7. MSSP Admin MAY update OR ignore the news entry
8. MSSP Admin notifies the client about the new CVE
9. MSSC user reads the CVE


Virus News Watching
- Similar to Vulnerability News Watching
- However, there is no external source to download from: human input only


Service Monitoring
- Monitors that the security devices are functioning properly
- Not yet implemented


Watch Dog
- Monitors the internal components
- Not yet implemented. Initial ideas:
  - JMX (Java-based components) and ICMP
  - Notification + Alarm creation…


Record, Alarm and Event
- Agent Daemon supports records
- Core Engine detects alarms
- Alarm Console creates Events (on behalf of MSSP users)
- Each module defines its own Record type and Alarm type


Other Functions
- Notification System
  - Event changes trigger notification messages
  - Reminder messages
- Reporting
  - Daily / Monthly