mshaikh22 asked:
Monitor IP Addresses accessing in and being accessed out from the UK, US and NY Data Center

At the NY data center and the UK and US offices: the IP addresses accessing in and being accessed out.

The objective is to identify suspicious / unauthorized access or data transfer.
masnrock:

What sort of infrastructure is at/near the edge now? If you have a web proxy for example, it should be keeping some level of logging. If you have a SIEM, you can also capture quite a bit as well.
mshaikh22 (asker):
Thank you, masnrock. We don't have any web proxies in place; we do need a SIEM to filter the logs and alert us to anything unauthorized. We are running unmanaged switches in the NY and London offices, and I am not sure how that is going to help us with monitoring.

Are there SIEM solutions you could recommend?

We are running Watchguard FW in the London office, Fortigate in the US Office and ASA in the data center.
I'd look at implementing the proxies first. That way you can at least see traffic going between users and the internet. If you want a log of ALL traffic (including servers) between your network and the internet, then you're going to need something like a syslog server and a lot of storage.

As far as SIEM solutions, LogRhythm would be a good one to look at. If you want something cloud based, you could look at Sumo.
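To show what that syslog collector buys you before a SIEM is in place, here is an added example (not code from this thread or from any vendor) that reads Cisco ASA connection-teardown messages (syslog ID 302014, which carries both endpoints, the duration and the byte count) and flags connections to peers outside an allow-list that either touch an admin port or move a large volume of data. The internal ranges, the allow-listed 203.0.113.0/24 destination, the 100 MB threshold and the sample log lines are all assumptions constructed for the example; the byte count in that message is the total for the connection in both directions, so the volume check is a coarse triage signal for an analyst, not proof of exfiltration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# ASA syslog 302014 is logged when a TCP connection is torn down and carries
# both endpoints, the duration and the byte count for the whole connection.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn>\d+) "
    r"for (?P<if_a>[\w-]+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) "
    r"to (?P<if_b>[\w-]+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)"
)

# Assumptions for this example: RFC 1918 space is "inside"; the allow-list is a
# hypothetical SaaS range the business expects traffic to; admin ports are the
# services where an unexpected external peer deserves a look regardless of volume.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
ALLOWED_DESTS = [ip_network("203.0.113.0/24")]
ADMIN_PORTS = {22, 445, 1723, 3389}  # SSH, SMB, PPTP (the external devs' VPN), RDP

# Constructed sample log lines (not from the original thread); addresses are from
# the documentation ranges. Line 5 is a different message type and is ignored.
SAMPLE_LOGS = """\
%ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/443 to inside:10.1.1.20/52001 duration 0:00:12 bytes 48213 TCP FINs
%ASA-6-302014: Teardown TCP connection 1002 for outside:198.51.100.7/22 to inside:10.1.1.20/52002 duration 1:02:33 bytes 734003200 TCP FINs
%ASA-6-302014: Teardown TCP connection 1003 for outside:203.0.113.10/443 to inside:10.1.1.30/52003 duration 0:00:03 bytes 1902 TCP FINs
%ASA-6-302014: Teardown TCP connection 1004 for outside:192.0.2.55/3389 to inside:10.1.1.40/52004 duration 0:20:00 bytes 120000000 TCP Reset-O
%ASA-6-302013: Built outbound TCP connection 1005 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.1.1.20/52005 (10.1.1.20/52005)
%ASA-6-302014: Teardown TCP connection 1006 for outside:203.0.113.10/443 to inside:10.1.1.30/52006 duration 0:45:10 bytes 500000000 TCP FINs
"""


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def is_allowlisted(ip):
    return any(ip_address(ip) in net for net in ALLOWED_DESTS)


def parse_teardown(line):
    """Return a dict for an internal<->external teardown, or None.
    Which end is inside is decided by address, not field position, so the
    same code handles inbound and outbound connections."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    a = (m["ip_a"], int(m["port_a"]))
    b = (m["ip_b"], int(m["port_b"]))
    if is_internal(a[0]) and not is_internal(b[0]):
        inside, outside = a, b
    elif is_internal(b[0]) and not is_internal(a[0]):
        inside, outside = b, a
    else:
        return None  # internal-to-internal or external-to-external: out of scope
    return {
        "conn": int(m["conn"]),
        "inside_ip": inside[0], "inside_port": inside[1],
        "outside_ip": outside[0], "outside_port": outside[1],
        "duration": m["duration"],
        "bytes": int(m["bytes"]),  # total for the connection, both directions
    }


def find_suspicious(lines, byte_threshold=100_000_000):
    """Flag connections to non-allowlisted peers that hit an admin port or move
    more than byte_threshold bytes. Allow-listed destinations are suppressed so a
    large download from the expected SaaS range does not page anyone."""
    findings = []
    for line in lines:
        rec = parse_teardown(line)
        if rec is None or is_allowlisted(rec["outside_ip"]):
            continue
        reasons = []
        if rec["inside_port"] in ADMIN_PORTS or rec["outside_port"] in ADMIN_PORTS:
            reasons.append("admin-port")
        if rec["bytes"] >= byte_threshold:
            reasons.append("high-volume")
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


def bytes_by_inside_host(lines):
    """Per-host byte totals to the outside, to spot the one workstation that
    moved far more data than its peers."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_teardown(line)
        if rec is not None:
            totals[rec["inside_ip"]] += rec["bytes"]
    return dict(totals)


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    for f in find_suspicious(lines):
        print(f"conn {f['conn']}: {f['inside_ip']} <-> {f['outside_ip']}:{f['outside_port']} "
              f"{f['bytes']} bytes {f['reasons']}")
    for host, total in sorted(bytes_by_inside_host(lines).items()):
        print(f"{host}: {total} bytes")
```

On the sample, connections 1002 (an hour-long SSH session moving 734 MB to an unlisted host) and 1004 (RDP to an unlisted host) are flagged, while 1006, which moves 500 MB to the allow-listed range, is not. The same shape of parser can be pointed at the FortiGate and WatchGuard traffic logs once they are forwarded to the collector; only the regular expression and field names change.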
Thank you, masnrock. We have external developers connecting using Microsoft PPTP VPN. Is there any way we can control traffic to that?
How is your VPN configured exactly? Split tunneling or is all of their internet traffic while connected to the VPN going through your network?
Most Users are using split tunneling.
If you want to get the maximum possible picture, you're going to ideally need to not utilize split tunneling. But bear in mind the side effects of doing that...
OK, I found out it's easy to enable web filtering on the FortiGate 60C, but what do I do on the WatchGuard and Cisco ASA to achieve this?
On the WatchGuard, I'd strongly recommend deploying an instance of WatchGuard Dimension, and telling your box to send all its log traffic to there.
Once that's done, you'll be able to get a full visualisation of traffic including where it's coming from, and going to, and more importantly, the services that are being utilised against this traffic.
This is one of the best visualisation tools that I've come across in recent years, and has been an absolute must for finding where particular traffic is headed.
Thank you, guvna. We are running a Cisco ASA 5512 at the data center. What can we do there?