Reconnex inSight / iGuard 7.0.0.4 User Guide January 18, 2008 Reconnex Corp
Reconnex Corporation 2 Release 7.0.0.4 The inSight appliance takes over iGuard tasks like customizing policies and assigning privileges to
p. 92: Delete a Policy There are two ways of deleting a policy. Note: You can delete a policy only if you
iGuard/inSight User Guide Release 7.0.0.4 93 If you are not seeing the machine you need to publish a policy to, you must first add that de
p. 94: 3. Type in the new name. When you start typing, a Save As button will appear. Before saving, mak
p. 95: 3. Fill in a new name and description. A Save As button will be added when you start typing
p. 96: 3. Save. The policy list that is launched will show the change in ownership in the Owner column. N
p. 97: Note: Rule state is especially significant because you cannot run more than 256 active rules.
p. 98: 3. Save Search. 4. Give the new rule a name. Important: The characters * % @ + # ? , ' &qu
p. 99: 1. Go to the Policies tab. 2. Click on a policy. 3. Click on a rule you want to tune, or Ad
p. 100: In this case, you are excluding the Director of Human Resources, anyone on the Human Resources a
p. 101: 2. Click on the name of the policy to open it. 3. Click on the name of the rule. 4. Select
p. 3: Reconnex Architecture Reconnex architecture supports essential 32- and 64-bit platforms which i
p. 102: 6. If you have a pre-configured Prevent setup, you may capture identities of Manager, Reviewer,
p. 103: 15. If you have a pre-configured Prevent setup, you may extend notification by assigning a
p. 104: 6. Click on the Action you want to apply. 7. Save. The new action rule is immediately added unde
p. 105: 4. Confirm or cancel the deletion. What is a Concept? Concepts are pattern-matching devices
p. 106: Consumption CREDIT-REPORT Credit report information identifying agencies DATE-OF-BIRTH Terms perta
p. 107: JCB Non-numeric terms pertaining to JCB credit card expression LAST-NAME Terms pertaining to
p. 108: SECURITY-AGENCIES Terms that identify mention of security agency domains, e.g. nsa.gov, cia.gov,
p. 109: 6. Upload expressions (optional). Tip: The Upload Expressions function will save you a lot
p. 110: Concept Conditions Applying conditions to concepts you have constructed helps you to exert greater
p. 111: 8. Define the number of bytes from the beginning of the captured object in which you want i
p. 4: Use Cases The standard policies shipped with iGuard contain rules that automatically capture many of
p. 112: \w any alphanumeric \c or \d \W not alphanumeric ^\w \s any space [\ \f \n \r \t] \S not any s
p. 113: 5. Enter the hostname as it will be found in the header. 6. Save. 7. Verify that the new
p. 114: Now you can add a new element to use your BLOGPOST search in combination with a query for Microso
p. 115: To view any incidents that are generated by the rule, go to Monitor and Group by Rule. When y
p. 116: Tip: Click on the template name to see what it contains. Create a Template Searching or creating
p. 117: 2. Click on Templates. 3. Click on Create New Template. 4. Name and describe the template
p. 118: Now that your template is defined, you can pick it up from the "?" palette launched fr
p. 119: Managing the System You can use the System tab on your inSight or iGuard to monitor the healt
p. 120: When iGuard interfaces are silent, no data is flowing through the capture ports. If this is being
p. 121: 7. Check one or more boxes from the palette to define the alert subcategory. 8. Click on
p. 5: Find traffic to and from foreign nationals Loss of intellectual property to emerging markets ha
p. 122: 5. Save. 6. Verify that the alert notification is added to the list of recipients that is launc
p. 123: 1. Create users and user groups. 2. Add an LDAP server (optional). 3. Create LDAP users (o
p. 124: These role-based user groups are supplied only as a suggested uniform framework for multiple user
p. 125: 8. Click Add to the Current Members pane. 9. Select Update. 10. Verify that the new grou
p. 126: Role-Based Multi-User Access Role-based multi-user access allows assignment of varying levels of
p. 127: 5. Click the down arrow to display the permissions list. 6. Check or clear the boxes corres
p. 128: 6. Update. Tip: If the user doesn't fit logically into the available groups, you must add
p. 129: Create a Failover Account If the link between the inSight Console and its iGuards is broken,
p. 130: 2. Select the Detail link opposite your username in the navigation bar. 3. Note your Current Gro
p. 131: Any of the following actions may be cited on the User Audit Log page. Recognized User Activi
p. 6: 3. Select the equals condition. 4. Click on the "?" to launch the values palette. 5. Se
p. 132: 15. Modify DHCP server 16. Update DHCP server 17. Delete DHCP server 18. View Capture filter l
p. 133: 50. Delete user group 51. View group permissions 52. View group task permissions 53. View
