Illinois data center posts virtual guard

Illinois legislative network analysts detect cyberattacks by consolidating reports from network perimeter devices.

Early warning system analyzes patterns, puts out an alarm as cyberattacks occur

The Illinois Legislative Information System, a data fortress protected by electronic moats and drawbridges, had a chink in its armor until recently.

It lacked an alarm to sound in the event of a cyberattack, and there are hundreds each day, said Jim Patterson, an ILIS systems analyst.

ILIS supports the legislative data center's databases of bills, resolutions, journals, calendars, committee reports and other legislative documents. Its network has 600 users and links to 500 other networks.

ILIS had 'basically all the security products you could want,' Patterson said, 'seven or eight Cisco PIX firewalls, a Cisco access control server and a series of secure intrusion-detection systems.'

What it didn't have was a way to collate all the information quickly to find security breaches as they occurred. Managing and analyzing so much data manually was difficult if not impossible.

So Patterson's team installed security information management software from NetForensics Inc. of Edison, N.J. Written in Java, NetForensics collects the network perimeter activity data from firewalls and intrusion-detection devices.

On the alert

NetForensics looks at patterns, said Maria DiMarco, the company's vice president of marketing.

'If an e-mail server receives a message and at the same time turns around and sends a message, that's an indication that something abnormal might be going on,' DiMarco said. 'It might be a virus of some sort.' In a typical network attack, an intruder leaves traces that might not appear significant to a firewall, 'like someone jiggling the locks,' she said.

DiMarco likened it to December's close shave involving Richard Reid, the so-called shoe bomber aboard American Airlines Flight 63. 'There were all these indications ahead of time that he was up to no good,' DiMarco said, but they were separate, and no one put them together.

Patterson said NetForensics generates easy-to-read color graphs and reports showing, for example, the top 10 IP addresses that tried to access the network in the last half-hour or the last five days.

'Most of the intrusion attempts are people just knocking on the door to see if they can get in,' Patterson said. 'If somebody is doing something more sweeping, we need to know about that.'

Battering rams

NetForensics rates events by their severity, from one (least serious) to five (most serious). 'You can pull up a color chart of all the Level 5 severity attacks in the last hour or week,' Patterson said.
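The two views Patterson describes, the top source addresses over a recent window and every Level 5 event in the last hour, come down to normalising records from several perimeter devices into one schema and then filtering on time and severity. The Python below is an added illustration, not NetForensics' or ILIS's code: the PIX and IDS line shapes, the mapping from syslog level onto the 1-to-5 scale, and the log lines themselves are all constructed for the example.

```python
"""Toy consolidation step in the spirit of a SIM: normalise PIX firewall syslog and IDS
alerts into one record, then answer "top N sources in a window" and "level-5 events in a
window". Formats, severity mapping and log lines are constructed, not real schemas."""
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple

class Event(NamedTuple):
    when: datetime
    device: str
    src_ip: str
    severity: int  # 1 = least serious ... 5 = most serious, the article's scale
PIX_RE = re.compile(r"^(\S+) (\S+) %PIX-(\d)-\d+: (.*)$")                # constructed shape
IDS_RE = re.compile(r"^(\S+) (\S+) ALERT sev=(\d) src=([\d.]+) msg=.*$")  # constructed shape

def pix_severity(syslog_level: int) -> int:
    """Assumed mapping of syslog level 0..7 (0 most severe) onto the 1..5 scale."""
    return max(1, min(5, 5 - syslog_level // 2))

def parse(line: str) -> Optional[Event]:
    """Normalise one line from either device type; lines matching neither are dropped."""
    m = PIX_RE.match(line)
    if m:
        ip = re.search(r"outside:([\d.]+)/", m.group(4))  # first outside-interface address
        return Event(datetime.fromisoformat(m.group(1)), m.group(2),
                     ip.group(1), pix_severity(int(m.group(3)))) if ip else None
    m = IDS_RE.match(line)
    if m:
        return Event(datetime.fromisoformat(m.group(1)), m.group(2), m.group(4), int(m.group(3)))
    return None

def top_sources(events, now, window, n=10) -> List[Tuple[str, int]]:
    """Source addresses with the most events in the window (article: top 10, last half-hour)."""
    return Counter(e.src_ip for e in events if now - window <= e.when <= now).most_common(n)

def at_level(events, level, now, window) -> List[Event]:
    """Events at one severity level in the window (article: Level 5, last hour)."""
    return [e for e in events if e.severity == level and now - window <= e.when <= now]

# Constructed sample feed from two firewalls and one IDS sensor (documentation addresses).
LOG = """\
2002-03-14T10:31:07 pix1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/4410 dst inside:10.1.1.20/25 by access-group "outside_in"
2002-03-14T10:31:09 pix1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/4411 dst inside:10.1.1.20/80 by access-group "outside_in"
2002-03-14T10:32:02 ids1 ALERT sev=5 src=198.51.100.7 msg=SMTP worm propagation signature
2002-03-14T10:40:40 pix2 %PIX-4-106023: Deny tcp src outside:203.0.113.9/51000 dst inside:10.1.1.21/445 by access-group "outside_in"
2002-03-14T08:00:00 pix1 %PIX-6-302013: Built inbound TCP connection 12 for outside:192.0.2.5/3333 (192.0.2.5/3333) to inside:10.1.1.20/80 (10.1.1.20/80)
2002-03-14T10:45:00 ids1 ALERT sev=2 src=203.0.113.9 msg=Port sweep
"""
EVENTS = [e for e in map(parse, LOG.splitlines()) if e]
NOW, HALF_HOUR, ONE_HOUR = datetime(2002, 3, 14, 10, 50), timedelta(minutes=30), timedelta(hours=1)
```

The 08:00 connection record is normalised like the rest but falls outside both windows, which is the point of querying by time rather than scrolling raw device logs.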

NetForensics comes bundled with the Oracle 8.1.6 database management system. Patterson runs NetForensics on a Linux platform.

'We get 30G worth of e-mail messages on our hard drive in five days,' he said. NetForensics sifts through all of them, too. It alerted Patterson before last year's Nimda and Code Red worms struck, and the ILIS network stayed worm-free.

About the Author

Trudy Walsh is a senior writer for GCN.
