The Power of Extensible Audits
One of the most powerful features inside of FireMon is our ability to quickly add customized reports or audits to the application. This takes minutes and doesn’t even require “us” to do it. Our customers do it all the time. Don’t believe me? Take a look at Secure Passage’s Nexus community (https://nexus.firemon.com) where you can find a wealth of these unique reports being exchanged amongst our user community (and some of the sharpest minds in the security space).
The point of my entry here isn’t to showcase Nexus, but rather to tell a story about a recent customer experience. You may have caught Cisco’s announcement last week reporting “multiple vulnerabilities” in the firewall services module for its Catalyst 6500 switch and 7600 series router. In short, the flaw allowed an attacker to force a reload of the firewall module by sending crafted SunRPC or certain TCP packets; a repeated attack could result in a sustained denial of service condition. This vulnerability affected Cisco FWSM software versions 3.x and 4.x, and only if SunRPC was enabled (which it is by default). To learn more: http://www.networkworld.com/community/node/64631
If that weren’t bad enough, this customer had several of these devices under management and wanted to know whether FireMon could check for this vulnerability. The very short answer was yes. By going through the list of monitored devices inside FireMon and applying a simple audit that checks the software version running on each device and whether a certain setting (SunRPC) is turned on, we could report to the user which devices should be upgraded or otherwise mitigated.
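As an added illustration (not FireMon’s own audit engine or code), here is how that version-plus-setting check could be expressed in Python over a constructed device inventory; the device names, version strings and the `inspect sunrpc` configuration syntax are assumptions.

```python
import re

# Constructed inventory standing in for the list of monitored devices.
# Names, versions and config lines are hypothetical samples, not real devices.
DEVICES = [
    {"name": "fwsm-dc1", "platform": "FWSM", "version": "4.0(4)",
     "config": ["policy-map global_policy", " class inspection_default",
                "  inspect sunrpc", "  inspect ftp"]},
    {"name": "fwsm-dc2", "platform": "FWSM", "version": "3.2(3)",
     "config": ["policy-map global_policy", " class inspection_default",
                "  no inspect sunrpc", "  inspect ftp"]},
    {"name": "fwsm-dmz", "platform": "FWSM", "version": "4.1(1)",
     "config": ["policy-map global_policy", " class inspection_default",
                "  inspect ftp"]},          # SunRPC never mentioned: default applies
    {"name": "fwsm-lab", "platform": "FWSM", "version": "2.3(5)",
     "config": ["policy-map global_policy", " class inspection_default",
                "  inspect sunrpc"]},
    {"name": "asa-edge", "platform": "ASA", "version": "8.2(1)",
     "config": ["policy-map global_policy", " class inspection_default",
                "  inspect sunrpc"]},
]

AFFECTED_MAJORS = {3, 4}   # FWSM 3.x and 4.x, as stated in the post


def major_version(version):
    """Return the leading major number of a version string such as '4.0(4)'."""
    m = re.match(r"\s*(\d+)", version)
    return int(m.group(1)) if m else None


def sunrpc_enabled(config_lines):
    """SunRPC counts as enabled unless it is explicitly negated.

    The post says the setting is on by default, so a config that never
    mentions it is treated as enabled. The 'inspect sunrpc' syntax is assumed.
    """
    return not any(line.strip() == "no inspect sunrpc" for line in config_lines)


def audit(devices):
    """Return (name, reason) for every device matching all audit criteria:
    FWSM platform, affected major version, and SunRPC enabled."""
    findings = []
    for d in devices:
        if d["platform"] != "FWSM":
            continue
        if major_version(d["version"]) not in AFFECTED_MAJORS:
            continue
        if not sunrpc_enabled(d["config"]):
            continue
        findings.append((d["name"], "FWSM %s with SunRPC enabled: upgrade or disable SunRPC"
                         % d["version"]))
    return findings
```

Changing `AFFECTED_MAJORS` or the setting checked in `sunrpc_enabled` is the “five-second change” that re-targets the same audit at a different advisory.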
I guess the real beauty of the story here is that an audit checking for that specific software version and setting didn’t exist. However, a similar one did. With a five-second change to the audit’s criteria, the report immediately returned the results the user was looking for. And should this event or a similar one happen again, that same simple change makes the entire audit absolutely relevant once more.