p. 134: 85. Schedule a policy 86. De-schedule a policy 87. View export schedule search page 88. Downl
p. 135: 120. View incident annotations 121. View incident cases 122. Modify case 123. Mark incident a
p. 136: 155. View risk summary 156. View network summary 157. View case summary 158. View case list Audit
p. 137: keep them up-to-date. Audit Log Filtering If you are an inSight administrator, you will want
p. 138: Note: If you want to add more than one item, separate them with a comma (no space). 8. When you
p. 139: 5. Update. Setup Wizard Method 1. Go to System > System Administration. 2. On the list
p. 140: What are Capture Filters? There are two capture filter types. They are generally used to define si
p. 141: Drop Element excludes all data associated with an element. For example, your network may hav
p. 7: 12. Select Group by Detail from the dashboard header. This will give you a graphical picture
p. 142: This filter excludes images in BMP and GIF formats. Ignore HTTP Gzip Responses This filter exclu
p. 143: This filter excludes Server Message Block/NETBIOS traffic. Ignore SSH Traffic This filter e
p. 144: 8. Define the protocol. In this example, you are eliminating video file types that are being tr
p. 145: Create a Network Capture Filter Designing a network capture filter requires experimentation,
p. 146: 8. Save. The list of filters will be launched. 9. Verify that the new filter has been added to
p. 147: 10. Reprioritize the order in which the filters will run. Remember, the Base filter must b
p. 148: Filters that define larger amounts of traffic should be placed at or near the top of the list. For
p. 149: 3. Select the filter you want to activate. 4. Verify that the filter has been added to the
p. 150: Modify a Capture Filter To modify a capture filter, just click on its name and edit its properties
p. 151: Conversely, transport of large-sized files may indicate inappropriate usage of network resou
p. 8: 4. If you have an idea of when the leak may have occurred, select a time period. 5. Search. Your
p. 152: To identify such a problem, it would only be necessary to store the metadata indicating that large
p. 153: 8. Verify that the new filter is listed in the window that is launched. CIDR Classless Inte
p. 154: 3. Indicate the device on which you want the filter deployed. If you want to decide later, you c
p. 155: 10. Save. 11. Verify that the new filters are listed in the window that is launched. 12.
p. 156: Advanced Utilities You can run Linux, SQL or RFS (Reconnex File System) commands in real time by goin
p. 157: Statistic Description Life Seconds since the flow was created Stale Seconds since the last pa
p. 158: 2. Click on the name of a log to launch it. 3. Copy and paste the contents of a log into a text
p. 159: Managing Disk Space The Reconnex File System (RFS) divides the iGuard disk (depending on your
p. 160: WARNING: Changing a wiping policy can have unpredictable results. Before doing this, consult Recon
p. 161: 4. On your Active Directory Server desktop, go to Start > Administrative Tools > Activ
p. 9: Digest Search To find a specific document, you can generate a compact digital signature from th
p. 162: 3. Add the server name or IP address. 4. Add the server port number. 5. Add the timeout inter
p. 163: 15. To edit the settings, select Detail. The Server Information dialog box will launch. It
p. 164: You may want to narrow that query by using metacharacters combined with text. This will retrieve
p. 165: 4. Select one or more groups for the new user(s) and Add. Note: User permissions are assig
p. 166: Managing Devices The inSight Console controls all other Reconnex devices on your network. This inc
p. 167: Note: It takes a few minutes to register the device. The Registration icon shows that regis
p. 168: The Utilities page will be launched. 3. Scroll down to the bottom of the page. 5. Select De-re
p. 169: Contact Technical Support For troubleshooting assistance, you can contact Reconnex Technical
p. 170: Power Redundancy To ensure redundancy on the 1650 and 3650 appliances, both power supplies must b
p. 171: Mechanical Loading Mounting of the equipment in the rack should be such that a hazardous cond
p. 10: 5. Click on the "?" to launch the Values palette. 6. Select Crypto from the Protocol li
User Guide for inSight/iGuard Release 7.0.0.4 171 Index A Account Information, 126 Action Rules create, 99 define, 99 delete, 102 modify, 101 A
p. 172: I iGuard Architecture, 3 features, 1 Reconnex Solution, 1 Incidents customize report, 26 delete, 33 Det
p. 173: by user ID, 79 Command Line, 57 compound queries, 67 country codes, 60 distributed, 67 filters
p. 11: Find FTP Traffic Containing Source Code If you have an employee who is leaving the company, y
p. ii: Copyright ©2008 by Reconnex Corporation. All rights reserved. Reconnex™ is the trademark of Reconnex Corpo
p. 12: You can narrow the search if you know what kind of compression may have been used on the file(s).
