
Study Guide for NSE 1: Management and Analytics 2016

February 1, 2016

This Study Guide is designed to provide information for the Fortinet Network Security Expert Program – Level 1 curriculum. The study guide presents discussions on concepts and equipment necessary as a foundational understanding for modern network security prior to taking more advanced and focused NSE program levels.

Fortinet Network Security Solutions


Contents
Figures
Management and Analytics
  Security Management
    Managing the Security Console
  Policy and Security
  Analytics
    Security Information and Event Management
    Network Visibility
  Summary
Key Acronyms
References


Figures
Figure 1. Security Management (SM) conceptual diagram
Figure 2. Integrated security control console
Figure 3. Policy Package example
Figure 4. Global Policy “Bookend” flow
Figure 5. Network visibility benefits


Management and Analytics


Other NSE 1 modules describe how hardware and software development work to protect systems and networks from modern and emerging threats. That continuing technology evolution allows users to conduct business, participate in commerce, maintain communications across the globe, and manage personal affairs with minimal interruption and minimal risk of critical information being exposed or lost. This module discusses how effective management, supported by analytic tools, allows system and network administrators to maintain the secure environment users have come to expect and upon which businesses and global commerce rely.

Security Management
Simply stated, security management exists where the scope of IT security and IT operations meet.

As organizational structures grow in size and complexity, more network resources (machines, servers, routers, and so on) tend to be deployed. As the network grows, so does the scope of potential threats to its secure and efficient operation in support of organizational goals. With the global nature of modern business and e-commerce, the sheer number of branch and remote locations, and of managed devices, makes consolidated network security management essential for effective IT administration. To this end, the primary goal of security management is to reduce security risk by ensuring that systems are properly configured, or hardened, to meet internal, regulatory, and/or compliance standards. Security management is a software-based solution that integrates three primary elements:

Vulnerability Assessment. Network security analysis designed to identify critical IT security weaknesses that an attacker could exploit.

Automated Remediation. Automated correction of the faults or deficiencies (vulnerabilities) identified in the assessment process, together with reports and tools to track the vulnerabilities that must be remediated manually.

Configuration Management. Evaluation of the security configuration of a network’s critical servers and operating systems, application-level security settings, and administrative and technical controls; it identifies potential and actual weaknesses and recommends countermeasures. In practice this means comparing each device’s running configuration against an approved baseline and flagging any drift from it.

IT managers face challenges ranging from simple malicious code to threats hidden inside encrypted traffic and aimed at cloud-based applications. Modern and emerging threats present dynamic and potentially complex challenges to network security that demand comprehensive, and therefore complex, security solutions. Unfortunately, studies have shown that the more complex administrative functions become, the less likely network administrators are to give the various tools and displays the attention they require. For this reason, security management was consolidated into a single console from which network security is both monitored and managed. Through this integrated monitoring and control solution, IT managers can address the following areas:

Device Configuration. Manages the configuration of each device on the network and maintains the system-level configuration required to manage the network environment. This includes monitoring device firmware to ensure it is kept up to date.

Firewall Policy. Provides viewing and modification of firewall configurations (access rules and inspection rules) in the context of the interfaces whose traffic they filter.

Content Security Policy. A browser-side security mechanism designed to prevent cross-site scripting (XSS) and related application-level attacks. A web server sends a standard HTTP response header (Content-Security-Policy) that tells the browser which sources of content it may load on the page. Covered content types include JavaScript, CSS, HTML frames, fonts, images, and embeddable objects such as Java applets, ActiveX, audio, and video. Note that CSP is enforced by the browser against the page, not by the network firewall; it complements, rather than replaces, inspection at the gateway.
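As an added example (not from the study guide), the following Python reproduces how a browser applies such a header: it parses the directive list and decides, for a given fetch directive and resource URL, whether the load is permitted, falling back to default-src where a specific directive is absent. The header, page origin and URLs are constructed for the demonstration, and only a subset of CSP source matching is implemented ('self', 'none', scheme sources, and host sources with wildcard and port); nonces, hashes and path matching are left out.

```python
"""Evaluate a Content-Security-Policy header against candidate resource loads.

Added example, not from the study guide. Implements a simplified subset of
CSP source matching: 'self', 'none', scheme sources (https:), and host
sources with optional scheme, optional *. wildcard, and optional port.
Nonces, hashes, 'unsafe-inline', and path restrictions are out of scope.
"""
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when they are absent.
FALLBACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "font-src",
                       "object-src", "media-src", "connect-src", "frame-src"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header):
    """Turn "dir src src; dir src" into {directive: [sources]}.

    CSP ignores later duplicates of a directive, so the first one wins."""
    policy = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _origin(parts):
    """(scheme, host, effective port) so that an explicit default port still counts as same-origin."""
    return (parts.scheme, (parts.hostname or "").lower(),
            parts.port or DEFAULT_PORTS.get(parts.scheme))


def _host_matches(pattern, host):
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):             # *.example.com: any subdomain, not the apex
        return host.endswith(pattern[1:])
    return host == pattern


def source_matches(source, url, page_origin):
    """True if one CSP source expression permits loading url from a page at page_origin."""
    u, p = urlsplit(url), urlsplit(page_origin)
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(u) == _origin(p)
    if source.startswith("'"):               # keyword this subset does not support
        return False
    if source.endswith(":"):                 # scheme source, e.g. https:
        return u.scheme == source[:-1].lower()
    scheme, sep, rest = source.partition("://")
    if not sep:
        scheme, rest = "", source
    host_port = rest.split("/", 1)[0]        # drop any path part (not enforced here)
    host_pat, _, port_pat = host_port.partition(":")
    if scheme:
        if u.scheme != scheme.lower():
            return False
    elif u.scheme not in (p.scheme, "https"):  # schemeless host: page's scheme, or an upgrade to https
        return False
    url_port = u.port or DEFAULT_PORTS.get(u.scheme)
    if port_pat == "*":
        pass
    elif port_pat:
        if str(url_port) != port_pat:
            return False
    elif url_port != DEFAULT_PORTS.get(u.scheme):
        return False
    return _host_matches(host_pat, (u.hostname or "").lower())


def is_allowed(policy, directive, url, page_origin):
    """Decide whether the browser would load url for the given fetch directive."""
    sources = policy.get(directive)
    if sources is None and directive in FALLBACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True                          # nothing governs this load: CSP does not restrict it
    return any(source_matches(s, url, page_origin) for s in sources)


# Constructed policy and page origin for the demonstration.
EXAMPLE_HEADER = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
                  "object-src 'none'; img-src *")
PAGE = "https://app.example.com"

if __name__ == "__main__":
    policy = parse_csp(EXAMPLE_HEADER)
    for directive, url in [("script-src", "https://cdn.example.com/lib.js"),
                           ("script-src", "https://evil.example.net/x.js"),
                           ("style-src", "https://cdn.example.com/a.css"),
                           ("object-src", "https://app.example.com/a.swf")]:
        verdict = "allow" if is_allowed(policy, directive, url, PAGE) else "block"
        print(f"{directive:<11} {url:<40} {verdict}")
```

The cases worth noticing: an https page’s 'self' does not cover the same host over plain http, a schemeless host source (including the bare *) never permits a downgrade to http, and a directive with no sources at all behaves like 'none', whereas a directive that is simply missing, with no default-src to fall back on, leaves the load unrestricted.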

A conceptual diagram of security management is illustrated in Figure 1 below:

(Diagram: SM Analyst, SM Console, and SM Database above the SM Monitored Devices)

Figure 1. Security Management (SM) conceptual diagram

A further goal is to provide high availability for the network, which implies redundancy and fault tolerance managed by the network security solution. In small and medium business (SMB) networks, and in many large and distributed enterprise networks, network security may be provided by a managed security service provider (MSSP) for a number of reasons, as discussed in Module 1. To manage network security effectively, MSSPs and network administrators must have access to essential features that let them protect the network as a whole and the data it contains. Three principles drive these features: segmentation, scalability, and high performance.

Segmentation. In a multi-tenant architecture a single instance of a software application serves multiple customers, each referred to as a tenant. The key purpose of multi-tenancy is to segment customers in a managed service provider environment. Tenants have limited capabilities within the application, such as choosing interface colors or business rules, but have no access to the application code. Administrative domains (ADOMs) are virtual domains used to isolate devices and user accounts, so that a regular user account has visibility only into the devices and data belonging to its ADOM, such as a geographic location or business division. The property to verify is that no tenant can see or change another tenant’s devices, logs, or policies through any interface, the API included.

Scalability. Virtual firewall positioning and deployment. Very few organizations run a 100% physical or 100% virtual IT infrastructure, so security strategies must deploy interoperable hardware and virtual appliances. For both kinds of firewall, control through a centralized console gives security administrators ease of operation while enabling complex measures against modern and emerging threats. Virtual domains (VDOMs), introduced by Fortinet in 2004, split one physical firewall into independent virtual firewalls, each with its own interfaces, routing, and policies, and offer virtualized security from SMB to large and distributed enterprise networks by rapid deployment within existing virtual infrastructures. [1]

High Performance. Because security management spans home networks, SMBs, and large and distributed enterprise networks, it must be customizable to the needs of each level of operation. An application programming interface (API) specifies how software components interact; the same API used to build the graphical user interface (GUI) lets administrators script and automate customized network functions. Automation is especially important for large and distributed enterprise networks: an automated workflow lets users approve, deny, defer, or execute remediation of configuration errors, potentially saving considerable time and effort.

Managing the Security Console


Network security management products are available as hardware appliances, virtual appliances, and software packages, with virtual machine (VM) capabilities. Flexible interfacing lets IT administrators address the management system through a command line interface, a web-based graphical user interface, or programmatically using JSON/XML requests (scripting, customization, and so on). This gives network security flexibility for a wide range of network sizes, from home networks and SMBs up to large and distributed enterprise networks that are geographically separated. Because every one of these interfaces can change policy on every managed device, access to them should be restricted to trusted management hosts and protected with strong administrator authentication and a complete audit trail.

The most important function commonly associated with a security management solution
is maintaining firewall policies across a distributed enterprise. In large and distributed
enterprise environments, security management and reporting/compliance functions are
usually separated, with local personnel managing local nodes and a central site having
visibility over configuration compliance, generally from the data center at the corporate
headquarters or designated IT management division.

Because of the wide range of network security device deployment options, network security consoles are typically licensed by the number of devices they manage, which provides tailored, flexible security options appropriate to organization requirements [1]. These consoles make use of the Simple Network Management Protocol (SNMP), which gives administrators the ability to monitor and, when necessary, configure hosts on a network. SNMP versions 1 and 2c authenticate with cleartext community strings, so monitoring should use SNMPv3 with authentication and encryption, and SNMP access should be limited to the management network. This centralized ability to configure network devices is referred to as device management, and is a critical capability in allowing IT administrators to manage (monitor and configure) distributed enterprise networks.

Figure 2. Integrated security control console

Administrative Domains (ADOMs) provide the capability to organize the network environment better. A domain is the equivalent of an organizational unit. ADOMs serve two purposes:

- Limiting administrative scope to specific devices
- Segmenting tenants in a managed service provider environment

Administrative domains are further divided into Accounts, each of which must have at least one User. Permissions and policies, however, must be set at the domain administrator and network administrator levels. [1]

Policy and Security


Policy packages address the specific needs of an organization’s different sites: a tailored policy package is created for each site. Policy packages give administrators flexibility because a package may be applied to one device or to many. The advantage of a policy package is that it simplifies installing a consistent set of firewall rules across sites. [1]

Object libraries contain the names and entry points of the code located in the library, together with a list of the objects that applications or systems using the code require in order to run. An example is needing an application capable of reading a .jpg file in order to use an object with a .jpg extension; object libraries may be configured to direct which applications open or run which types of files, overriding the manufacturers’ default settings. In a firewall management console the object library is the shared collection of named, reusable definitions (addresses, services, schedules, and security profiles) that policy rules reference by name. Objects may be dragged from the library into a policy package to define the action taken on traffic that matches the object’s criteria; editing the object once updates every rule that references it.


Figure 3. Policy Package example.

Global policy packages become increasingly important as network complexity, size, or distribution grows. Because large and distributed enterprise networks may delegate remote security management to local administrators, as introduced above, central network administrators must retain overall visibility and control of the entire network. To this end, global policies allow administrators of large enterprises and MSPs to “bookend” segmented or tenant firewall rules: a global header block is evaluated before the local rules and a global footer block after them, so that a local administrator cannot accidentally or deliberately bypass overall network policy and operating regulations [1].

Figure 4. Global Policy “Bookend” flow.

Maintaining firewall rules (also called firewall policies) is a major challenge for network security administrators, so it is important for companies and organizations, especially distributed enterprises, to implement a firewall policy management solution. Depending on the size of the operation and network, this function may be carried out by the network security administrator or, in a large enough enterprise, by a dedicated firewall administrator. With the fast-paced and rapidly evolving dynamics of technology and its use, the threat of security gaps created by a disjointed firewall policy program is as real as the threat from external sources.

To assist the network security administrator or firewall administrator in developing, implementing, and monitoring firewall policy requirements and effectiveness, regular, systematic reviews of firewall policies should be put in place. These reviews mitigate challenges such as:

- Mistakenly adding duplicate, similar, or overriding firewall policies (a rule placed after a broader rule that matches the same traffic is shadowed and never evaluated)
- Missing the effect of corporate policy changes on particular rules
- Creating policies that are too specific at the time of implementation and later need to be broadened to be effective
- Deciding what policies should be implemented, and when, by a policy push, that is, applying the new policies to individual security devices
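The bookend order described under global policies and the review pitfalls listed above can both be checked mechanically. The following Python is an added example, not from the study guide or from Fortinet’s software: it composes the effective rule list as global header, then the ADOM’s package, then global footer, evaluates flows with first-match semantics, and reports rules that an earlier rule already covers, distinguishing a redundant duplicate from a rule whose action is silently overridden. Rule fields, names, and addresses are constructed; real policies also match on interface, schedule and user identity, which this model omits.

```python
"""Compose a 'bookended' firewall policy and audit it for shadowed rules.

Added example, not from the study guide or Fortinet. Rule fields and the
first-match semantics are a simplified model; real products also match on
interface, schedule, and user identity.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # CIDR
    dst: str        # CIDR
    proto: str      # "tcp", "udp", "icmp", or "any"
    dport: object   # int or "any"
    action: str     # "accept" or "deny"


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def matches(rule, flow):
    """First-match test of one rule against a (src, dst, proto, dport) flow."""
    src, dst, proto, dport = flow
    return (ipaddress.ip_address(src) in _net(rule.src)
            and ipaddress.ip_address(dst) in _net(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport in ("any", dport))


def covers(outer, inner):
    """True if every flow matched by inner is also matched by outer."""
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.dport in ("any", inner.dport))


def effective_policy(global_header, adom_package, global_footer):
    """Order of evaluation on the device: header rules, then the ADOM's own
    package, then footer rules. A deny-all in the footer makes the implicit
    default explicit and auditable."""
    return list(global_header) + list(adom_package) + list(global_footer)


def evaluate(policy, flow):
    for rule in policy:
        if matches(rule, flow):
            return rule.name, rule.action
    return "implicit-deny", "deny"


def find_shadowed(policy):
    """Report rules that can never fire because an earlier rule covers them.
    Same action: the later rule is merely redundant (a rule-reduction
    candidate). Different action: the later rule is shadowed, and whoever
    added it may believe traffic is handled differently than it is."""
    findings = []
    for j, later in enumerate(policy):
        for earlier in policy[:j]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, kind, earlier.name))
                break
    return findings


# Constructed rules for one branch ADOM sitting between the global bookends.
GLOBAL_HEADER = [
    Rule("g-allow-central-ssh", "10.250.0.0/24", "0.0.0.0/0", "tcp", 22, "accept"),
    Rule("g-deny-telnet", "0.0.0.0/0", "0.0.0.0/0", "tcp", 23, "deny"),
]
BRANCH_PACKAGE = [
    Rule("br-web-out", "192.168.10.0/24", "0.0.0.0/0", "tcp", 443, "accept"),
    Rule("br-telnet-legacy", "192.168.10.0/24", "10.1.1.0/24", "tcp", 23, "accept"),
    Rule("br-web-out-dup", "192.168.10.0/26", "0.0.0.0/0", "tcp", 443, "accept"),
]
GLOBAL_FOOTER = [
    Rule("g-deny-all", "0.0.0.0/0", "0.0.0.0/0", "any", "any", "deny"),
]
POLICY = effective_policy(GLOBAL_HEADER, BRANCH_PACKAGE, GLOBAL_FOOTER)

if __name__ == "__main__":
    # The branch admin's telnet exception never fires: the global header wins.
    print(evaluate(POLICY, ("192.168.10.5", "10.1.1.9", "tcp", 23)))
    for finding in find_shadowed(POLICY):
        print(finding)
```

The audit runs over the effective list, not over the branch package alone: the telnet exception looks fine in isolation and is only revealed as shadowed once the global header is put in front of it, which is exactly the situation a local administrator cannot see from their own ADOM.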

To feed the firewall policy development and review process, a firewall policy workflow should be established in which policy change recommendations are submitted, approved, and implemented by IT staff, and the change record is then retained for later analytic review. As these processes become institutionalized, the result is not only more effective firewall rule management but also efficiency that leads to rule reduction, a decrease in the number of firewall rules achieved through periodic reviews or automation.

Rule reduction through automation is where adept security change management technology improves the probability that the network will remain secure. Security Change Management is the industry term for the product or feature that seeks to reduce or optimize the number of firewall rules and gives IT staff and network auditors a clear picture of how changes were implemented. As firewalls incorporate more features, as in the Next Generation Firewall (NGFW), simplifying the user interface to these complex processes increases the likelihood that comprehensive security measures will be engaged, monitored, and updated as necessary to keep up with emerging threats.

Auditing has important advantages in the security management environment. Because auditing is a mechanism that records actions that occur on a system, the associated audit logs record the events (login, logout, file access, upload, download, and so on), who performed each action and when, and whether the action succeeded. Important events that should be logged include:

- Login/logoff, including failed attempts
- Supervisor/administrator login and the functions performed
- Network connections, including failed attempts
- Sensitive file access

In the context of security management, auditing provides the following advantages:

- Ensures that the organization maintains compliance with programs such as HIPAA and PCI DSS
- Helps track workflows and approvals for firewall policy changes
- Associates security event logs with an individual owner for forensics

Analytics
Unless analytics are applied to future decisions, the data collected ceases to serve a vital function for administrators. The most important function of analytics is to ensure security effectiveness and improvement while enabling optimum system and network performance.

Analytic reporting is designed to provide end-to-end analysis of system and network performance. In the
context of security management, this analysis includes factors concerning potential impacts on
performance due to attempted or successful attacks, actions taken by preventative policies and
apparatus that detected and prevented intrusion, forensic records of user data for system and network
functions, and so forth.

Reporting is designed to be a cyclical process—not linear; that is, the data analyzed is used to inform
decisions regarding whether policies, programming, or apparatus need to be updated or may remain as
currently constituted. If updates are necessary, analytics inform decision-makers—such as corporate
compliance groups—in determining what updates or reconfigurations are the right ones to accomplish.

Security Information and Event Management


Security Information and Event Management (SIEM) [1] is a system that gathers security logs from multiple sources and correlates the logged events so that analysts can focus on the events that matter. A SIEM ecosystem is designed to address the requirements of a wide range of customers, from large enterprises to managed security service providers (MSSPs) that manage thousands of individual customer environments.

Key features include near real-time visibility for threat detection and prioritization, delivering visibility
across the entire IT infrastructure. It reduces and prioritizes alerts to focus investigations on an
actionable list of suspected incidents, enabling more effective threat management while producing
detailed data access and user activity reports.

A SIEM operates on whatever logs the administrator has authorized to be forwarded from syslog sources to the SIEM. Forwarding may be tuned further by setting a minimum severity for log forwarding. Syslog defines eight severity levels, listed here from least to most severe with the numeric code carried in each message’s PRI field (a lower code means a more severe event):

- Debug (7)
- Informational (6)
- Notice (5)
- Warning (4)
- Error (3)
- Critical (2)
- Alert (1)
- Emergency (0)

SIEM provides three primary functions for network security:

Event logging. How systems and applications record and save data showing what events happened, at what time and place, and with what results on the system, in the network, or in an application.
Event correlation. Comparing logged events and grouping like events together to identify significant instances of repeated or associated events.
Incident alerting. Raising alerts for security incidents on the network. [1]

Perhaps the most critical function on which the SIEM concept depends is logging, because it forms the basis for decisions about system and network functions and potential anomalies. Logging is one of the forensic tools that may be used to analyze successful attacks, malware infections, or attempted network intrusions. Although this capability becomes more complex as networks grow and become geographically distributed, it is important to networks of all sizes against modern and future network threats.

In the 1980s, syslog was developed as part of the Sendmail project, but proved so valuable a tool that other applications began using it as well. In today’s IT world, syslog is still the de facto industry standard for security event logging; its message format and transport are standardized in RFC 5424 [2]. Syslog is so entrenched that UNIX-like operating systems use it natively, Windows event logs are commonly converted to syslog by forwarding agents, and the log collection required by regulations such as SOX, PCI DSS, and HIPAA is routinely satisfied with syslog-based tooling. One caveat: classic syslog over UDP is neither authenticated nor encrypted, so logs that will be relied on as evidence should be sent over TLS (RFC 5425) or an equivalently protected channel.
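To make the severity floor, the event correlation step and the two syslog formats concrete, the following Python is an added example (not from the study guide) that parses both RFC 3164 and RFC 5424 lines, keeps only events at or above a configured minimum severity, and correlates failed SSH logins per source into an alert, noting when a burst of failures is followed by a successful login from the same source. The log lines, hostnames and addresses are constructed for the demonstration, and the assumed year for RFC 3164 timestamps (which carry none) is 2016.

```python
"""Parse syslog, apply a forwarding severity floor, and correlate failed logins.

Added example, not from the study guide. The log lines are constructed for
the demonstration; the message texts follow the OpenSSH style but are not
taken from any real system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# RFC 5424 severity names indexed by numeric code; lower is more severe.
SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notice", "informational", "debug"]

RFC5424 = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
                     r"\S+ \S+ (?:-|\[.*?\]) ?(?P<msg>.*)$")
RFC3164 = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) (?P<app>[^:\[]+)(?:\[\d+\])?: ?(?P<msg>.*)$")
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")


def parse_syslog(line, year=2016):
    """Return a dict for one RFC 5424 or RFC 3164 line, or None if unparseable.

    RFC 3164 timestamps carry no year, so one is assumed (a collector would use
    the receive time). UTC offsets are dropped so all timestamps compare."""
    m = RFC5424.match(line)
    if m:
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).replace(tzinfo=None)
    else:
        m = RFC3164.match(line)
        if not m:
            return None
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    pri = int(m["pri"])                       # PRI = facility * 8 + severity
    return {"facility": pri // 8, "severity": pri % 8, "level": SEVERITY[pri % 8],
            "ts": ts, "host": m["host"], "app": m["app"], "msg": m["msg"]}


def forwardable(events, min_level="informational"):
    """Keep events at or above the configured floor (numerically <= its code)."""
    floor = SEVERITY.index(min_level)
    return [e for e in events if e["severity"] <= floor]


def correlate_bruteforce(events, threshold=3, window=timedelta(seconds=60)):
    """Alert when one source produces `threshold` failed logins inside `window`,
    and mark the alert if the same source later logs in successfully."""
    recent = defaultdict(list)               # src -> failure timestamps inside the window
    alerts = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        failed = FAILED.search(e["msg"])
        if failed:
            src = failed.group(2)
            recent[src] = [t for t in recent[src] if e["ts"] - t <= window] + [e["ts"]]
            if src in alerts:
                alerts[src]["count"] += 1
                alerts[src]["last"] = e["ts"]
            elif len(recent[src]) >= threshold:
                alerts[src] = {"src": src, "host": e["host"], "count": len(recent[src]),
                               "first": recent[src][0], "last": e["ts"],
                               "followed_by_success": False}
            continue
        accepted = ACCEPTED.search(e["msg"])
        if accepted and accepted.group(2) in alerts:
            alerts[accepted.group(2)]["followed_by_success"] = True
    return list(alerts.values())


def analyze(lines, min_level="informational"):
    """Full pipeline: parse, apply the forwarding floor, correlate."""
    events = [e for e in map(parse_syslog, lines) if e]
    kept = forwardable(events, min_level)
    return kept, correlate_bruteforce(kept)


# Constructed sample log: auth.info = PRI 38, authpriv.info = 86, user.debug = 15, user.err = 11.
SAMPLE_LOG = [
    "<38>Feb  1 10:15:01 fw-branch1 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "<38>Feb  1 10:15:03 fw-branch1 sshd[2201]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "<38>Feb  1 10:15:05 fw-branch1 sshd[2201]: Failed password for admin from 203.0.113.7 port 51024 ssh2",
    "<86>Feb  1 10:15:09 fw-branch1 sshd[2201]: Accepted password for admin from 203.0.113.7 port 51025 ssh2",
    "<15>1 2016-02-01T10:16:00Z fw-branch1 mgmtd - - - policy lookup id=12 (debug trace)",
    "<11>1 2016-02-01T10:16:30Z fw-branch1 mgmtd - - - heartbeat lost on port3",
    "<38>Feb  1 10:20:40 fw-branch1 sshd[2215]: Failed password for ops from 198.51.100.9 port 40001 ssh2",
]

if __name__ == "__main__":
    kept, alerts = analyze(SAMPLE_LOG)
    print(f"forwarded {len(kept)} of {len(SAMPLE_LOG)} events")
    for alert in alerts:
        print(alert)
```

Two design points carry over to a real deployment. The severity floor is applied before correlation, so raising the floor to drop noise also blinds the correlation rule to anything logged below it; a brute-force rule that depends on auth.info events cannot live behind a floor of warning. And the success-after-failures flag is what turns a routine alert into an incident: three failures are noise, three failures followed by an accepted login from the same source deserve a forensic look at that session.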

Because logging is a necessity for networks of every size, resource balancing is an important consideration. Just as an organization decides whether IaaS, PaaS, or SaaS best suits its application services, it must choose a logging/reporting method; for an SMB, cloud-based event logging is usually the most cost-effective. Other organizations may opt for standalone logging/reporting solutions to manage more effectively the logs collected from multiple security devices.

Network Visibility
Network visibility refers to administrators’ ability to know what type of traffic is crossing their network, including web, application, email, and other traffic. It allows bandwidth to be optimized for business-critical applications. Because modern and emerging threats exploit different traffic types in different ways, network visibility is a key capability in the administrator’s arsenal, providing the opportunity to achieve:

- Network monitoring and faster troubleshooting
- Application monitoring and profiling
- Capacity planning and network trends
- Detection of unauthorized WAN traffic

Figure 5. Network visibility benefits.

Network visibility is of the utmost importance to security administrators. This includes visibility of every
component of the network, including remote components geographically separated as part of a large
distributed enterprise network. In order to adequately monitor system and network security events, the
security administrator must have access to logging from across the entire infrastructure, including
firewalls, email gateways, endpoint devices, and other network components, both physical and virtual.

Network visibility must be treated as a cyclical process in order to be effective. As illustrated in Figure 5, network visibility provides a wealth of information about many facets of network operations. All of this data, however, is wasted if it is not used to inform analyses that may improve network operations and security. For this reason, network visibility data should feed reporting on network operations and be used in developing future plans and policy.

Summary
Security management provides vulnerability assessment, automated remediation, and configuration management in an environment that offers complex protection with simplified administration. The goal of security management is to reduce security risk through proper configuration and compliance.

Across all sizes and types of networks, security management provides customization and automation that assist network security administrators: administrative domains segment users, firewall and global policy packages enable rule reduction and optimization, and auditing provides oversight of compliance, workflow, approvals, and forensic tracing.

Security Information and Event Management (SIEM) provides a wide range of administrator services in
managing logged events and analysis to correlate and determine the most appropriate security
measures, policy updates, and reactions to network incidents.

Network visibility provides administrators with the end-to-end monitoring, troubleshooting, profiling, and analysis tools needed to plan for and address modern and emerging threats to the network. Adept management, using the right analytics to inform decisions and actions, is key to establishing and maintaining an efficient and secure network environment.


Key Acronyms
AAA      Authentication, Authorization, and Accounting
AD       Active Directory
ADC      Application Delivery Controller
ADN      Application Delivery Network
ADOM     Administrative Domain
AM       Antimalware
API      Application Programming Interface
APT      Advanced Persistent Threat
ASIC     Application-Specific Integrated Circuit
ASP      Analog Signal Processing
ATP      Advanced Threat Protection
AV       Antivirus
AV/AM    Antivirus/Antimalware
BYOD     Bring Your Own Device
CPU      Central Processing Unit
DDoS     Distributed Denial of Service
DLP      Data Leak Prevention
DNS      Domain Name System
DoS      Denial of Service
DPI      Deep Packet Inspection
DSL      Digital Subscriber Line
FTP      File Transfer Protocol
FW       Firewall
Gb       Gigabit (GB: Gigabyte)
GbE      Gigabit Ethernet
Gbps     Gigabits per second
GSLB     Global Server Load Balancing
GUI      Graphical User Interface
HTML     Hypertext Markup Language
HTTP     Hypertext Transfer Protocol
HTTPS    Hypertext Transfer Protocol Secure
IaaS     Infrastructure as a Service
ICMP     Internet Control Message Protocol
ICSA     International Computer Security Association
ID       Identification
IDC      International Data Corporation
IDS      Intrusion Detection System
IM       Instant Messaging
IMAP     Internet Message Access Protocol
IMAPS    Internet Message Access Protocol Secure
IoT      Internet of Things
IP       Internet Protocol
IPS      Intrusion Prevention System
IPSec    Internet Protocol Security
IPTV     Internet Protocol Television
IT       Information Technology
J2EE     Java Platform, Enterprise Edition
LAN      Local Area Network
LDAP     Lightweight Directory Access Protocol
LLB      Link Load Balancing
LOIC     Low Orbit Ion Cannon
MSP      Managed Service Provider
MSSP     Managed Security Service Provider
NGFW     Next Generation Firewall
NSS      NSS Labs
OSI      Open Systems Interconnection
OTS      Off the Shelf
PaaS     Platform as a Service
PC       Personal Computer
PCI DSS  Payment Card Industry Data Security Standard
PHP      PHP: Hypertext Preprocessor
POE      Power over Ethernet
POP3     Post Office Protocol (v3)
POP3S    Post Office Protocol (v3) Secure
QoS      Quality of Service
RADIUS   Remote Authentication Dial-In User Service
RDP      Remote Desktop Protocol
SaaS     Software as a Service
SDN      Software-Defined Network
SEG      Secure Email Gateway
SFP      Small Form-Factor Pluggable
SFTP     Secure File Transfer Protocol
SIEM     Security Information and Event Management
SLA      Service Level Agreement
SM       Security Management
SMB      Small & Medium Business
SMS      Short Message Service
SMTP     Simple Mail Transfer Protocol
SMTPS    Simple Mail Transfer Protocol Secure
SNMP     Simple Network Management Protocol
SPoF     Single Point of Failure
SQL      Structured Query Language
SSL      Secure Sockets Layer
SWG      Secure Web Gateway
SYN      Synchronization packet in TCP
Syslog   System Logging protocol
TCP      Transmission Control Protocol
TCP/IP   Transmission Control Protocol/Internet Protocol
TLS      Transport Layer Security
TLS/SSL  Transport Layer Security/Secure Sockets Layer
UDP      User Datagram Protocol
URL      Uniform Resource Locator
USB      Universal Serial Bus
UTM      Unified Threat Management
VDOM     Virtual Domain
VM       Virtual Machine
VoIP     Voice over Internet Protocol
VPN      Virtual Private Network
WAF      Web Application Firewall
WAN      Wide Area Network
WANOpt   Wide Area Network Optimization
WLAN     Wireless Local Area Network
XSS      Cross-site Scripting


References
1. Tam, K., et al. UTM Security with Fortinet: Mastering FortiOS. Waltham, MA: Syngress/Elsevier, 2013.
2. Gerhards, R. The Syslog Protocol. RFC 5424, IETF, March 2009.
