Since 1994


Managed Firewall / IPS

The firewall is an essential network protective control. It is the "traffic cop" of your network. Ra Security Services (RSS) uses a firewall to record the information security and acceptable use policies of your company. We start from a position of denying all traffic by default and then allowing what is permitted by policy or business needs. This applies to traffic coming from the Internet as well as traffic originating from inside your network. This approach maximizes the protective value of your firewall while at the same time giving priority to your legitimate business network traffic.

RSS' RaBox network security appliance is a managed IPS service that combines the robustness of the Ra Firewall and the detective capabilities of NSM (Network Security Monitoring) with the intelligence of human experience. Most IPS devices simply act on a list of signatures and heuristics to decide if a specific network intercept is malicious. This is why conventional IPS devices are frequently either completely ineffective or dangerously errant, often blocking legitimate business-related traffic. In addition, if an attacker understands how an IPS device will consistently react, the attacker can use that knowledge to subvert the device and use it to attack or deny service to legitimate users.

RaBox-equipped devices allow known malicious traffic to be stopped at the network border. This includes inter-office locations, third-party networks and the public Internet. The devices do not categorically block activity; rather, they block specific network activity as instructed by a human analyst. This eliminates machine predictability and increases the level of difficulty for the attacker.



Managed IDS / NSM
 

NSM is a variant and improvement upon traditional IDS. Typically, an IDS filters network traffic and generates alert messages based on a set of rules and/or signatures indicative of malicious activity. Alerts include some or all of the original data that triggered the rule and in some cases some event related meta-data.

By contrast, NSM stores the entire network data stream in a continuous loop at all times, much like a security video camera and Digital Video Recorder (DVR) at a bank. The IDS rules are processed against the stored data in near real time and alerts are generated and managed on an integrated security console. Because the data are retained and the meta-data stored in a database, an analyst can go back in time, more than a week in most cases, while investigating a security event. Entire network streams and conversations can be recreated and extracted from the NSM system giving the analyst a tremendous advantage compared to traditional IDS. Because the data are stored, once a malicious activity or pattern of abuse is identified, it is possible to search the entire enterprise for related events and then act on them.



Wireless Monitoring

The RaBox Wireless Monitoring Option uses a device capable of detecting unassociated WiFi network clients, rogue access points, and other forms of abuse. The RaBox Wireless Monitoring Option can also be used to conduct routine tests on legitimate access points.



Vulnerability Management

By regularly performing vulnerability scans, your company will gain valuable insight into the condition of your networked information systems. Over time, the data collected will depict trends indicative of the effectiveness of patching and configuration management processes across the enterprise. Critical hosts, such as servers, are scanned at a higher frequency than non-critical hosts, such as user workstations. Scan reports are consolidated into an easy to read format, including analytical commentary where applicable.



Black Hole DNS

Most malicious software uses DNS to map domain names to Internet IP addresses. Malware such as bots and spyware is changed frequently to avoid detection by anti-virus products. The domain names are more difficult to change even though the attacker may be frequently moving the physical location of the control server. The RSS Black Hole DNS service is a continuously updated collection of domain names known to be malicious. The server intercepts the DNS request from the client computer and forcibly resolves known malicious domains to non-routable network addresses. This effectively neutralizes the communications between the malware and its controller. The Black Hole service works independently of the host-based anti-virus software's presence or effectiveness. In addition, hosts on your network identified trying to resolve a known malicious domain are reported to you so that the malicious software can be identified and removed.
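The sinkhole decision and the per-host reporting described above, sketched as an added example (not RSS code). The blocklist entries, the sinkhole address, the `<client_ip> <qname>` log format and all function names are assumptions made for illustration.

```python
from collections import defaultdict

# Assumed sinkhole answer: an RFC 5737 documentation address, standing in
# for whatever non-routable address a deployment hands back.
SINKHOLE_IP = "192.0.2.1"
# Constructed blocklist; a real service loads a continuously updated feed.
BLOCKLIST = {"bad-c2.example", "tracker.spy.example"}

def blocked_parent(qname, blocklist=BLOCKLIST):
    """Return the blocklisted domain that covers qname, or None."""
    # Match on whole labels: 'a.bad-c2.example' is covered, but
    # 'notbad-c2.example' is a different name and must not be.
    labels = qname.strip().rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def resolve(qname, upstream):
    """Answer with the sinkhole for blocked names, else ask upstream."""
    if blocked_parent(qname) is not None:
        return SINKHOLE_IP
    return upstream(qname)

def report_clients(query_log):
    """Map each client IP to the blocked domains it tried to resolve."""
    hits = defaultdict(set)
    for line in query_log:
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines rather than guess
        match = blocked_parent(parts[1])
        if match:
            hits[parts[0]].add(match)
    return {client: sorted(names) for client, names in hits.items()}

# Constructed sample query log, one '<client_ip> <qname>' per line.
SAMPLE_LOG = [
    "10.0.0.15 update.bad-c2.example.",
    "10.0.0.15 www.example.org",
    "10.0.0.22 BAD-C2.example",
    "10.0.0.15 cdn.tracker.spy.example",
    "10.0.0.31 notbad-c2.example",
    "garbage",
]

if __name__ == "__main__":
    for client, domains in sorted(report_clients(SAMPLE_LOG).items()):
        print(client, "->", ", ".join(domains))
```

The report is built from the resolver's own query log, so an infected host is identified even when its anti-virus software is absent or has missed the malware.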



External Service and Content Monitoring

RSS will monitor exposed Internet services such as email, FTP, web servers, etc. for availability across the public Internet. Public web content such as index pages is monitored for unexpected changes, which are often indicative of a defacement. This service is often the first indication of a systemic problem with a public service even if the problem is not related to malicious activity.



Logfile Analysis

The RaBox appliances installed on your network are capable of receiving log files from both infrastructure devices and hosts via syslog. This service is not performed regularly; rather, the capability is retained and used only during periods of specific analysis such as attack mitigation or digital investigations.



Host Intrusion Detection

RSS maintains the ability to detect file system changes on Windows, UNIX and Apple hosts (> OSX). This service will not be performed regularly, but rather on an ad-hoc basis during times of attack mitigation or digital investigation.
