Language

Policy Management: Policy Monitoring and Action

NetskateKoban Manager of NetSkateKoban Enterprise and KobanCloud supports flexible policy-based monitoring functions, and by utilizing this function, it is possible to perform various types of monitoring.
NetSkateKoban Manager notifies and records warnings, blocks terminals, etc. according to the set policy. By using simple policy settings and advanced policy settings that define monitoring rules based on Koban alarm rules that are determined when a device is detected, various adaptation conditions such as date and time, day of the week, time of day, network, and installation location can be adjusted. When these conditions are met, various actions such as e-mail notifications and communication blocking can be executed.

policy01-e.png

policy02-e.png

policy03-e.png

policy1-e.png

Simple Policy

NetSkateKoban makes judgments about detected devices according to the basic rules below, and if the rules are violated, it issues a warning and at the same time can take actions such as e-mail notifications and communication blocking. These basic rules are categorized into a rule type called "Koban Alarm (Basic)", and the warning determined here is called a Koban Alarm. A policy is a combination of these basic rules, applicable conditions such as the detection source network, the time and day of the week when the unauthorized terminal was detected, and the actions to be taken when the conditions are met.
When Koban Manager detects a device, it will notify you of a warning and automatically take action according to the configured policy. By setting a policy, it is possible to make complex specifications such as combining multiple application conditions or ignoring without warning. However, in order to easily perform simple settings, the simple policy settings You can set up a policy by simply specifying basic rules and actions, such as "send an email when the situation arises."
If you create a policy by specifying basic rules and actions using simple policy settings, the specified action will be executed whenever the warning is detected (or you can disable it).
 
 

Koban Alarm (basic)

Warning Type (Basic Rules) Explanation
Unregistered Sensor If terminal detection information is received from a Koban sensor that is not registered with the manager, a Koban alarm of "unregistered sensor" will be notified.
Unregistered Terminal If the detected terminal (MAC address) is not registered in Koban Manager as a user terminal, a Koban alarm of "unregistered terminal" will be notified.
*When IPv6 address is detected, only unregistered terminals are detected.
Duplicate IP
If a detected device and a connected device that has already been detected have different MAC addresses but are using the same IP address, a Koban alarm of "IP overlap" will be notified.
* The following extended rules will not be judged for devices with IPv6 addresses.
IP Change If a device with the same MAC address has already been detected on the same network as the detected device, but is using a different IP address, a Koban alarm of "IP change" will be notified.
If a device with the same MAC address but a different IP address is detected on a different network, that device will be determined to have moved and will not be notified of the "IP change." In this case, the status of the detected terminal is changed to terminated and saved as a connection history, and then the terminal is treated as newly detected on the destination network.
Mismatch with Assigned IP When the DHCP/ARP sensor observes DHCP packets and sends detection information to Koban Manager, the detection information includes the IP address assigned by the DHCP server. If this assigned IP address differs from the IP address actually used by the detected device, a Koban alarm of "Inconsistency with assigned IP" will be notified.
* This will only be determined if the IP address actually being used is determined by observing the ARP packet after the assigned IP address is sent from the DHCP packet.
User Change If a device with the same MAC address as the detected device is already detected, but the device is owned by a different user, a "user change" Koban alarm will be notified.

Advanced Policy

In addition to Koban alarm (basic) rules that are determined by Koban Manager, such as detecting unregistered terminals, Koban alarm (extended) rules that make detailed settings to determine detected terminals, IDS warnings, Syslog messages, etc. You can specify conditions such as time, network, and location for events, and when those conditions are met, you can take actions such as e-mail notification or blocking communication. This makes it possible to perform complex settings such as sending email notifications when an event occurs, but blocking important networks when an event occurs on Saturdays and Sundays.

You can select the following types of Koban alarm (extension) rules:
 
Warning Type (Extended Rule) Explanation
Koban Alarm (Basic) This is a rule that is always judged when a device is detected.
Koban Alarm (Extended)
Only during configuration, the following settings can be made as rules to be determined when a device is detected.
  • Unregistered IP address range
    If the IP address used by a device detected from a network with an unregistered IP address range does not match the pre-specified IP address range, a Koban alarm of "Use of unregistered IP" will be notified .
  • Static IP address violation
    If a static IP address is set for a device detected from the specified network, and the IP address used by that device is different from the static IP address registered in NetSkateKoban, a "static IP address violation" will occur. Koban alarm will be notified.
  • If the IP and MAC address
    used by a device that has been detected to use a specific address matches the pre-specified IP and MAC address, a Koban alarm for "Use of a specific address" will be notified.
  • Based on the source of the unauthorized connection
    , we determine whether the connection is authorized for that location or domain. When you select a domain, a Koban alarm of "Unauthorized connection" will be notified if the device detects that it is connected to a domain different from the configured domain. Additionally, when you select a location, you will receive a Koban alarm for "Unauthorized Connection" if your device detects that it is connected to a location other than the authorized location.
  • Unregistered DHCP Server
    Determines whether the DHCP server detected by the Koban sensor is a legitimate (registered) DHCP server. If the IP address of the detected DHCP server is not registered, a Koban alarm of "Unregistered DHCP Server" will be notified. *The following extended rules will not be judged for devices with IPv6 addresses.
  • Usage period of registered terminal
    If a "usage period" (usage start date and time and usage end date and time) is set for a registered user terminal, it is determined whether the detected registered terminal is within the usage period. A violation occurs when the date and time of detection is not included in the usage period. In the event of a violation, you will be notified of the Koban alarm "out of usage period".
SNMP Trap Set the policy when receiving SNMP traps. Judgment can be made based on the notified SNMP trap OID or trap support (for SNMPV1).
Snort Alert Set the policy when receiving alerts from Snort.
Syslog Reception Set the policy when receiving Syslog notifications.
Event Monitoring Alarm (HTTP) (*1) This is a rule that determines whether the web content specified by the URL can be retrieved using HTTP GET at regular intervals to determine whether it is reachable or unreachable, and issues a warning if it is unreachable.
Event Monitoring Alarm (SNMP) (*1) This rule determines whether the managed object is reachable or unreachable at regular intervals based on whether information about the managed object can be obtained using SNMP, and issues a warning if it becomes unreachable.
Event Monitoring Alarm (Ping) (*1) This is a rule that uses ping to determine whether a destination is reachable or unreachable at regular intervals, and issues a warning if it becomes unreachable.
Event Monitoring Alarm (TCP port) (*1) This is a rule that sends request data to the TCP port of the specified host address, determines whether the response is reachable or unreachable at regular intervals, and issues a warning if it becomes unreachable.
Event Monitoring Alarm (Threshold) (* 1) This is a rule that periodically retrieves the value of an SNMP managed object and issues a warning when a value that violates a specified threshold is detected.

*1) Optional NMS module is required.

policy2-e.png

Specify the application conditions for executing actions such as time for the set rules.
The applicable conditions that can be set differ depending on the rule, but you can specify the following.
 
  • IP address, IP address range
  • MAC address, network
  • Time, day of the week, period
  • Detection source IP address, detection source IP address range, detection source network
  • Monitoring domain

policy3-e.png

If the rule and the applicable conditions set in the rule are met, the action set in the action settings will be executed.
The actions that can be set vary depending on the rule, but the following actions can be specified.
  • E-mail notification
  • External command execution
  • SNMP trap notification
  • Interference with communications
  • Port auto-blocking
  • Ignore