p. 13: FTP is commonly used to transmit large files, but other transport protocols can be selected f
p. 14: Find Postings to Social Networking Sites Employees sometimes post personal information to popular o
p. 15: NOTE: You can just type the concept into the Value field if you prefer. 7. Apply. 8. Search
p. 16: done using Source and Destination IP addresses, which help you to identify where your traffic is com
p. 17: When you find related results, you can filter them to reveal additional patterns and give you
p. 18: Find Traffic to Gambling or Adult-Oriented Sites Use of the Internet in the workplace has the poten
p. 19: Note: If you select more than one concept, a logical OR condition is implemented. This is ind
p. 20: Find Transmission of Financial Information Searching using iGuard's standard concepts is a qu
p. 21: These concepts contain words and phrases that identify a broad range of financial content. Yo
p. iii: Contents The Reconnex Solution ...
p. 22: Investigate a User's Online Activity You may need to monitor online activity for an employee
p. 23: 6. Click Search. You may prefer to target the search for specific elements by using a more
p. 24: But when you get the results of the search you are using to create the rule, you notice that your F
p. 25: Using the System If you are using an inSight Console, you are the central management point for
p. 26: Custom Dashboard Viewing You can rearrange the columns of the dashboard to give you the informatio
p. 27: Note: The Details column is crucial if you want to drill down into your results to access the
p. 28: Get Incident Details When you open an incident, you can drill down into the item displayed to get m
p. 29: 3. If there is another link within that document, click it. The last link you are able to se
p. 30: 5. Click on the Concepts tab above the Incident Details. If a concept was used to flag an incide
p. 31: Sort Incidents Use the Actions menu to sort any incident or group of incidents into a configur
p. iv: Managing Cases ...
p. 32: Find Transmissions between Users 1. Enter DestinationIP equals and enter an IP address. 2. Filte
p. 33: Find Office Document Violations 1. Select Content equals from the first two drop-down menus.
p. 34: Alternatively, you can mark them as false positives or mark for deletion later. Filter by Time B
p. 35: Tip: If you are not getting results from a query, try resetting your timestamp filter. Besid
p. 36: You can combine timestamp settings with Group by... attributes to expand your options. Filter by G
p. 37: This example shows that the Content grouping has been focused on Filename and Protocol, produ
p. 38: Now that you see these violations listed, you may want to find out additional information - such a
p. 39: In this example, the user typed in "yahoo.com" to ask the system if any of the numb
p. 40: Save a Report When you save a report, you are either exporting it to save its content or storing th
p. 41: My Reports The reports listed under Monitor > My Reports may have been scheduled for you, o
p. v: Use Logical Operators ...
p. 42: Just check the box of the report you want to share and check the names of the users on your team wh
p. 43: 3. Add a new filter by clicking on the green plus sign. 4. Enter Policy and equals in the f
p. 44: 4. Pull down the File menu and print, save the page, import or send a link to it. Once you have c
p. 45: 3. Update. 4. Select Report Options. 5. Select Export as PDF from the menu. Note: By def
p. 46: Your company information appears at the bottom of the report.
p. 47: 6. Save a copy, print, zoom, or process your report using any of the other Adobe toolbar ico
p. 48: 3. Enter the sender and recipient email addresses. For multiple addresses, use a comma with no sp
p. 49: Just check the box of the report you want to share and check the names of the users on your t
p. 50: Create a Case from the Incident List 1. To create a case from the Incident List, just select the i
p. 51: After you Apply the case, the Case List launches, showing you that the case has been added to
p. vi: System Monitor ...
