SSi Service Strategies Inc.

Security Enforcement


Network Security

Network Security Enforcement

Using eTrust Intrusion Detection to Enforce Network Security

eTrust Intrusion Detection includes a number of features that allow you to define and enforce a security policy to protect your company’s network. When defining a security policy, you should decide which clients and servers you want to monitor, which services you want to monitor, and which intrusions and suspicious network activities should be detected.

In eTrust Intrusion Detection, your security policies are contained in policy folders, which hold the rules for Web access, monitoring/blocking/alerting, intrusion and attack detection, malicious applets and malicious e-mail. eTrust Intrusion Detection checks all the designated traffic against the conditions in these rules. When a session matches the conditions in a rule, a predefined action occurs, e.g. logging, blocking or alerting.

Alerting and Responding

When a session matches the conditions in a rule, eTrust Intrusion Detection responds with a specific action or combination of actions that alert the appropriate party. The following types of alert and response methods are available in eTrust Intrusion Detection:

- Logging event details in the Tree Window
- Blocking a session
- Defining a blocking rule
- Displaying an alert message on the eTrust Intrusion Detection screen
- Adding event details to the NT event log
- Starting another program
- Sending an Email message
- Sending a fax
- Adding event details to a file
- Defining an SNMP trap
- Sending a message to a pager
- Exporting to the log file
- Defining a rule on FireWall-1
- Creating a user-defined action
- Archiving the log files
- Exporting log files to Telemate
- Exporting log files to WebTrends
- Defining actions on a CISCO router
- Sending a message to an NT workstation

Blocking

eTrust Intrusion Detection allows you to block specific users from using specific servers, or to block access to TCP/IP or UDP based services, including:

- Email (POP and SMTP)
- Web browsing (HTTP)
- News (NNTP)
- Telnet
- FTP
- NFS
- IMAP

You can also block network games (e.g. Doom and Quake) and customized protocols (e.g. IRC and PointCast). eTrust Intrusion Detection provides the ability to block or disrupt sessions based on the protocol being used, the origin or destination address, the URL, or the content. eTrust Intrusion Detection can block by rule or in real time in response to an alert. When a session matches the conditions of a rule, you can also define an action that dynamically builds a new rule to block future sessions with the same properties, or that terminates a session when an intrusion is detected or a company security policy is violated.

Web Usage Monitoring and Blocking

Uncontrolled access to the Web can have some disadvantages, but properly used Web access also has many advantages. To create a balance, eTrust Intrusion Detection allows you to decide which sites users can access. Using the reports on Web usage, you can choose which categories (e.g. games and dating services) are not work-related and which sites should be monitored according to their ratings. Sites categorized as violence, sex, nudity and language can be rated at different levels of severity.

Email Usage Monitoring and Relevant Rules Definition

By default, eTrust Intrusion Detection logs all incoming and outgoing Email messages, enabling you to view the actual content of the messages. You can also define rules to log or block details of Email messages sent from or to specific stations, and of messages that contain certain strings of text, e.g. abusive language.


Service Strategies Inc.

2392 Mount Vernon Rd

Dunwoody, GA 30338-3092

678-441-0020   800-662-1615

assist@ssimail.com

Copyright © 1998 - 2002 Service Strategies Inc. All rights reserved.
Revised: October 13, 2003.