Rollout: RedSeal's SRM

SRM 3000 not only shows threats to your systems, it also tells you how those threats can traverse your network and how much havoc they're likely to wreak.

September 22, 2006


The Upshot


RedSeal's SRM uses Adaptive Risk Analysis, which lets the device infer the values of applications and other resources, and thus present a better picture of the entire network and its vulnerabilities.

Risk management requires knowledge of many different systems for tracking vulnerabilities and configuration data. Correlation of this data is difficult.



The RedSeal SRM provides a simple method of inferring application and system value, and does so quickly. The product does a great job of providing a visual representation of this data, as well as the vulnerability information.


RedSeal's SRM
http://www.redseal.net

While some products can show you vulnerabilities on individual machines, RedSeal's Security Risk Manager (SRM) 3000 not only shows threats to your systems, it also tells you how those threats can traverse your network and how much havoc they're likely to wreak.

The RedSeal SRM 3000 is a 1U server that maintains a database of your entire network, as well as vulnerability information. The latter includes the catalog of vulnerabilities, the current data from vulnerability scans, firewall configurations, and business-value information. Using the data RedSeal has collected, a Java application presents an easy-to-use visualization of the threats to your network. Competitors include nCircle's Topology Risk Analyzer and Skybox Security's Skybox View Suite.

RedSeal has simplified setup and configuration by making it possible to pull in data from Cisco IOS and PIX configurations, as well as Nessus or QualysGuard vulnerability scans. Manual system setup is possible, but by pulling in external configuration files, RedSeal SRM can get a better picture of how the network is really set up and more accurately analyze it.

There are many different methods for tracking vulnerabilities. Although the Common Vulnerabilities and Exposures list tries to provide a consistent method for naming vulnerabilities and exploits, many vendors provide their own advisory IDs, and vulnerability scanners may even refer to the same vendor advisory with different names. All these IDs can be complex to follow in a single environment. RedSeal has solved this problem by providing its own Threat Reference Library, which refers to other vendor advisories in an attempt to bring some consistency to your network. Vulnerability scan data can be compared against this library to come up with a common language to use across your network.


RedSeal's RiskMap

Riskmap Reveals Vulnerabilities

Once the analysis has been run, SRM creates a RiskMap for your network. This customizable diagram of your network provides quick visual feedback on the importance and exposure of your systems. Infrastructure elements are displayed individually, while subnets are presented as cylinders. The size and color of these cylinders show at a glance their business value (the size) and threat exposure (how much of the cylinder is colored red). With this basic data in hand, you can ask SRM to show where threats are coming from or where threats can be directed from a given subnet. This visualization tool helps you see how quickly, and along which paths, an attacker can leapfrog through your network. By following the links from subnet to subnet, you can find the holes that are most important to plug first.

RedSeal also stands out with its own type of predictive technology, Adaptive Risk Analysis, which helps create the picture of your network. When you provide RedSeal SRM with network configuration and vulnerability data, you give RedSeal a picture of what services are available on your network. From this data, RedSeal can infer what applications are running. It's a safe bet that if port 80 is open, for example, a Web server is running, even if that's the only information you've given SRM. As more vulnerability data is collected over time ("Port 80 on 10.1.2.3 is running Apache" rather than simply "Port 80 is open"), SRM stops using its assumed data and looks more closely at what is provided. Firewall rules help decide which subnets are in DMZs. The corporate network may be a subnet that doesn't obviously allow traffic in, but SRM finds the holes that may lead to that net. Additionally, you can change the value of certain systems or services to properly reflect what you feel is most important to your business.
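As an added illustration of the leapfrog analysis and port-based service inference described above (this is not RedSeal's code; the subnets, hosts, firewall rules and scan findings are constructed sample data), a small model that walks allowed firewall paths onto vulnerable services and ranks subnets by value times exposure:

```python
from collections import deque

# Service assumed when the only fact known is "port is open" (constructed table).
PORT_ASSUMPTIONS = {80: "web server", 443: "web server", 25: "mail server", 1433: "database"}

def infer_service(port, scan_detail=None):
    """Prefer the scanner's concrete finding once it exists; otherwise fall back to the assumption."""
    return scan_detail or PORT_ASSUMPTIONS.get(port, "unknown service")

# Constructed network: subnet -> business value (0-10).
SUBNETS = {"internet": 0, "dmz": 4, "corp": 10}
# subnet -> {host: {open port: scanner detail or None when only "port open" is known}}
HOSTS = {
    "dmz":  {"10.1.2.3": {80: "Apache", 22: None}},
    "corp": {"10.1.5.7": {1433: "database"}, "10.1.5.8": {445: None}},
}
# (host, port) pairs the vulnerability scan flagged as exploitable.
VULNS = {("10.1.2.3", 80), ("10.1.5.7", 1433)}
# Firewall allow rules: (source subnet, destination subnet, destination port).
RULES = {("internet", "dmz", 80), ("internet", "dmz", 443),
         ("dmz", "corp", 1433), ("corp", "dmz", 22)}

def attack_paths(start):
    """Breadth-first walk over subnets: an attacker holding `start` reaches subnet B
    if a rule allows traffic from a held subnet to B on a port where some host in B
    is vulnerable. Returns {subnet: subnets traversed to get there}."""
    paths, queue = {start: [start]}, deque([start])
    while queue:
        src = queue.popleft()
        for s, dst, port in RULES:
            if s != src or dst in paths:
                continue
            if any((h, port) in VULNS and port in ports for h, ports in HOSTS.get(dst, {}).items()):
                paths[dst] = paths[src] + [dst]
                queue.append(dst)
    return paths

def exposure(start="internet"):
    """Rank subnets by value x exposure; exposure is the share of hosts in a reachable
    subnet running a vulnerable service (the red part of the cylinder). Unreachable = 0."""
    reached = attack_paths(start)
    scores = {}
    for subnet, hosts in HOSTS.items():
        hit = sum(any((h, p) in VULNS for p in ports) for h, ports in hosts.items())
        scores[subnet] = SUBNETS[subnet] * hit / len(hosts) if subnet in reached else 0.0
    return sorted(scores.items(), key=lambda kv: -kv[1])
```

Here the corporate subnet is unreachable from the Internet directly, yet ranks first because the DMZ web server plus the single allowed DMZ-to-corp database port form a path into it.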

Monitoring your network involves keeping up to date on all devices that reside there. SRM lets you periodically poll your network devices for their configuration data, and in turn, keep the RiskMap up to date. The product also lets you pull in vulnerability scan data automatically, so you can maintain the latest data on services being provided on all your systems.

The SRM interface lets you see more than just what vulnerabilities are present on your network. Because it reads firewall configuration data, it can alert you to problems in your setup. By comparing your firewall configurations and the devices' positions in the network, SRM can present you with possible attack paths created by an extra open port. This additional checking is one of several reports that the SRM can provide. Another is a list of the most vulnerable systems.

The RedSeal SRM provides a new way of looking at your network: through the eyes of an attacker. By examining the paths that an attacker can work through, you can see just how deep they can reach into your network. More important, you can plug the holes that they want to use.

The RedSeal Systems Security Risk Manager is available for $25,000 for a 25-device license (device refers to a firewall or router).

Jeremy Baumgartner is a Unix systems administrator with ACNielsen in Green Bay, Wis. Write to him at [email protected].
