NSK System Operation Security Monitoring Solution Watchlog Designed by SYSCOM PowerPoint PPT Presentation


1
NSK System Operation Security Monitoring Solution: Watchlog, Designed by SYSCOM
  • Presenter: Rosa Tsai
  • 2002/9/18, Ver 1.02

2
Contents
  • NSK System - Security Protection Control
  • NSK System Safe Guard Watchlog
  • How Watchlog Protects Your Security
  • Total Control of the System's Safety
  • Demo
  • Q & A

3
NSK System - Security Protection Control
  • External Menace
    • Attack by hackers
    • Attack on the authorization approval process
    • Attack on the protected/managed facilities
  • Internal Threat
    • Attack on the authorization approval process
    • Mistakes by human operators
    • Stealing someone's account
    • Malicious damage

4
NSK System - Security Protection Control
(Diagram, labels only) Restrict/Log/Query of operation commands; NSK Kernel; Restrict/Log/View of the monitored operation objects
5
Watchlog vs. Safeguard
  • Watchlog works well alongside Safeguard.
  • Watchlog records and controls operational behaviour;
    Safeguard focuses on the privilege settings of object
    security.
  • Watchlog provides the content of the operational
    process; Safeguard shows only the result of an
    operation, success or failure.
  • Report generation: Watchlog provides a SYSCOM GUI
    (Enform report) query system, so reports are easy to
    get. With Safeguard, the required reports must be
    coded through SAFEART.

6
NSK System Protection God: Watchlog
  • Log All: log every activity the user has performed
    on the NSK system
  • Protection Casing: detect unpredictable tricks
    beforehand and prevent illegal access to the system
  • Strict Check: generate reports to check whether the
    operator is doing the job right

7
Watchlog System Architecture (diagram)
8
Watchlog System Architecture (diagram, continued)
9
Watchlog Program Flow (diagram, labelled WATCHLOG)
10
Configuration Setting - KEYWORD Control Information
Keyword settings that start the ACL security examination,
categorized by TERM, PROGRAM and COMMAND:
  • TERM
    • \SYSCOM.ZTN0.WAT101
    • MTM2.A
  • PROGRAM
    • PUP
    • \TAICH.SYSTEM.SYS02.FUP
    • SCF
  • COMMAND
    • DUP
    • PURGE
    • COPY

Note: for an IP connection the TERM entry is the full name
of the terminal, including the node name (as in
\SYSCOM.ZTN0.WAT101 above).
11
Configuration Setting - RULEFILE Control Information (1)
  • (1) USER format: Group_id,User_id
  • (2) TIME: up to 4 time periods for each user, each
    written as starting time-ending time
  • (3) Others:
    • Terminal (keyword TERM): ALL, NONE, or a terminal
      name; 256 entries maximum
    • File name (keyword PROGRAM): ALL, NONE, or a file
      name; 64 entries maximum
    • Command (keyword COMMAND): ALL, NONE, or a command;
      64 entries maximum
    • Restriction (keyword ADD-RULE): DENY or GRANT

12
Configuration Setting - RULEFILE Control Information (2)
Example rule (each keyword line is followed by its values):
    USER
    255,255
    TIME
    00-23
    TERM
    \SYSCOM.ZTN0.WAT101
    PROGRAM
    FUP
    PUP
    SCF
    COMMAND
    COPY
    ADD-RULE
    DENY
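
The KEYWORD table (slide 10) and the RULEFILE (slides 11 and 12) work as one decision: the keyword table decides whether an operation is examined at all, and the rule file then yields GRANT or DENY. The Python below is an added example written for this page, not SYSCOM's own code. It parses the rule file format shown above, enforces the entry limits from slide 11, and evaluates one operation. Its matching semantics are assumptions: the first matching rule wins, a missing TERM/PROGRAM/COMMAND section means ALL, PROGRAM names are compared on their last dotted component, time periods run start to end within one day, and the caller chooses the default when no rule matches. The first sample rule is the one from slide 12; the second (user 100,1, office hours) is constructed.

```python
"""KEYWORD gate plus RULEFILE evaluation in the style of slides 10 to 12.
Illustrative code added for this page, not SYSCOM's product. Assumed semantics:
first matching rule wins; a missing TERM/PROGRAM/COMMAND section means ALL; PROGRAM
names compare on their last component (\\TAICH.SYSTEM.SYS02.FUP is FUP); time
periods run start<=end within one day; no keyword touched means no ACL check."""
from __future__ import annotations
from dataclasses import dataclass

KEYWORDS = ("USER", "TIME", "TERM", "PROGRAM", "COMMAND", "ADD-RULE")
LIMITS = {"TIME": 4, "TERM": 256, "PROGRAM": 64, "COMMAND": 64}  # maxima from slide 11

@dataclass
class Rule:
    user: tuple[int, int]          # Group_id, User_id
    times: list[tuple[int, int]]   # inclusive hour ranges written "hh-hh"
    terms: list[str]
    programs: list[str]
    commands: list[str]
    action: str                    # DENY or GRANT

def _matches(values, candidate: str, file_name: bool = False) -> bool:
    """ALL matches anything, NONE nothing; else exact match (last component for files)."""
    if values in (["ALL"], ["NONE"]):
        return values == ["ALL"]
    short = lambda n: n.rsplit(".", 1)[-1]
    cand = candidate.upper()
    return cand in values or (file_name and short(cand) in {short(v) for v in values})

def _build(sec: dict) -> Rule:
    for key, limit in LIMITS.items():
        if len(sec.get(key, [])) > limit:
            raise ValueError(f"{key}: more than {limit} entries")
    group, user = (int(x) for x in sec["USER"][0].split(","))
    times = [tuple(int(h) for h in p.split("-")) for p in sec.get("TIME") or ["00-23"]]
    action = sec["ADD-RULE"][0].upper()
    if action not in ("DENY", "GRANT"):
        raise ValueError(f"ADD-RULE must be DENY or GRANT, not {action!r}")
    names = lambda key: [v.upper() for v in sec.get(key) or ["ALL"]]
    return Rule((group, user), times, names("TERM"), names("PROGRAM"), names("COMMAND"), action)

def parse_rulefile(text: str) -> list[Rule]:
    """A keyword line opens a section; the value after ADD-RULE closes the rule."""
    rules, sec, section = [], {}, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.upper() in KEYWORDS:
            section = line.upper()
            sec.setdefault(section, [])
        elif section is None:
            raise ValueError(f"value before any keyword: {line!r}")
        else:
            sec[section].append(line)
            if section == "ADD-RULE":
                rules.append(_build(sec))
                sec, section = {}, None
    return rules

def check(keywords, rules, user, hour, term, program, command, default="GRANT") -> str:
    """Keyword gate (slide 10), then the first matching RULEFILE rule (slides 11-12)."""
    if not (_matches(keywords["TERM"], term) or _matches(keywords["PROGRAM"], program, True)
            or _matches(keywords["COMMAND"], command)):
        return "GRANT"                     # nothing monitored was touched: no ACL check
    for rule in rules:
        if (rule.user == tuple(user) and any(s <= hour <= e for s, e in rule.times)
                and _matches(rule.terms, term) and _matches(rule.programs, program, True)
                and _matches(rule.commands, command)):
            return rule.action
    return default                         # no rule matched: caller-chosen default

# KEYWORD table as listed on slide 10 (constructed sample for this example)
SAMPLE_KEYWORDS = {"TERM": {"\\SYSCOM.ZTN0.WAT101", "MTM2.A"},
                   "PROGRAM": {"PUP", "\\TAICH.SYSTEM.SYS02.FUP", "SCF"},
                   "COMMAND": {"DUP", "PURGE", "COPY"}}

# First rule copied from slide 12; the second (user 100,1, office hours) is constructed
SAMPLE_RULEFILE = r"""
USER
255,255
TIME
00-23
TERM
\SYSCOM.ZTN0.WAT101
PROGRAM
FUP
PUP
SCF
COMMAND
COPY
ADD-RULE
DENY
USER
100,1
TIME
08-17
PROGRAM
FUP
COMMAND
PURGE
ADD-RULE
GRANT
"""
```

Calling `check(SAMPLE_KEYWORDS, parse_rulefile(SAMPLE_RULEFILE), (255, 255), 10, "\\SYSCOM.ZTN0.WAT101", "\\TAICH.SYSTEM.SYS02.FUP", "COPY")` returns DENY, while the same command from terminal MTM2.A falls through to the default because the rule names only WAT101. The entry limits are validated at parse time rather than at check time, so a malformed rule file is rejected before it can silently widen or narrow what is examined.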

13
System Requirement
  • Hardware
    • Host (Tandem): NSK K1, K2 and S-series. Minimum
      space for installation 10 MB (data needs to be
      downloaded to the front-end); hard disk requirement
      depends on the actual log files
    • PC end: Intel Pentium II 500 or above, 128 MB RAM
      or higher, minimum hard disk space 100 MB
  • Software
    • Host OS: D38, D45, G06 or above
    • PC OS: Windows 98/NT 4.0/2000 Server or above
    • Database: DBMaker 3.7 or above

14
Watchlog Module List (diagram)
15
Watchlog Modules: What You Need
  • Easily select the modules required for your system
    (decision flow):
    • If your system has Async, SNAX or X.25 terminal
      connections: Basic Module
      • if you only need to check operational records
      • if you need authorization checks as part of the
        system security examination
      • for report query, we can offer a Tandem batch
        report program
    • If your system has TCP/IP connections:
      • if you only need to check operational records
      • if you need authorization checks as part of the
        system security examination
      • for report query, we can offer DB Package GUI
        functions
16
Watchlog Flexibility In Design
  • Supported protocols: X.25, SNAX, TCP/IP, Async,
    Telnet, etc.
  • Provides an interface with Watchcom to manage/control
    the system easily.
  • High-performance software design: hardly any time
    delay, so the user does not even notice being
    monitored by Watchlog.

17
Watchlog Advanced Functionalities (1)
  • Provides Non-Stop capabilities across all CPUs
  • Non-Stop operation 7 days x 24 hours: no shutdown
    required to change the configuration
  • Watchlog is implemented with a fast binary hash
    design that keeps the monitoring checks cheap,
    making mission-critical use possible
  • Fully compatible with TACL and other sub-systems such
    as FUP, SCF, etc., including use of the break key.

18
Watchlog Advanced Functionalities (2)
  • Monitoring can be applied separately or in
    combination by user, time frame, terminal location
    or sub-system
  • Improves on Tandem's built-in security control, which
    only controls the user ID files
  • Option to use the SYSCOM GUI or Prognosis to query
    the monitoring results or reports
  • From Prognosis, an on-line alert to the system
    administrator or manager via BB-Call (pager), e-mail
    or mobile phone when the system has been intruded

19
How Can Watchlog Protect You?
  • Captures information passing between the subsystems
    and their external communication interface
  • Logs the blocked information for on-line/off-line
    checking and investigation
  • Intelligent program design: provides the
    corresponding interface automatically, based on the
    attributes of the monitored program
  • If necessary, it can block illegal activities to/from
    the systems
  • For Telnet users, Dispatch can check the IP address
    against the corresponding account to identify
    illegal use.

20
Async, SNAX and X.25 Monitoring Connection Commands
Watchlog Basic Module
21
Configuration Setting - Add WATCHCOM Control Information
  • Syntax:
    • ADD Object, FILE Physical-terminal-line
    • START Object, INITIAL Program, NAME Proc_name,
      PRIORITY mmm, CPU nn
    • Note: mmm is 1-199, nn is 0-15 (depending on the
      maximum number of CPUs in the system)
  • Example:
    • ADD C02, FILE MTM2.A
    • START C02, INITIAL TACL, NAME A02, PRIORITY 180, CPU 0
    • ADD C03, FILE MTM3.A
    • START C03, INITIAL TACL, NAME A03, PRIORITY 180, CPU 1
    • ADD T101, FILE SNAS.TM101
    • START T101, INITIAL TACL, NAME T101, PRIORITY 180, CPU 1

22
Static TCP/IP Monitoring Commands
23
Dispatch TCP/IP Monitoring Commands
24
TCP/IP Connection Goalie - Dispatch
  • Allows the user to access the pre-defined sub-systems
    only after the IP address and the user's selection
    have been checked
  • Double checking: in addition to the Guardian
    protection, the IP address is also checked for extra
    protection.

25
TCP/IP Connection Goalie - Dispatch
  • Creates TACL as a high-PIN process to reduce the risk
    of running out of the low-PIN (255) PCBs.
  • Allows the user to create the TACL process with the
    desired CPU and priority to make good use of system
    resources.

26
Configuration Setting - Add Dispatch Control Information
How Watchlog sets up process monitoring through the Telnet
server service; the assigned Telnet server provides the
service:
  • ASSUME PROCESS ZTN0
  • ADD SERVICE WATD, TYPE CONVERSATION, SUBTYPE DYNAMIC,
    ACCESS ALL, CPU 1, PROGRAM SYSTEM.WATOBJ.DP,
    PARAM "SYSTEM.WATFIL.WATLOG"
  • ALTER SERVICE WATD, AUTODELETE ON, DISPLAY OFF
  • ADD SERVICE WATS, TYPE CONVERSATION, SUBTYPE STATIC,
    ACCESS ALL, CPU 1, PROGRAM SYSTEM.WATOBJ.DP,
    PARAM "SYSTEM.WATFIL.WATLOG"
  • ALTER SERVICE WATS, AUTODELETE ON, DISPLAY ON

Under Watchlog's control, WATD provides the dynamic window
service and WATS the static window service.
27
Configuration Setting - WATUSER Control Information
  • WATUSER format: one entry per line, with the columns
    IP_Address, Concurrent, User_Name
    IP_Address      Concurrent  User_Name
    10.40.7.205     20          George_Pan
    10.40.7.206     10          Wu-chih Chang
    192.168.4.106   10          Christine_Lin
    210.71.179.246  10          Thomas_Su
    203.66.239.4    10          James_Liu
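
Slides 19 and 24 describe Dispatch checking a Telnet user's IP address against the registered account before admitting the session, and the WATUSER table above holds the address, its concurrent-session ceiling and the expected user name. The Python below is an added example for this page, not SYSCOM's code: it parses the table (user names may contain a space, as in "Wu-chih Chang") and models the admission check with a per-address session counter and a decision log. The order of the three checks, the log line format and the refusal of a zero or negative Concurrent value are assumptions; the sample table is the one from the slide.

```python
"""Dispatch-style Telnet admission check against a WATUSER table.
Illustrative code added for this page, not SYSCOM's product. The WATUSER layout
(one entry per line: IP_Address Concurrent User_Name) is from slide 27; the order
of checks (address listed, account registered for that address, concurrent-session
ceiling) and the log line format are assumptions based on slides 19 and 24."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class WatUser:
    ip: str
    concurrent: int     # maximum simultaneous sessions allowed from this address
    user_name: str      # the account expected to connect from this address


def parse_watuser(text: str) -> dict[str, WatUser]:
    """Parse the table; the user name may contain spaces (e.g. 'Wu-chih Chang')."""
    table: dict[str, WatUser] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'IP_Address Concurrent User_Name'")
        ip = str(ip_address(parts[0]))     # rejects malformed addresses
        limit = int(parts[1])
        if limit <= 0:
            raise ValueError(f"line {lineno}: Concurrent must be positive")
        if ip in table:
            raise ValueError(f"line {lineno}: duplicate entry for {ip}")
        table[ip] = WatUser(ip, limit, parts[2])
    return table


class Dispatch:
    """Admit or refuse a Telnet session and log every decision (slide 6, 'Log All')."""

    def __init__(self, table: dict[str, WatUser]) -> None:
        self.table = table
        self.active: Counter[str] = Counter()    # live sessions per source address
        self.log: list[str] = []

    def connect(self, ip: str, account: str) -> bool:
        """Return True and count the session if the pair passes every check."""
        entry = self.table.get(ip)
        if entry is None:
            reason = "address not in WATUSER"
        elif entry.user_name != account:
            reason = f"account not registered for this address (expected {entry.user_name})"
        elif self.active[ip] >= entry.concurrent:
            reason = f"concurrent limit of {entry.concurrent} reached"
        else:
            reason = ""
        if not reason:
            self.active[ip] += 1
        self.log.append(f"{ip} {account!r} " + ("ALLOW" if not reason else f"DENY: {reason}"))
        return not reason

    def disconnect(self, ip: str) -> None:
        """Release one session slot for the address (no-op if none is active)."""
        if self.active[ip] > 0:
            self.active[ip] -= 1


# WATUSER table exactly as shown on slide 27 (constructed sample input)
SAMPLE_WATUSER = """
10.40.7.205 20 George_Pan
10.40.7.206 10 Wu-chih Chang
192.168.4.106 10 Christine_Lin
210.71.179.246 10 Thomas_Su
203.66.239.4 10 James_Liu
"""
```

With the sample table, `Dispatch(parse_watuser(SAMPLE_WATUSER)).connect("10.40.7.205", "Thomas_Su")` is refused and logged with the reason, which is the "steal someone's account" case from slide 3 seen from the defender's side: a valid account arriving from an address it is not registered for. The eleventh concurrent session from 192.168.4.106 is refused until one is released with `disconnect`.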

28
Monitoring On Data Process Flow
Watchlog Basic Module
29
Host Site: Downloading the Data (diagram: NSK Host, SENDER)
30
DB Repository - Receiving Data (diagram: RECEIVER, NT Server)
31
System Totally Monitored
  • Integrate Watchlog and Prognosis to extend management
    power
  • Integrate the data through the Watchlog/Prognosis API
    and its Extractor
  • Get the necessary report within 30 seconds
  • Solve problems before they happen
  • Early alerts from Prognosis will prevent and eliminate
    unnecessary security problems.

32
System Totally Monitored
  • Combine the data collected by Watchlog and Prognosis
    to find out which operation, by which user/account,
    from which IP address caused the problem
  • If the cause was human error, all the commands
    involved can be kept in Watchlog for central control
    so that the mistake is not repeated.
  • Accumulating all such incidents in the control DB
    gives the best monitoring for the system.

33
Query System Demo - SYSCOM GUI (Download operation)
Screen labels: show the TCP port in service; show the record
counts of received and written data
34
Query System Demo - SYSCOM GUI (registration)
Select the database for the query: Online or History
35
Query System Demo - SYSCOM GUI (Query)
36
DEMO
37
Q & A
Problem Discussions
38
Thank you for your time!
  • Watchlog watches your system for you!

Rosa_Tsai_at_email.syscom.com.tw, TEL 886 2 2775-8645,
FAX 886 2 8773-9870