p. 52: 3. Apply. After you Apply the case, the Case List launches, showing you that the case has been ad
p. 53: 4. Enter Case Details. 5. Apply. The Case List will launch, displaying the new case. Export
p. 54: Note: Processing time depends on the size of the file. If you have to wait for completion of the e
p. 55: Then you notice that two American Express numbers were located by another regulatory policy,
p. 56: The Case Details window will launch under the case to which the incident has been assigned. 5. U
p. 57: Change Owner of a Case 1. Go to the Case tab. 2. Select Details for the case you want to mod
p. 58: 4. Select the new resolution. 5. Apply. Change Status of a Case 1. Go to the Case tab. 2. Sele
p. 59: Command line identifiers can be used alone or as part of a complex query. Example: Find Wor
p. 60: Protocol Option proto: Search by protocol Example On the Basic Search > Custom line, enter the
p. 61: concept: Search by concept Example On the Basic Search > Custom line, enter the concept ide
p. vii: View Objects ...
p. 62: Central America and the Caribbean Anguilla AI Antigua and Barbuda AG Aruba AW Bahamas BS Barbados
p. 63: Middle-East and Asia Afghanistan AF Armenia AM Azerbaijan AZ Bahrain BH Bangladesh BD Bhutan B
p. 64: Palestinian Territory PS Philippines PH Qatar QA Saudi Arabia SA Singapore SG Sri Lanka LK Syrian
p. 65: Norfolk Island NF Northern Mariana Islands MP Palau PW Papua New Guinea PG Samoa WS Solomon Is
p. 66: Ghana GH Guinea GN Guinea_Bissau GW Kenya KE Lesotho LS Liberia LR Madagascar MG Malawi MW Mali ML
p. 67: Antarctica Antarctica AQ Bouvet Island BV Heard Island and McDonald Islands HM Europe Albani
p. 68: Malta MT Moldavia MD Monaco MC Netherlands NL Norway NO Poland PL Portugal PT Romania RO Russian
p. 69: Yahoo version 8.1.0.421 • AOL version 4.7.2517 • MSN/Windows Live messenger 8.1.0178 •
p. 70: Alternatively, you can use the expression condition to type in the name of a standard or custom
p. 71: Note: If you are entering these content types manually, they must be typed exactly as they app
p. 72: Content Types Formats C++_Source, Cobol_Source, FORTRAN_Source, Java_Source, JavaScript, LISP_Sourc
p. 73: iGuard assigns three tokens to each email address: the username, hostname, and domain name. By
p. 74: Search by IP Address You can search for individual IP addresses, a subnet, or a range of addresses.
p. 75: Find all of the words In this search, the AND operator is implied. Because the query does not
p. 76: Find at least one of the words
p. 77: Without the words Search by Location To search by location, go to Capture > Basic Search &
p. 78: Search by Port Number Because IANA (Internet Assigned Numbers Authority) maintains a list of well-k
p. 79: Search by Protocol Searching for a protocol in captured results will return all traffic transm
p. 80: Search by Time All objects captured by iGuard are time-stamped. Defining a time period will narrow
p. 81: Search by User ID If you know a user's handle, you can search for it. Go to Capture >
p. 1: The Reconnex Solution Reconnex iGuards are at the heart of the Reconnex solution. They intelligentl
p. 82: Once it is created, you can then use that template repeatedly instead of creating the same query m
p. 83: 4. Apply. 5. Search. Search Limitations Like other search engines, iGuard has some capacit
p. 84: /> ]]> markup * control characters / escape characters If you enter any of these characters
p. 85: If your search takes more than 30 seconds to complete, the process will be backgrounded and y
p. 86: You can develop that template by experimenting with multiple search terms. The following example c
p. 87: Examples mailfrom:John AND mailto:Mary + "Confidential" subj:"Technical Suppor
p. 88: What are Policies? Policies are sets of rules that search your data stream for specific incidents o
p. 89: Electronic Risk Modules (ERMs) ERMs Electronic Risk Modules refer to packages of standard poli
p. 90: Think of the inheritance state as a toggle. If a rule's Inherit Policy State is Enabled, it m
p. 91: 4. Select an activation state. 5. Select a publication state by checking a deployment box un