
Monitoring Suspicious Activity Rules


The Need for Suspicious Activity Rules

The connection of enterprise and public networks is a great information security challenge, since connections that provide access to employees and customers can also act as an open doorway for those who want to attack the network and its applications.

Modern business needs require that information be easily accessed while at the same time it remains secure and private.

The fast-changing network environment demands the ability to react immediately to a security problem without having to change the entire network's Firewall rule base (for example, when you want to instantly block a specific user). All inbound and outbound network activity should be inspected and identified as suspicious when necessary (for instance, when network or system activity indicates that someone is attempting to break in).

Suspicious Activity Rules Solution

Suspicious Activity Rules is a utility integrated into SmartView Monitor that is used to modify access privileges upon detection of any suspicious network activity (for example, several attempts to gain unauthorized access).

The detection of suspicious activity is based on the creation of Suspicious Activity rules. Suspicious Activity rules are Firewall rules that enable the system administrator to instantly block suspicious connections that are not restricted by the currently enforced security policy. These rules, once set (usually with an expiration date), can be applied immediately without the need to perform an Install Policy operation (see the R76 Security Management Administration Guide for additional information).

Configure Suspicious Activity Rules

To block traffic when a threat is detected, SmartView Monitor offers the tools needed to create and manage Suspicious Activity rules. These rules are based on your knowledge of the network and enable you to instantly block suspicious connections in real time.

Create a Suspicious Activity Rule

A Suspicious Activity rule can be created from scratch or directly from Traffic or Custom view results.

Create a Suspicious Activity Rule

  1. Select the Tools menu and Suspicious Activity Rules.
  2. Click the Add button.

    The Block Suspicious Activity window is displayed.

  3. Select Apply On for all gateways or for a specific gateway.
  4. In the Source section, select Any to block all source machines, or specify a particular IP Address or Network.

    If you would like to indicate a specific network source, define both the source machine's IP and its Network Mask.

  5. In the Destination section, select Any to block all destination machines, or specify a particular IP address.

    If you would like to indicate a specific network destination, define both the destination machine's IP and its Network Mask.

  6. In the Service section, select Any to block all services, or specify the particular service that you wish to block.
  7. In the Expiration section, select a Relative time after which this rule expires, or define an Absolute Date and Time of expiration.
  8. Click the Advanced button to decide how SmartView Monitor reacts to traffic that matches this rule.

    The Advanced window is displayed.

    1. Select either Drop, Reject or Notify in the Action drop-down list.
      • Notify indicates that a notification about the defined activity will be sent but the activity will not be blocked.
      • Drop indicates that packets will be dropped without sending the communicating peer a notification.
      • Reject indicates that packets will be rejected along with a notification to the communicating peer that the packet has been rejected.
    2. Select No Log, Log or Alert in the Track drop-down list.
    3. Check Close Connections to close all active connections matching this rule.
  9. Click OK to return to the Block Suspicious Activity window.
  10. Click Enforce to save and execute this rule.
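The following is an added illustration, not Check Point code: a constructed Python model of the rule fields defined in the steps above (Source, Destination, Service, Expiration, Action, Track, Close Connections) and of how a matching connection would be handled. The precedence of Drop over Reject follows the page's description of conflicting rules; ranking Notify below both blocking actions is an assumption of this model.

```python
"""Constructed model of Suspicious Activity rule matching (not Check Point code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional

# Drop dominates Reject (as the page states for conflicting rules);
# placing Notify, which never blocks, lowest is an assumption of this model.
RANK = {"Drop": 2, "Reject": 1, "Notify": 0}
NOW = datetime(2013, 1, 1, 12, 0)  # constructed reference time for the examples

@dataclass
class SamRule:
    source: str = "Any"        # "Any", a host IP, or a network such as "10.1.1.0/24"
    destination: str = "Any"
    service: str = "Any"       # "Any" or a constructed label such as "tcp/80"
    action: str = "Drop"       # Drop, Reject or Notify (step 8.1)
    track: str = "Log"         # No Log, Log or Alert (step 8.2)
    expires: Optional[datetime] = None  # None models a rule without expiration
    close_connections: bool = False     # step 8.3

    def active(self, now: datetime) -> bool:
        """A rule stops applying once its expiration time has passed (step 7)."""
        return self.expires is None or now < self.expires

    def matches(self, src: str, dst: str, svc: str) -> bool:
        def net_ok(field: str, addr: str) -> bool:
            # "Any" matches everything; a host IP becomes a /32 network.
            return field == "Any" or ip_address(addr) in ip_network(field, strict=False)
        return (net_ok(self.source, src) and net_ok(self.destination, dst)
                and (self.service == "Any" or self.service == svc))

def relative_expiry(now: datetime, minutes: int) -> datetime:
    """Relative expiration from step 7: the rule lapses a fixed time after creation."""
    return now + timedelta(minutes=minutes)

def decide(rules, src, dst, svc, now):
    """Return the action applied to a connection, or None if no active rule matches.
    When several rules match, the dominant action wins (Drop over Reject over Notify)."""
    hits = [r for r in rules if r.active(now) and r.matches(src, dst, svc)]
    return max(hits, key=lambda r: RANK[r.action]).action if hits else None

def visible_rules(rules):
    """Model the Enforced Suspicious Activity Rules window: among rules with
    identical match criteria only the dominant one is displayed."""
    best = {}
    for r in rules:
        key = (r.source, r.destination, r.service)
        if key not in best or RANK[r.action] > RANK[best[key].action]:
            best[key] = r
    return list(best.values())
```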

Create a Suspicious Activity Rule Based on the Results

When running a Traffic view, you can create a Suspicious Activity rule from the results that appear in the SmartView Monitor client.

You can only create a Suspicious Activity rule for Traffic views that contain information about the Source and/or Destination (for example, Top Sources, Top P2P Users, etc.).

  1. In the SmartView Monitor client, click Traffic in the Tree View.
  2. In the Traffic view tree, double click the view that you would like to run.

    A list of available gateways and clusters appears.

  3. Select the gateway for which you would like to run the selected Traffic view.
  4. Click OK.

    The results of the selected view appear in the SmartView Monitor client.

  5. In the area of the screen in which the results appear, right-click the Service, Network Object, Tunnel, etc., that you would like to block.
  6. Select Block Source.

    The Block Suspicious Activity window is displayed containing all of the settings associated with the selected view results.

  7. Modify any or none of the settings that appear.
  8. Click Enforce to save and execute this rule.

Manage Suspicious Activity Rules

The Enforced Suspicious Activity Rules window displays the currently enforced rules. If a rule that conflicts with another rule is added, the conflicting rule remains hidden. For example, if a rule was defined to drop all HTTP traffic and an additional rule is defined to reject HTTP traffic, only the Drop rule, which is the dominant rule, is displayed.

Once one or more Suspicious Activity rules are created, SmartView Monitor enables you to:

  • View the rules that are currently being enforced on a gateway or on all the gateways.
  • Remove or add new rules.

Note - To add a new Suspicious Activity rule refer to Create a Suspicious Activity Rule.

View a Suspicious Activity Rule

  1. In SmartView Monitor, click Traffic or System Counters in the Tree View.
  2. Select the Tools menu and Suspicious Activity Rules.

    The Enforced Suspicious Activity Rules window is displayed.

  3. Select Apply on All to view all the Suspicious Activity rules or Show On to view rules associated with a specific gateway or cluster.

Remove a Suspicious Activity Rule

  1. In the SmartView Monitor client, click Traffic or System Counters in the Tree View.
  2. Select the Tools menu and Suspicious Activity Rules.

    The Enforced Suspicious Activity Rules window is displayed.

  3. Select Apply on All to view all the Suspicious Activity rules or Show On to view rules associated with a specific gateway or cluster.
  4. Select the rule that you would like to remove from the Enforced Suspicious Activity Rules window.
  5. Click Remove.
  6. Click Yes to remove the rule.
©2013 Check Point Software Technologies Ltd. All rights reserved.