
NSE 1: Management and Analytics
Study Guide
Last Updated: 8 April 2016

Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc. in the U.S. and other
jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of
Fortinet. All other product or company names may be trademarks of their respective owners. Copyright
© 2002 - 2016 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet
without prior notice. No part of this publication may be reproduced in any form or by any means or
used to make any derivative such as translation, transformation, or adaptation without permission from
Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.
Table of Contents

Management and Analytics ... 4
  Security Management ... 4
    Managing the Security Console ... 6
  Policy and Security ... 7
  Analytics ... 9
    Security Information and Event Management ... 9
    Network Visibility ... 10
  Summary ... 11
Key Acronyms ... 12
References ... 13
Management and Analytics


Additional NSE1 lessons provide insight into how hardware and software work to protect systems and
networks from legacy, modern, and emerging threats. This continued technology evolution allows users to
conduct business, participate in commerce, maintain communications across the globe, and manage
personal affairs with minimal interruption or threat of critical information vulnerability and loss. This
module provides a discussion on how effective management through the use of analytic tools allows
system and network administrators to optimize the secure environment users have come to expect—and
upon which businesses and global commerce rely.

Security Management
Simply stated, security management exists at the region where the scope of IT security and IT
operations meet.
As organizational structures grow in size and complexity, the tendency is for more network
resources—machines, servers, routers, etc.—to be deployed. As the network grows, so also does the scope
of potential threats to the secure and efficient operation of the network to meet organizational goals. With
the global nature of modern business and e-commerce, the sheer number of branch and remote
locations—and managed devices—makes consolidated network security management essential for
effective IT administration. To this end, the primary goal of security management is to reduce security
risks by ensuring that systems are properly configured—or hardened—to meet internal, regulatory, and/or
compliance standards. Security management is a software-based solution that integrates three primary
elements:
Vulnerability Assessment. Network security analysis designed to identify critical IT security weaknesses
that a cyber-attacker could exploit.
Automated Remediation. Allows automated correction of faults or deficiencies—vulnerabilities—
identified in the assessment process. Provides reports and tools to track vulnerabilities that must be
remediated manually.
Configuration Management. Evaluates the security of a network’s critical servers, operating systems,
application-level security issues, administrative and technical controls, and identifies potential and actual
weaknesses, with recommended countermeasures.
IT managers are faced with challenges that range from simple codes to threats hidden in secure packets
designed to target cloud-based applications. Modern and emerging future threats present dynamic and
potentially complex challenges to network security demanding comprehensive, complex security
solutions. Unfortunately, studies have shown that the more complex administrative functions become,
the less likely network administrators are to give the various apparatus and displays the requisite
attention. For this reason, security management was consolidated into a single console that enables
monitoring and management of network security. Through this integrated monitoring and control solution,
IT managers may address the following issues:
Device Configuration. Manages the configuration of each device on the network and maintains the
system-level configuration required to manage the network environment. This includes monitoring
device firmware to ensure it is kept up to date.
Firewall Policy. Provides viewing and modification of firewall configurations—access rules and
inspection rules—in the context of the interfaces whose traffic is filtered.

NSE 1: Management and Analytics Study Guide 4


Content Security Policy. Computer security technique to prevent cross-site scripting (XSS) and related
application-level attacks. It provides a standard HTTP header allowing website administrators to
determine approved sources of content that browsers may load on designated pages. Covered types
include JavaScript, CSS, HTML frames, fonts, images, and embeddable objects like Java applets,
ActiveX, audio, and video files.
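As an added illustration (not from the study guide) of how a Content-Security-Policy header lets an administrator approve content sources per type, the following Python parses a constructed policy and decides whether a resource would be allowed, including the fallback to default-src when a type has no directive of its own. The header value, hostnames and URLs are made up; ports and nonce/hash source expressions are deliberately not handled.

```python
"""Added example: evaluate a Content-Security-Policy header against resource URLs."""
from urllib.parse import urlparse

# Constructed sample header: scripts only from the page's own origin and a CDN,
# images from the same origin plus any https: source, plugins blocked entirely.
SAMPLE_CSP = ("default-src 'self'; script-src 'self' https://cdn.example.test; "
              "img-src 'self' https:; object-src 'none'")


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive_name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def source_matches(source: str, resource_url: str, page_origin: str) -> bool:
    """Match one CSP source expression against an absolute resource URL.

    Handles 'none', 'self', scheme sources (https:), host sources and
    wildcard subdomains (*.example.test). Ports are ignored for brevity.
    """
    res = urlparse(resource_url)          # resource_url is assumed absolute
    if source == "'none'":
        return False
    if source == "'self'":
        return f"{res.scheme}://{res.netloc}" == page_origin
    if source.endswith(":"):              # scheme-source, e.g. "https:"
        return res.scheme == source[:-1]
    src = urlparse(source if "://" in source else f"//{source}")
    if src.scheme and src.scheme != res.scheme:
        return False
    host = src.hostname or ""
    if host.startswith("*."):
        return res.hostname.endswith(host[1:])
    return host == res.hostname


def is_allowed(policy: dict, directive: str, resource_url: str, page_origin: str) -> bool:
    """Decide whether a fetch of the given type would be permitted.

    A type-specific directive (script-src, img-src, ...) wins; otherwise the
    browser falls back to default-src; with neither, loading is unrestricted.
    """
    sources = policy.get(directive, policy.get("default-src", []))
    if not sources:
        return True
    return any(source_matches(s, resource_url, page_origin) for s in sources)


if __name__ == "__main__":
    policy = parse_csp(SAMPLE_CSP)
    origin = "https://www.example.test"
    for kind, url in [("script-src", "https://cdn.example.test/app.js"),
                      ("script-src", "https://evil.example.test/x.js"),
                      ("font-src", "https://cdn.example.test/f.woff")]:
        print(kind, url, "allowed" if is_allowed(policy, kind, url, origin) else "blocked")
```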
A conceptual diagram of security management is illustrated in Figure 1 below:

Figure 1. Security Management (SM) conceptual diagram (SM analyst console, SM database, and
SM-monitored devices)


The primary goal of security processes is to provide high availability for the network, implying redundancy
and fault tolerance managed by the network security solution. In small and medium business (SMB)
networks and many large and distributed enterprise networks, network security may be provided by a
managed security service provider (MSSP) for a number of reasons. To facilitate effective network
security management, MSSPs and network administrators must have access to essential features that
enable them to provide protection to the network as a whole and the data contained therein. Three
principles drive these essential features: segmentation, scalability, and high performance.
Segmentation. Multi-tenancy architecture is one in which the single instance of a software application
serves multiple customers, with each customer being referred to as a tenant. The key purpose of multi-
tenancy is segmenting customers in a managed service provider environment to efficiently provide
security services. Tenants have limited capabilities within the application, such as choosing interface
colors or business rules, but have no access to application code. Administrative domains (ADOMs) are
virtual domains used to isolate devices and user accounts. This enables regular user accounts visibility
only into those devices and data that are specific to their ADOM, such as a geographic location or
business division.
Scalability. Virtual firewall positioning & deployment. Very few organizations use 100% physical or
100% virtual IT infrastructure, necessitating deployment of interoperable hardware and virtual
appliances in security strategies. For both of these deployment options, control through a centralized
panel provides ease of operation to security administrators while enabling the use of complex
measures to counter modern and emerging complex threats. Virtual domains (VDOMs) offer
virtualized security scaling from SMB to large and distributed enterprise networks by rapid deployment
within existing infrastructures. [1]
High Performance. Because security management spans the scope from home networks to SMB to
large and distributed enterprise networks, it must be customizable to meet the needs of each level of
operation. For example, the Application Program Interface (API) specifies how software components
should interact and is used when programming the graphical user interface (GUI), allowing visibility of the
customized network functions. Automation is especially important for large and distributed enterprise
networks, providing an automated workflow that enables users to approve, deny, defer, or even execute
remediation of configuration errors, potentially saving considerable time and effort.

Managing the Security Console


Network security management includes both hardware and software appliances and virtual machine (VM)
capabilities. They may be deployed as physical network security appliances, virtual appliances, or
software packages. Flexible interfacing allows IT administrators to address the management system via a
command line interface, web-based graphical user interface, or programmatically using JSON/XML
requests (scripting, customization, etc.). This provides network security flexibility for a wide range of
network sizes, from home networks and SMB up to large and distributed enterprise networks that are
geographically separated.
The most important function commonly associated with a security management solution is maintaining
firewall policies across a distributed enterprise. In large and distributed enterprise environments, security
management and reporting/compliance functions are usually separated, with local personnel managing
local nodes and a central site having visibility over configuration compliance, generally from the data
center at the corporate headquarters or designated IT management division.
Given the wide range of network security device deployment options, network security consoles are
typically licensed based on the number of devices they will be managing. This provides tailored, flexible
security options appropriate to organization requirements [1]. These security consoles are enabled by use
of simple network management protocol (SNMP), which provides administrators capability to monitor and,
when necessary, configure hosts on a network. This centralized ability to configure network devices is
referred to as device management, and is a critical capability in allowing IT administrators to manage—
monitor and configure—distributed enterprise networks.

Figure 2. Example Integrated security control console


Administrative Domains (ADOMs) provide the capability to better organize the network environment. A
domain is the equivalent of an organizational unit. The purpose of using ADOMs is:
 Limiting administrative scope to specific devices
 Segmenting tenants in a managed service provider environment


Policy and Security


Policy packages enable the addressing of specific needs for an organization’s different sites by creating a
tailored policy package for each site. Policy packages provide flexibility to administrators, because they
may be applied to individual or multiple devices. The advantage to using a policy package is that it
simplifies the installation of a set of firewall rules for sites.[1]
Object libraries contain objects that can be used among multiple policy packages. This simplifies
the administrator's job, as an object only needs to be created once but can be used multiple times
across multiple devices.

Figure 3. Policy Package example.


Global policy packages become increasingly important as network complexity, size, or distributed
configuration grow. Because large and distributed enterprise networks may delegate remote security
management to local administrators, it is important for central network administrators to have the ability to
retain overall visibility and control of the entire network. To this end, global policies allow administrators of
large enterprises and MSPs to “bookend” segmented/tenant firewall rules in order to ensure compliance
with overall network policies and operating regulations[1].

Figure 4. Global Policy “Bookend” flow.


Firewall rules (also called firewall policies) are a major challenge for network security administrators,
making it important for companies and organizations—especially those with distributed enterprise
operations—to have and implement a firewall policy management solution. Depending on the size of the
operation and network, this function may be accomplished by the network security administrator or, in a
large enough enterprise, a firewall administrator. With the fast-paced and rapidly evolving dynamics of
technology and its use, the threat of security gaps being created because of a disjointed firewall policy
program is as real as the threat from external sources.
To assist the network security administrator or firewall administrator in developing, implementing, and
monitoring firewall policy requirements and effectiveness, regular and systematic reviews of firewall
policies should be put in place. These reviews provide important benefits, mitigating challenges such as:
 Mistakenly adding duplicate, similar, or overriding firewall policies
 Missing the impact of corporate policy changes that may impact particular rules
 Creation of policies that are too specific at the time of implementation and may need to be
broadened to be effective
 Determining what/when policies should be implemented by a policy push—that is, applying the
new policies to individual security devices
In order to facilitate inputs to the firewall policy development and review process, a firewall policy
workflow process should be established by which policy change recommendations are submitted,
approved, and implemented by IT staff, and then the document retained for archival purposes for later
analytic review. As these processes become institutionalized, the end result becomes not only more
effective firewall rules management, but efficiency that leads to rules reduction, or a decrease in firewall
rules via periodic reviews or automation.
Security Change Management is the industry term for the product or feature that seeks to reduce or
optimize the number of firewall rules. It provides IT staff and network auditors with a clear picture of how
changes were implemented. With more complex firewalls incorporating more features—such as the Next
Generation Firewall (NGFW)—simplification of the user interfaces that represent complex security
processes increases the likelihood that comprehensive security measures will be engaged, monitored,
and updated as necessary to keep up with emerging threats. This process will also minimize the number
of times that temporary firewall rule changes – used to test new options, software, or hardware – are
forgotten and left to clutter up the configuration.
Auditing has important advantages in the security management environment. Because auditing is a
mechanism that records actions that occur on a system, the associated audit log(s) contain information
detailing the events (such as login, logout, file access, upload, download, etc.), who performed the action,
when it was attempted, and whether the action was successful. Some important events that should be
logged include:

 Login/Logoff (including failed attempts)
 Supervisor/administrator login and function
 Network connections (including failed attempts)
 Sensitive file access (including failed attempts)

In the context of security management, auditing provides the following advantages:


 Ensures that the organization maintains compliance with programs such as HIPAA and PCI
DSS
 Helps track workflows/approvals for firewall policy changes
 Associates security event logs with an individual owner for forensics


Analytics
Analytic reporting is designed to provide end-to-end analysis of system and network performance. In the
context of security management, this analysis includes factors concerning potential impacts on
performance due to attempted or successful attacks, actions taken by preventative policies and apparatus
that detected and prevented intrusion, forensic records of user data for system and network functions,
and so forth.
Of course, unless analytics are applied to future decisions, they cease to serve a vital function for
administrators. The most important function of analytics is to ensure security effectiveness and
improvement while enabling optimum system and network performance.
Reporting is designed to be a cyclical process—not linear; that is, the data analyzed is used to inform
decisions regarding whether policies, programming, or apparatus need to be updated or may remain as
currently constituted. If updates are necessary, analytics inform decision-makers—such as corporate
compliance groups—in determining what updates or reconfigurations are the right ones to accomplish.

Security Information and Event Management


Security Information and Event Management (SIEM)[1] is a system that gathers security logs from multiple
sources and correlates logged events to be able to focus on events of importance. The SIEM ecosystem
is designed to address the unique requirements of a wide range of customers, from large enterprises to
managed security service providers (MSSPs) that manage thousands of individual customer
environments.
Key features include real-time visibility for threat detection and prioritization, and delivering visibility
across the entire IT infrastructure. It reduces and prioritizes alerts to focus investigations on an actionable
list of suspected incidents, enabling more effective threat management while producing detailed data
access and user activity reports.
SIEM operates on the basis of those logs the administrator has authorized to be forwarded from the
devices to the SIEM. These logs may be tuned further to provide a minimum security level for log
forwarding, including (in order of severity from least to most):

1) Debugging
2) Information
3) Notification
4) Warning
5) Error
6) Critical
7) Alert
8) Emergency

SIEM provides three primary functions for network security:


Event logging. How systems and applications record and save data that shows what events happened
at what time and place with what results on the system, in the network, or in an application.
Event correlation. Comparing logged events and correlating like events together to determine
significant instances of repetitious or associated events.
Incident alerting. Provides alerts for security incidents on the network.[1]
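The severity threshold for log forwarding and the event correlation function are illustrated together in this added Python example, which is not from the study guide or any Fortinet product: it maps the PRI field of BSD-style syslog lines to the guide's eight severity names, applies a minimum forwarding level, and correlates repeated failed logins by source address. The log lines, host name and addresses are constructed.

```python
"""Added example: syslog severity filtering and failed-login correlation."""
import re
from collections import Counter

# Severity names as the guide lists them, least to most severe. Syslog numbers
# them the other way round: Emergency is 0 and Debugging is 7.
SEVERITY_NAMES = ["Debugging", "Information", "Notification", "Warning",
                  "Error", "Critical", "Alert", "Emergency"]
SEVERITY_CODE = {name: 7 - i for i, name in enumerate(SEVERITY_NAMES)}

# Constructed sample lines in the BSD syslog shape "<PRI>timestamp host message".
# PRI = facility * 8 + severity, so <38> is facility 4 (auth) at severity 6 (Information).
SAMPLE_LOGS = [
    "<38>Apr  8 10:00:01 fw1 sshd[101]: Failed password for root from 203.0.113.5",
    "<38>Apr  8 10:00:03 fw1 sshd[101]: Failed password for root from 203.0.113.5",
    "<38>Apr  8 10:00:05 fw1 sshd[101]: Failed password for admin from 203.0.113.5",
    "<38>Apr  8 10:00:09 fw1 sshd[102]: Failed password for root from 198.51.100.7",
    "<30>Apr  8 10:01:00 fw1 sshd[103]: Accepted password for ops from 192.0.2.10",
    "<39>Apr  8 10:01:30 fw1 kernel: debug counter reset",
    "<34>Apr  8 10:02:00 fw1 kernel: Critical: firmware integrity check failed",
]

LINE_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")


def parse_line(line: str):
    """Return (severity_name, facility, message) or None if the line has no valid PRI."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                 # 23 facilities * 8 + 7 is the largest legal PRI
        return None
    facility, severity = divmod(pri, 8)
    return SEVERITY_NAMES[7 - severity], facility, m.group("rest")


def forward(lines, min_level: str):
    """Keep only lines at or above min_level, a name from SEVERITY_NAMES."""
    threshold = SEVERITY_CODE[min_level]
    kept = []
    for line in lines:
        parsed = parse_line(line)
        # Lower syslog codes are more severe, so "at or above" means code <= threshold.
        if parsed and SEVERITY_CODE[parsed[0]] <= threshold:
            kept.append(line)
    return kept


def correlate_failed_logins(lines, threshold: int = 3):
    """Count failed logins per source address; return sources reaching the threshold."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        hit = FAILED_RE.search(parsed[2])
        if hit:
            counts[hit.group("src")] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for line in forward(SAMPLE_LOGS, "Warning"):
        print("forwarded:", line)
    print("repeated failed logins:", correlate_failed_logins(SAMPLE_LOGS))
```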
Perhaps the most critical function upon which the SIEM concept depends is logging, because it forms
the basis for making decisions regarding system and network functions and potential anomalies.
Logging is how systems and applications record and save data that shows what events happened at
what time and place with what results on the system, in the network, or in an application. Logging is
one of the forensic tools that may be used to analyze successful attacks, malware infections, or
attempted network intrusions. This capability, although it becomes more complex as networks grow and
become geographically distributed, is important to networks of all sizes against modern and future
network threats.
In the 1980s, Syslog was developed as part of the Sendmail project, but proved so valuable a tool that it
began being used by other applications as well. In today’s IT world, Syslog is still the de facto industry
standard for security event logging. In fact, Syslog has become entrenched as the standard, such that
operating systems such as Windows and UNIX, as well as regulations such as SOX, PCI DSS, and
HIPAA either use Syslog format or have embedded capability for conversion to Syslog.[2]
Because logging is a necessity for networks of every size, resource balancing is an important
consideration. As with determining whether IaaS, PaaS, or SaaS best suits an organization's application
services, the most cost-effective logging/reporting method for SMB is typically cloud-based event logging.
Similarly, some organizations may opt for standalone logging/reporting solutions to more effectively
manage logs collected from multiple security devices.

Network Visibility
Network Visibility refers to the ability for administrators to know what type of traffic is crossing their
network, including Web, applications, email, etc. It allows optimization of bandwidth for business critical
applications. Because modern and emerging threats are able to take advantage of different traffic types in
different ways, network visibility is a key capability in the administrator’s arsenal, providing the opportunity
to achieve:
 Network monitoring and faster troubleshooting
 Application monitoring and profiling
 Capacity planning and network trends
 Detection of unauthorized WAN traffic

Figure 5. Network visibility benefits.


Network visibility is of the utmost importance to security administrators. This includes visibility of every
component of the network, including remote components geographically separated as part of a large
distributed enterprise network. In order to adequately monitor system and network security events, the
security administrator must have access to logging from across the entire infrastructure, including
firewalls, email gateways, endpoint devices, and other network components, both physical and virtual.
As with analytics reporting, network visibility must be treated as a cyclical process in order to be effective.
As illustrated in Figure 5, network visibility provides a wealth of information about many facets of network
operations. All of this data, however, is lost if not used to inform analyses that may improve further
network operations and security. For this reason, network visibility data should be used to inform
reporting on network operations and be used in developing future plans and policy.

Summary
Security management provides vulnerability assessment, automated remediation, and configuration
assessment in an environment providing complex protection with simplified administration. The goal of
security management is to reduce security risks through proper configuration and compliance.
Across all sizes and types of networks, security management provides customization and automation to
assist network security administrators through administrative domains to segment users, firewall & global
policy packages enabling reduction and optimization of rules, and auditing that provides oversight of
compliance, workflow, approvals, and forensic tracing.
Security Information and Event Management (SIEM) provides a wide range of administrator services in
managing logged events and analysis to correlate and determine the most appropriate security
measures, policy updates, and reactions to network incidents.
Network visibility provides administrators with the necessary end-to-end monitoring, troubleshooting,
profiling, and analysis tools to plan and address modern and emerging threats to the network. Adept
management, using the right analytics to inform decisions and actions, is key to establishing and
maintaining an efficient and secure network environment.


Key Acronyms
ADOM – Administrative Domain
API – Application Programming Interface
APT – Advanced Persistent Threat
ATP – Advanced Threat Protection
AV/AM – Antivirus/Antimalware
FTP – File Transfer Protocol
FW – Firewall
GUI – Graphical User Interface
HTML – Hypertext Markup Language
HTTP – Hypertext Transfer Protocol
HTTPS – Hypertext Transfer Protocol Secure
IaaS – Infrastructure as a Service
IDS – Intrusion Detection System
IP – Internet Protocol
IPS – Intrusion Prevention System
IT – Information Technology
J2EE – Java Platform Enterprise Edition
LAN – Local Area Network
MSP – Managed Service Provider
MSSP – Managed Security Service Provider
NGFW – Next Generation Firewall
NSS – NSS Labs
PaaS – Platform as a Service
PC – Personal Computer
PCI DSS – Payment Card Industry Data Security Standard
PHP – PHP Hypertext Protocol
SaaS – Software as a Service
SDN – Software-Defined Network
SEG – Secure Email Gateway
SIEM – Security Information and Event Management
SLA – Service Level Agreement
SM – Security Management
SMB – Small & Medium Business
SNMP – Simple Network Management Protocol
SSL – Secure Socket Layer
SYN – Synchronization packet in TCP
Syslog – Standard acronym for Computer Message Logging
TCP – Transmission Control Protocol
TCP/IP – Transmission Control Protocol/Internet Protocol (Basic Internet Protocol)
TLS – Transport Layer Security
TLS/SSL – Transport Layer Security/Secure Socket Layer Authentication
UDP – User Datagram Protocol
UTM – Unified Threat Management
VDOM – Virtual Domain
VM – Virtual Machine
WAN – Wide Area Network
XSS – Cross-site Scripting


References
1. Tam, K., et al. UTM Security with Fortinet: Mastering FortiOS. Waltham, MA: Elsevier, 2013.

2. Gerhards, R. The Syslog Protocol. RFC 5424, 2009.
