Review: elQNetworks' Enterprise Security Analyzer

Compliance is both complicated and imperative, stretching budgets and IT staffs to the breaking point. These issues are addressed with elQNetworks' Enterprise Security Analyzer, which combines compliance reporting with auditing

March 25, 2006


Albeit imperative, compliance has become a complicated subject and is stretching budgets and IT staffs to the breaking point. This issue is addressed with elQNetworks' Enterprise Security Analyzer (ESA), which combines compliance reporting with auditing and security tools.

ESA was designed to provide advanced Security Information and Event Management (SIEM) across all network devices and hosts that have an impact on an organization's security framework, including multivendor routers, switches, firewalls, VPNs, intrusion detection and prevention systems, antivirus, proxy, content filtering, spam and Web security systems. ESA also scales from a single firewall device to a distributed enterprise infrastructure.

The ESA platform's main responsibility is to collect data from the various components on the network and roll up that data into a managed database and reporting engine. But for the technology to work properly, ESA must normalize and aggregate the data so that meaningful forensics can be performed.
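The normalize-and-aggregate step described above, as an added example that is not ESA's own code: it parses constructed syslog lines in two made-up vendor formats (a firewall and an IDS, both assumptions for illustration) into one common event schema, then rolls the events up per source address, which is the shape of data a forensic query or compliance report runs over.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines in two invented vendor formats (not real ESA input).
SAMPLE_LOGS = [
    "<134>Mar 25 10:01:02 fw1 kernel: DROP SRC=10.1.1.5 DST=192.0.2.10 PROTO=TCP DPT=22",
    "<134>Mar 25 10:01:03 fw1 kernel: DROP SRC=10.1.1.5 DST=192.0.2.10 PROTO=TCP DPT=23",
    "<132>Mar 25 10:01:04 ids1 snort: [1:2003:1] SCAN detected {TCP} 10.1.1.5:4000 -> 192.0.2.10:25",
    "<134>Mar 25 10:01:05 fw1 kernel: ACCEPT SRC=10.1.1.9 DST=192.0.2.11 PROTO=UDP DPT=53",
]

# Outer envelope: <PRI>timestamp host app: message
SYSLOG_RE = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<app>[^:]+): (?P<msg>.*)$")
# Two device-specific message bodies (hypothetical formats)
FW_RE = re.compile(r"^(?P<action>DROP|ACCEPT) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)$")
IDS_RE = re.compile(r"^\[(?P<sid>[\d:]+)\] (?P<sig>.+?) \{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def normalize(line):
    """Map one raw syslog line onto a common event schema; return None if it is not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    # Syslog PRI encodes facility*8 + severity; split it so reports can filter on either.
    event = {"host": m["host"], "facility": pri // 8, "severity": pri % 8, "raw": line}
    fw, ids = FW_RE.match(m["msg"]), IDS_RE.match(m["msg"])
    if fw:
        event.update(source="firewall", action=fw["action"], src_ip=fw["src"], dst_ip=fw["dst"],
                     proto=fw["proto"], dst_port=int(fw["dport"]), signature=None)
    elif ids:
        event.update(source="ids", action="ALERT", src_ip=ids["src"], dst_ip=ids["dst"],
                     proto=ids["proto"], dst_port=int(ids["dport"]), signature=ids["sig"])
    else:  # keep unknown messages, but with empty network fields so they are not silently dropped
        event.update(source="unknown", action=None, src_ip=None, dst_ip=None, proto=None, dst_port=None, signature=None)
    return event


def aggregate(events):
    """Roll normalized events up per source IP: count, distinct target ports, reporting devices, actions."""
    summary = defaultdict(lambda: {"events": 0, "dst_ports": set(), "devices": set(), "actions": Counter()})
    for e in events:
        if e is None or e["src_ip"] is None:
            continue
        s = summary[e["src_ip"]]
        s["events"] += 1
        s["dst_ports"].add(e["dst_port"])
        s["devices"].add(e["host"])
        s["actions"][e["action"]] += 1
    return dict(summary)


def analyze(lines=SAMPLE_LOGS):
    return aggregate(normalize(l) for l in lines)
```

In the sample, one host seen by both the firewall and the IDS is collapsed into a single row, which is the cross-device view the text says aggregation exists to provide.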

ESA is built from the combination of two major components: the ESA host application and a Syslog server. Those two components can reside on the same system or in a distributed fashion. The latter allows regional sites to report to a centralized management system and could be the basis for a VAR to roll out ESA as a managed service to its customers.

ESA's browser-based management portal is straightforward. The portal/management console is broken down into several sections, all of which offer a combined dashboard view. Administrators will find an event viewer, alerts, device manager, reporting portal, management portal, topology view and forensics tasks. All of the views offer direct drill-down to the event level and real-time views into events and alerts.

The real power of the product lies in its reporting and forensics capabilities. Its automated collection of data permits the generation of meaningful reports. For regulatory compliance concerns, the product's ability to build compliance reports is second to none.

The product can gather information from a number of sources, including Syslog, Log Export API (LEA), Remote Data Exchange Protocol (RDEP) and ISA/ISS logs. Administrators also have the ability to tweak the data acquisition settings to accommodate custom logs. The primary event information gathered centers on all port and protocol activity, which basically translates to all network traffic. Each device capable of reporting to ESA requires a license from the company. Those licenses can be assigned to the device's serial number or IP address. The product offers the ability to work with NAT'd IP addresses, allowing logs to be sent through firewalls or security appliances to the management console. That will prove to be a key capability for those pursuing a managed service model or managing a geographically dispersed enterprise network.

All data collection is driven by a user-defined policy. Administrators have complete control over when logs are accessed and rolled into the database. That collection can occur on a minute-to-minute basis or become a daily or even hourly event, all based upon the policy assigned. The ability to tune the collection traffic allows administrators to adjust collection policies to avoid overtaxing the network infrastructure or available bandwidth.

The product is rich with compliance-reporting capabilities; administrators will find bundled reports for HIPAA, Sarbanes-Oxley and other regulations. All reports can be modified, filtered and exported, which creates flexibility for providing ROI, events and forensics needs. When viewed on screen, the reporting module offers a suite of graphical representations.

Administrators will appreciate the network topology view, which creates a graphical "web" of the network devices. From that view, users can drill down to a particular device and quickly view any alerts or log entries.

The product's real-time alerting capability is driven by templates, which can be created from scratch or modified to send critical alerts in a number of fashions. E-mail, pager and so on are all supported notification methods, but even more impressive is ESA's ability to schedule those notifications based on who is responsible at that time.

Administrators will find the combination of features offered and the ease of information access a time and money saver in today's complex networks.

ESA's channel program is broken down into three levels: Premier, Star and Distributor. Premier is the entry-level program and requires no initial investment, yet partners are expected to derive up to $5,000 per quarter in sales. The Star level has a quarterly $5,000 minimum sales requirement.

Distributors are the top tier and are expected to commit to $100,000 in annual sales.

Margins are determined by partner level and other commitments. Premier partners earn 30 percent discounts on products and on e-Care support and maintenance contracts. Partners interested in joining the program will find ample opportunity to profit and build ongoing revenue streams.

Star partners garner 45 percent product discounts, 40 percent discounts for sales of e-Care support and maintenance contracts, and 2.5 percent co-op funds, along with lead sharing, sales support and availability of market development funds (MDF).

Distributors can earn up to 50 percent for product discounts, 45 percent discounts for sales of e-Care support and maintenance contracts, 5 percent co-op funds, and have access to lead sharing, sales support, along with availability of MDF.
