NetSkateKoban Manager, the management component of NetSkateKoban Enterprise and KobanCloud, supports flexible policy-based monitoring, and this function can be used to perform many kinds of monitoring.
NetSkateKoban Manager notifies and records warnings, blocks terminals, and so on according to the configured policy. Simple policy settings and advanced policy settings define monitoring rules based on the Koban alarm rules that are judged whenever a device is detected, and let you adjust applicable conditions such as date and time, day of the week, time of day, network, and installation location. When these conditions are met, actions such as e-mail notification and communication blocking are executed.


Simple Policy

NetSkateKoban judges detected devices against the basic rules below; when a rule is violated it issues a warning and can at the same time take actions such as e-mail notification and communication blocking. These basic rules form the rule type called "Koban Alarm (Basic)", and the warning they produce is called a Koban alarm. A policy combines these basic rules with applicable conditions, such as the detection source network and the time and day of the week at which the unauthorized terminal was detected, and with the actions to take when the conditions are met.
When Koban Manager detects a device, it notifies you of any warning and automatically takes action according to the configured policy. A policy can express complex specifications, such as combining multiple applicable conditions or ignoring an event without a warning. For simple cases, however, the simple policy settings let you set up a policy just by specifying basic rules and actions, for example "send an e-mail when this situation arises."
If you create a policy with the simple policy settings by specifying basic rules and actions, the specified action is executed every time that warning is detected (the policy can also be disabled).

Koban Alarm (basic)

Warning type (basic rule) and explanation:

Unregistered Sensor: If terminal detection information is received from a Koban sensor that is not registered with the Manager, a Koban alarm of "unregistered sensor" is notified.

Unregistered Terminal: If the detected terminal (MAC address) is not registered in Koban Manager as a user terminal, a Koban alarm of "unregistered terminal" is notified.
  * When an IPv6 address is detected, only the unregistered terminal rule is judged.

Duplicate IP: If a detected device and an already-detected connected device have different MAC addresses but are using the same IP address, a Koban alarm of "IP overlap" is notified.
  * The following extended rules are not judged for devices with IPv6 addresses.

IP Change: If a device with the same MAC address as the detected device has already been detected on the same network but is using a different IP address, a Koban alarm of "IP change" is notified.
  If a device with the same MAC address but a different IP address is detected on a different network, the device is judged to have moved and no "IP change" alarm is notified. In this case the status of the previously detected terminal is changed to terminated and saved as a connection history, and the terminal is then treated as newly detected on the destination network.

Mismatch with Assigned IP: When the DHCP/ARP sensor observes DHCP packets and sends detection information to Koban Manager, the detection information includes the IP address assigned by the DHCP server. If this assigned IP address differs from the IP address actually used by the detected device, a Koban alarm of "Inconsistency with assigned IP" is notified.
  * This is judged only when the IP address actually in use has been determined from an ARP packet observed after the assigned IP address was obtained from the DHCP packet.

User Change: If a device with the same MAC address as the detected device has already been detected but is owned by a different user, a Koban alarm of "user change" is notified.
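To make the basic rules concrete, here is an added illustration (not NetSkateKoban code; the data model, field names and alarm strings are my own assumptions) that evaluates the five Koban Alarm (Basic) rules above against a stream of constructed detections, including the "moved network" case and the ARP-only condition for the assigned-IP rule.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Detection:
    sensor: str                          # Koban sensor that reported the device
    network: str                         # network the sensor observed it on
    mac: str
    ip: Optional[str] = None             # IP seen in ARP; None if not yet observed
    assigned_ip: Optional[str] = None    # IP handed out by DHCP (from DHCP packets)
    user: Optional[str] = None           # owner the device is currently attributed to

@dataclass
class Manager:
    sensors: Set[str]                    # registered Koban sensors (assumed registry)
    terminals: Dict[str, str]            # registered user terminals: MAC -> owner
    active: Dict[str, Detection] = field(default_factory=dict)  # MAC -> live record
    history: List[Detection] = field(default_factory=list)      # terminated records

    def evaluate(self, d: Detection) -> List[str]:
        """Return the Koban alarms raised by one detection, in rule order."""
        alarms = []
        if d.sensor not in self.sensors:
            alarms.append("unregistered sensor")
        if d.mac not in self.terminals:
            alarms.append("unregistered terminal")
        prev = self.active.get(d.mac)
        if d.ip is None or ":" not in d.ip:  # address-based rules are skipped for IPv6
            # Duplicate IP: an already-connected device with another MAC uses this IP
            if d.ip and any(o.ip == d.ip and o.mac != d.mac for o in self.active.values()):
                alarms.append("IP overlap")
            if prev is not None and prev.ip is not None and d.ip and prev.ip != d.ip:
                if prev.network == d.network:
                    alarms.append("IP change")
                else:
                    # Moved to another network: terminate the old record, keep it as
                    # history, and treat the device as newly detected on the new network.
                    self.history.append(self.active.pop(d.mac))
                    prev = None
            # Mismatch with assigned IP: only judged once ARP has shown the real IP
            if d.assigned_ip and d.ip and d.assigned_ip != d.ip:
                alarms.append("inconsistency with assigned IP")
        if prev is not None and prev.user is not None and d.user != prev.user:
            alarms.append("user change")
        self.active[d.mac] = d
        return alarms
```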

Advanced Policy

In addition to the Koban alarm (basic) rules that Koban Manager always judges, such as detection of unregistered terminals, the advanced policy settings let you use Koban alarm (extended) rules, which are configured in detail to judge detected terminals, as well as events such as IDS warnings and Syslog messages. You can specify conditions such as time, network and location for these events, and when the conditions are met take actions such as e-mail notification or blocking of communication. This makes complex settings possible, for example sending an e-mail notification when an event occurs, but blocking communication on important networks when the event occurs on a Saturday or Sunday.

You can select the following types of Koban alarm (extended) rules:
Warning type (extended rule) and explanation:

Koban Alarm (Basic): A rule that is always judged when a device is detected.

Koban Alarm (Extended): Only when configured, the following can be set as rules to be judged when a device is detected.
  • Unregistered IP address range
    If the IP address used by a device detected from a network for which an IP address range is registered does not fall within the pre-specified IP address range, a Koban alarm of "Use of unregistered IP" is notified.
  • Static IP address violation
    If a static IP address is registered for a device detected from the specified network, and the IP address the device actually uses differs from the static IP address registered in NetSkateKoban, a Koban alarm of "Static IP address violation" is notified.
  • Use of a specific address
    If the IP and MAC address used by a detected device match a pre-specified IP and MAC address, a Koban alarm of "Use of a specific address" is notified.
  • Unauthorized connection source
    Judges whether a connection is authorized for its location or domain. When a domain is selected, a Koban alarm of "Unauthorized connection" is notified if the device is detected as connected to a domain other than the configured domain. When a location is selected, the "Unauthorized connection" Koban alarm is notified if the device is detected as connected to a location other than the authorized location.
  • Unregistered DHCP server
    Judges whether the DHCP server detected by a Koban sensor is a legitimate (registered) DHCP server. If the IP address of the detected DHCP server is not registered, a Koban alarm of "Unregistered DHCP server" is notified.
    * The following extended rules are not judged for devices with IPv6 addresses.
  • Usage period of registered terminal
    If a "usage period" (usage start date and time and usage end date and time) is set for a registered user terminal, it is judged whether the detected registered terminal is within its usage period. A violation occurs when the date and time of detection fall outside the usage period; in that case a Koban alarm of "out of usage period" is notified.

SNMP Trap: Sets the policy applied when an SNMP trap is received. The judgment can be based on the notified SNMP trap OID or trap support (for SNMPv1).

Snort Alert: Sets the policy applied when an alert is received from Snort.

Syslog Reception: Sets the policy applied when a Syslog notification is received.

Event Monitoring Alarm (HTTP) (*1): A rule that retrieves the web content at the specified URL with HTTP GET at regular intervals to judge whether it is reachable or unreachable, and issues a warning if it becomes unreachable.

Event Monitoring Alarm (SNMP) (*1): A rule that judges at regular intervals whether the managed object is reachable or unreachable based on whether its information can be obtained via SNMP, and issues a warning if it becomes unreachable.

Event Monitoring Alarm (Ping) (*1): A rule that uses ping at regular intervals to judge whether a destination is reachable or unreachable, and issues a warning if it becomes unreachable.

Event Monitoring Alarm (TCP port) (*1): A rule that sends request data to the TCP port of the specified host address at regular intervals, judges from the response whether the port is reachable or unreachable, and issues a warning if it becomes unreachable.

Event Monitoring Alarm (Threshold) (*1): A rule that periodically retrieves the value of an SNMP managed object and issues a warning when a value violating the specified threshold is detected.

*1) The optional NMS module is required.


For the configured rules, specify the applicable conditions, such as time, under which the actions are executed.
The conditions that can be set differ by rule, but the following can be specified.

  • IP address, IP address range
  • MAC address, network
  • Time, day of the week, period
  • Detection source IP address, detection source IP address range, detection source network
  • Monitoring domain


If a rule and the applicable conditions set for it are met, the action configured in the action settings is executed.
The actions that can be set vary by rule, but the following can be specified.
  • E-mail notification
  • External command execution
  • SNMP trap notification
  • Interference with communications
  • Port auto-blocking
  • Ignore