Reconnex inSight / iGuard 7.0.0.
Reconnex Corporation Copyright ©2008 by Reconnex Corporation. All rights reserved. Reconnex™ is the trademark of Reconnex Corporation. All other trademarks are the property of their respective holders. Reconnex iGuard, inSight Console, and Discover are Class A digital devices, pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment.
iGuard/inSight User Guide
Contents
The Reconnex Solution .... 1
Reconnex Centralization .... 1
Features of Release 7.0.0.4 .... 2
Reconnex Architecture
Managing Cases .... 49
Create a Case from the Incident List .... 50
Create a Case .... 51
Assign a Case
Use Logical Operators .... 87
What are Policies? .... 88
Standard Policies .... 88
Regulatory Policies
System Monitor .... 119
Alerts .... 119
Alert Types .... 120
Filter Alerts
View Objects .... 156
System Logging .... 157
Managing Disk Space .... 159
Using Directory Services
The Reconnex Solution
Reconnex iGuards are at the heart of the Reconnex solution. They capture, classify and process all information on a network, regardless of protocol or object type. They are high-speed, non-intrusive, passive security appliances that collect, classify, analyze and store network data. Reconnex is the only vendor with a before, during and after approach to information protection.
The inSight appliance takes over iGuard tasks such as customizing policies and assigning privileges to users, allowing iGuards to focus on core tasks such as capturing and analyzing network data. It also expands iGuard's reporting capabilities into an enterprise-wide case management structure.

Features of Release 7.0.0.4
This release contains an extensive list of new features and has a completely redesigned interface.

Reconnex Architecture
Reconnex architecture supports both 32- and 64-bit platforms; the 64-bit platform gives access to expanded memory, so a single process can use more resources when capturing, analyzing and searching data. iGuard systems are built on 64-bit hardware that can address up to 16 GB of SDRAM, or on 32-bit hardware, which is limited to 4 GB.

Use Cases
The standard policies shipped with iGuard contain rules that automatically capture many of the incidents that direct searches would find, but you can use one of the sample use cases below to deal with common scenarios quickly.

Find encrypted traffic
Insiders attempting to conceal illegal activity or steal intellectual property routinely use encryption. This use case helps you identify the sources and destinations of encrypted traffic on your network.

Find traffic to and from foreign nationals
Loss of intellectual property to emerging markets has cost U.S. companies billions of dollars. This use case helps you identify who your employees are communicating with outside the country.

Find postings to social networking sites
Employees who are deeply engaged in their relationships on these sites may not realize how much productivity is lost, or how much sensitive information is leaked, when they use Web 2.
3. Select the equals condition.
4. Click on the "?" to launch the Values palette.
5. Select SMTP from the Mail list. Note: You can just type it in if you prefer.
6. Apply.
7. Select the Protocol element.
8. Select Port from the drop-down menu.
9. Select the not equal condition.
10. Type "25" into the Value field. Note: Because the entry is numeric it cannot be selected from a palette. If you select the "?", the online help for port searches will launch.
11. Click Search.
12. Select Group by Detail from the dashboard header. This gives you a graphical picture of the results. In this case, you can see that port 1 was used instead of the expected port 25.

Find Data Leaked in the Past
If you suspect a document containing proprietary information leaked at some time in the past, you can use a historical search to find out if, when and where the information left your network.
4. If you have an idea of when the leak may have occurred, select a time period.
5. Search. Your results show when and where the document was found.
Note: When you search captured data directly, results are reported in an ad hoc search group, as if the query had created its own policy.

Digest Search
To find a specific document, you can generate a compact digital signature (a message digest) from the document and then search for it. This requires command line access to iGuard; contact Reconnex Technical Support if you need help getting to the back end of the machine to execute this process.
1. Log in as root to any Unix-based machine. This procedure is just one way to generate a signature.
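As an added example (not Reconnex's procedure and not code from this guide), the following Python program generates a digest for a document and searches a set of captured objects for an identical one. The algorithm (SHA-256), the sample document and the captured objects are assumptions constructed for the example; the guide does not say which digest iGuard stores. On a Unix-based machine the same digest can be produced with sha256sum (or md5sum for MD5), and computing a digest does not itself need root privileges.

```python
import hashlib
import tempfile
from pathlib import Path

# Which digest algorithm iGuard stores is not stated in the guide; SHA-256 is
# assumed here. Any algorithm hashlib knows (e.g. "md5") can be substituted.
ALGORITHM = "sha256"


def file_digest(path: str, algorithm: str = ALGORITHM, chunk_size: int = 1 << 20) -> str:
    """Digest a file in chunks so large documents need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def bytes_digest(data: bytes, algorithm: str = ALGORITHM) -> str:
    return hashlib.new(algorithm, data).hexdigest()


# Constructed stand-in for captured objects as (object id, raw bytes); not iGuard data.
ORIGINAL = b"CONFIDENTIAL\r\nQ3 price list: widget 12.50, gadget 99.00\r\n"
CAPTURED = [
    ("smtp-attach-1", ORIGINAL),                              # byte-for-byte copy
    ("webmail-attach-2", ORIGINAL.replace(b"\r\n", b"\n")),   # same text, re-saved with LF endings
    ("http-post-3", b"Lunch menu: soup, salad\n"),            # unrelated object
]


def digest_search(target: str, captured=CAPTURED, algorithm: str = ALGORITHM) -> list:
    """Return the ids of captured objects whose digest equals the target digest."""
    return [obj_id for obj_id, data in captured if bytes_digest(data, algorithm) == target]


def file_matches_captured(path: str) -> list:
    """The workflow described above: digest the suspect document, then search for it."""
    return digest_search(file_digest(path))


def demo_roundtrip() -> list:
    """Write ORIGINAL to a temporary file and search for it by digest."""
    with tempfile.TemporaryDirectory() as tmp:
        p = Path(tmp) / "price_list.txt"
        p.write_bytes(ORIGINAL)
        return file_matches_captured(str(p))


if __name__ == "__main__":
    print(demo_roundtrip())
```

The exact-match nature of a digest is the caveat to keep in mind: the second captured object is the same document re-saved with different line endings, and it does not match. A document re-saved by a word processor, with changed metadata, or re-encoded in transit will not match either. A digest search finds verbatim copies; use content-type and concept searches for modified copies.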
5. Click on the "?" to launch the Values palette.
6. Select Crypto from the Protocol list. Note: You can just type it in if you prefer.
7. Search. When results are launched, you will see a listing of all encrypted files found.

Find FTP Traffic Containing Source Code
If an employee is leaving the company, you may want to check whether that person is attempting to take source code with them.
1. Go to Capture > Advanced Search.
2. Select the Content category.
3. Select the Content Type element.
4. Select the equals condition.
5. Define the type of source code by selecting "?" and checking the appropriate boxes.
You can narrow the search if you know what kind of compression may have been used on the file(s).
6. Apply.
7. Select the green plus sign under the Content Type element.
8. Click on the "?" to launch the Content Type palette.
9. Check the possible file type(s) under Compressed and Archive Formats.
10. Apply.
11. Select the Protocol category.
12. Select the equals condition.
13.
FTP is commonly used to transmit large files, but other transport protocols can be selected from the Protocol palette.
14. Apply.
15. Search. If a match is found, your dashboard results will be launched. If not, a No Match Found status will be reported at the top of your dialog box.
Find Postings to Social Networking Sites
Employees sometimes post personal information to popular online blogs and websites. To keep this from becoming a productivity problem, you can have iGuard find and report these postings.
1. Go to Policies > Concepts > Add Concepts.
2. Name the concept (use only uppercase characters).
3. Describe the concept.
4. Enter one or more expressions identifying the site. Use the Upload Expressions field for multiple sites.
5. Save.
NOTE: You can just type the concept into the Value field if you prefer.
7. Apply.
8. Search.
Another approach is to use the factory default BLOGPOST concept instead. Currently it is set to recognize deadspin.com, fuckedcompany.com, digg.com and slashdot.org, but it can be edited by your technical service representative to find postings to any site you find problematic. Transmissions to specific sites can also be revealed by doing a simple URL search.
done using Source and Destination IP addresses, which help you to identify where your traffic is coming from and where it is going.
1. Go to Capture > Basic Search.
2. Pull down the Input Type menu.
3. Select Location.
4. Click on the "?" to launch the Values palette.
5. Select countries you think may be sending or receiving transmissions. Note: You can type in the names of the countries if you prefer.
6. Apply.
When you find related results, you can filter them to reveal additional patterns and give you a summary view of the results.
7. Select Group Detail from the dashboard header. In this case, the data is divided into content and location, and only the first five entries are shown. This changes the view of the data so that you can see what type of content was found and where it was sent.
Note: Because IP addresses change continually, you will need to link a DHCP server to a 7.1.
Find Traffic to Gambling or Adult-Oriented Sites
Use of the Internet in the workplace has the potential to be a major distraction, allowing employees to play games, engage in online gambling, or visit adult-oriented sites. Some of these activities are automatically covered by standard policies (e.g., Acceptable Use, Legal, Human Resources), but searching network traffic using iGuard's standard concepts can help you find evidence of such activity quickly.
1.
Note: If you select more than one concept, a logical OR condition is implemented. This is indicated by a comma between the two concepts in the Value field.
7. Apply.
8. Search. When your results launch, they will include the words and phrases that were found and that were defined in the concept.

Find Transmission of Financial Information
Searching using iGuard's standard concepts is a quick and easy way to find out whether any of your financial information is at risk.
1. Go to Capture > Advanced Search.
2. Open the Content category.
3. Select the Concept element.
4. Select the equals condition.
5. Click on the "?" to launch the Values palette.
6. Select the four standard financial concepts. These concepts contain words and phrases that identify a broad range of financial content. You can get an idea of what is contained in those concepts by going to Policies > Concepts > Factory Default for a summary of each.
7. Apply.
8. Search.

Get Statistics on Web Sites Visited
You can do a custom search using any URL to find out how often that site is visited and by whom.
1. Go to Capture > Basic Search.
2. Select the Custom input type.
3. Enter the web site's URL.
Investigate a User's Online Activity
You may need to monitor online activity for an employee if you suspect company policies are being violated. You can do this by finding a UserID, email address, hostname or IP address that identifies the user, then constructing a search to retrieve all information under that identifier.
1. Go to Capture > Advanced Search.
2. Open the Sender/Recipient category.
3. Identify the user by selecting an Email address, UserID or IP address.
6. Click Search.
You may prefer to target the search for specific elements by using a more complex command line query. In this case, the user's local hostname is known, so it is entered using the location identifier. To use the location function (loc:) to identify the user's hostname you must have DHCP enabled on a 7.1.x iGuard. Additional information can be added on the command line to narrow the query.
But when you get the results of the search you are using to create the rule, you notice that your Finance department employees have every right to transmit and receive the data that others should not be touching. To exclude those employees from the search for sensitive financial information, create an email alias under the Sender/Recipient category to represent them (if there were just one or two employees, you could use their email addresses instead).

Using the System
If you are using an inSight Console, it is the central management point for multiple iGuards. Work that would otherwise be done on each standalone iGuard is shifted away from the managed-mode appliances to the console, which makes your network security easier to manage.
Custom Dashboard Viewing
You can rearrange the columns of the dashboard to give you the information you need at a glance.
1. On the Monitor dashboard, select the Edit Columns icon.
2. Use the table that launches to move the categories you consider most important into a default viewing configuration. For example, if you are searching for images, you may find the ThumbnailMatch column most useful.
Note: The Details column is crucial if you want to drill down into your results to access the original object that triggered the capture.
Once you have decided on the columns you need, you can change their placement by selecting and moving them to different positions.
Note: If you customize columns on the dashboard, the configuration carries over to other pages. If you save reports, you can preserve those views and use them again.

Get Incident Details
When you open an incident, you can drill down into the item displayed to get more information.
1. On the line item in the Incident List, click on the Details icon.
2. Click on any link in the Incident Details window to get more information. In this case, you can see that a Word document has been transported as a Webmail attachment.
3. If there is another link within that document, click it. The last link you are able to select is probably the database object that triggered the incident.
4. Click on the Match tab above the Incident Details. This shows you the text that was flagged by the capture engine. You can verify the captured text by opening the document from the Incident tab. Some part of that document may tell you why the incident was reported, for example
5. Click on the Concepts tab above the Incident Details. If a concept was used to flag an incident, this tells you which one.
6. Click on the Case tab above the Incident Details. This shows you whether or not a case was filed on this incident, and if so, gives all of the relevant information about the case.
7. Click on the History tab above the Incident Details. This tells you who has looked at this incident and what action they took when viewing it.

Sort Incidents
Use the Actions menu to sort any incident or group of incidents into a configuration that helps you manage them more easily. Assigning attributes to an incident extends its usefulness. For example, if an incident requires further investigation, you can assign a case to it and keep its status up to date by using the Modify Resolution menu.

Find Transmissions between Users
1. Enter DestinationIP equals and enter an IP address.
2. Filter by SourceIP equals and enter an IP address.
3. Apply.
If you do not have the IP addresses of the users you want to track, you can use Hostname, Sender, UserEmail or UserID in place of SourceIP and DestinationIP.

Find Posts to a Message Board
1. Select a time period within which the postings may have occurred.
2. Add a filter using the green plus sign.
3.

Find Office Document Violations
1. Select Content equals from the first two drop-down menus.
2. Check office document types in the window that launches.
3. Apply.
This filter finds whether or not Word or Excel documents with the subject "Price List" are present in captured data.

Find Policy Violations by a Specific User
This filter finds any violations of a specific policy by a specific user.
Alternatively, you can mark them as false positives or mark them for deletion later.

Filter by Time
Because iGuard captures everything on your network, you must limit the amount of data to be scanned. Start any viewing of incidents by first filtering by time.
Note: Make sure you have captured data available for the period you specify. If you select a date range before your iGuard started capturing, you will not get any results.
Tip: If you are not getting results from a query, try resetting your timestamp filter.
Besides selecting approximate dates, you can specify exact date ranges. Pull down the menu under Timestamp and select Custom Dates, then click on the "?" and select your starting and ending dates.
You can combine timestamp settings with Group by... attributes to expand your options.

Filter by Group
The Group by feature helps you to view your captured data in many different ways. iGuard can capture hundreds of different protocols, content types, and attributes. For example, selecting Content from the Group by menu shows you what file types have been captured in the current results.
This example shows that the Content grouping has been focused on Filename and Protocol, producing two hits with those attributes. You can combine timestamp settings with Filter by attributes to expand your options.

Clear Filters Regularly
Important: When you finish using a filter, clear it by selecting Clear All, or it will block all other results.
Now that you see these violations listed, you may want to find out additional information, such as where the numbers are going, when they were sent, and whether or not your HR spreadsheets containing such numbers were among the documents sent. Add some options using the Filter by... utility to ask these questions.
2. Select the green plus sign to add a filter category.
3. Click on the red question mark to launch a palette of choices.
In this example, the user typed in "yahoo.com" to ask the system whether any of the numbers went to an addressee at Yahoo. This user also clicked on the "?" to launch a content types menu, and selected Excel to find out whether any of the numbers sent were in a spreadsheet attachment.

Save a Report
When you save a report, you are either exporting it to save its content or storing the settings you used to extract data from the captured data. When you save report settings, the resulting report is essentially a container using your filter and column configurations for viewing future results.
Important: To save the content of your dashboard data, use the export to PDF and export to CSV features.
1. To save a report, click on the Save Report button on the dashboard.

My Reports
The reports listed under Monitor > My Reports may have been scheduled for you, or you may have sent them to yourself. These report views can be used to regularly monitor the events you consider significant. From these views, you can print and save reports. Reconnex provides some default report types that you can use to see how the dashboard views change when you use filtering and custom configurations.
Schedule a Report
If you schedule a report you want to view on a regular basis, you get an evolving picture of how the incidents and violations flagged by the capture engine change over time.
1.
3. Add a new filter by clicking on the green plus sign.
4. Enter Policy and equals in the first two fields.
5. Type Financial Information in the third field.
6. Apply.
7. On the dashboard, Save Report.
8. Enter a report name.
9. Select Schedule.
10. Add report type, scheduling and notification information.
11. Apply.
Your report will run daily and notify you or the person you designate if it finds anything.
4. Pull down the File menu and print, save the page, import or send a link to it.
Once you have captured the ASCII output, you can import it into a spreadsheet, database or word processing program.

Export a PDF Report
When you save a report, you are either storing the settings you used to extract data from the dashboard, or you are exporting it to PDF or CSV to save its content. You can save any of the incident views (Incident List, Incident Summary, Group Detail) as a PDF report.
3. Update.
4. Select Report Options.
5. Select Export as PDF from the menu.
Note: By default, the PDF launches in a web browser. The browser's navigation bar can be used, but it is not as powerful as the features available in the Acrobat toolbar.
Your company information appears at the bottom of the report.
6. Save a copy, print, zoom, or process your report using any of the other Adobe toolbar icons.

Send Notification of a Report
You can schedule a report to run on a regular basis, create PDF or CSV reports, and email the results.
1. From the dashboard, select a report from the pull-down menu, or create a new report.
2. Go to Save Report.
3. In the Report Properties window, check the Schedule Reports box and schedule the report. The dialog box will expand.
4. Enter the sender and recipient email addresses. For multiple addresses, separate them with a comma and no space.
5. Add a subject and message.
6. Save. Your notification will be sent with the report(s) attached.

Copy Report Views to Users
You may find one or more reports useful enough to pass along to others. For example, suppose your HR Report is catching a lot of items that may be of interest to your legal team. Just check the box of the report you want to share and check the names of the users on your team who would like to use it to find new incidents. Once a new view is saved to My Reports, it can also be scheduled or sent to any other user at regular intervals.

Delete a Report
Any report listed under Monitor > My Reports can be deleted by checking its box and selecting Delete from the pull-down menu above it.
Create a Case from the Incident List
1. In the Incident List, select the incidents you want to investigate.
2. Pull down the Actions menu and select Assign to Case > New Case.
3. In the case window, name and describe the problem.
4. Assign an Owner.
5. Select a Resolution state.
6. Define the Status.
7. Indicate the urgency of the case.
8. Add keywords, if any.
9. Notify the submitter, if desired.
10. Apply.
After you Apply the case, the Case List launches, showing that the case has been added to the list.
Note: You can customize columns for your cases if you want to change the configuration of the information.

Create a Case
Cases are most easily created directly from the Incident List. But you may want to create an empty case to notify a colleague that an investigation must be started on a certain matter.
1. Go to Case > Actions > New Case.
2.
3. Apply.
After you Apply the case, the Case List launches, showing that the case has been added.
Note: You can customize columns for your cases if you want to change the configuration of the information.

Assign a Case
You can assign an incident to a case, or you can assign a case to a new owner. Assigning an incident to a case is essentially the same as opening one.
1. Select one or more incidents.
2. Pull down the Actions menu.
3. Select Assign to Case > New Case.
4. Enter Case Details.
5. Apply. The Case List will launch, displaying the new case.

Export and/or Download a Case
1. To export a case, check its box in the Case List.
2. Pull down the Actions menu and select Export Selected Cases.
3. Confirm or cancel the export. The list of exported files will launch.
Note: Processing time depends on the size of the file. If you have to wait for completion of the export task, the Status column will show In Progress.
4. Click on the zip file to open it, or save it to disk.
5. Click OK.
Note: You must have permission to export cases. To check your permissions, go to System > System Administration > User Administration > Users and click Details to find out what group you are in.
Then you notice that two American Express numbers were located by another regulatory policy, GLBA Compliance. You can add those two American Express incidents to the Visa and MasterCard incidents already in the case.
1. Go to the Monitor tab.
2. Select one or more incidents.
3. Pull down the Actions menu.
4. Select Assign to Case > Existing Case. The Case List will launch showing the available cases.
The Case Details window will launch under the case to which the incident has been assigned.
5. Update the case details and add an explanatory note, if desired.
6. Apply.
7. Clear Filters. The original case list will reappear.
8. Select the Details icon of the case.
9. Scroll down further, below the Case Details, to get more information on the update.
10. Select a tab to see what new information was added to the case.

Change Owner of a Case
1. Go to the Case tab.
2. Select Details for the case you want to modify.
3. Under Case Details, pull down the Owner menu. Groups or individual users may own cases.
4. Select the new owner.
5. Apply.
Tip: If the owner you want to select is not listed, add a new user, then return to this window and complete the reassignment.

Change Priority of a Case
1. Go to the Case tab.
2. Select Details for the case you want to modify.
3.
4. Select the new resolution.
5. Apply.

Change Status of a Case
1. Go to the Case tab.
2. Select Details for the case you want to modify.
3. Under Case Details, pull down the Status menu.
4. Select the new status.
5. Apply.

Before Searching
Because iGuard captures everything on your network, there are vast amounts of searchable data available to you. To get meaningful results, start by narrowing down the amount of captured data.
Command line identifiers can be used alone or as part of a complex query.
Example: Find Word documents containing credit card numbers that originated from Reconnex and left the United States, but did not go to Germany:
concept:CCN cont:MSWord sloc:Reconnex\ California -dloc:Germany,United\ States …

Command Line Identifiers
Use the following identifiers on the Basic Search > Custom command line.
Protocol Option
proto: Search by protocol. Example: On the Basic Search > Custom line, enter the protocol identifier followed by one or more protocols: proto:FTP,HTTP
Dimension Options
size: Search by content size or range. Example: On the Basic Search > Custom line, enter the size identifier followed by a size in kilobytes: size:1024-2000
Time Options
gmtime: / localtime: Search by time and date. Example: On the Basic Search > Custom line, enter a local or Greenwich Mean time in a tex
concept: Search by concept. Example: On the Basic Search > Custom line, enter the concept identifier followed by one or more standard or custom concept names: concept:SSN,CCN,URL,ZIP

Country Codes for Location Searching
Command line location queries require the following country codes.
Central America and the Caribbean: Anguilla AI; Antigua and Barbuda AG; Aruba AW; Bahamas BS; Barbados BB; Belize BZ; Cayman Islands KY; Costa Rica CR; Cuba CU; Dominica DM; Dominican Republic DO; El Salvador SV; Grenada GD; Guadeloupe GP; Guatemala GT; Haiti HT; Honduras HN; Jamaica JM; Martinique MQ; Montserrat MS; Netherlands Antilles AN; Nicaragua NI; Panama PA; Trinidad and Tobago TT; Turks and Caicos Islands TC; Saint Vincent and the Grenadines VC; Saint Kitt
Middle-East and Asia: Afghanistan AF; Armenia AM; Azerbaijan AZ; Bahrain BH; Bangladesh BD; Bhutan BT; Brunei BN; Cambodia KH; China CN; Georgia GE; Hong Kong HK; India IN; Indonesia ID; Iran IR; Iraq IQ; Israel IL; Japan JP; Jordan JO; Kazakhstan KZ; Korea, Democratic People's Republic KP; Korea, Republic of KR; Kuwait KW; Kyrgyzstan KG; Lao People's Democratic Republic LA; Lebanon LB; Libyan Arab Jamahiriya LY; Macau MO; Malaysia MY; Mongolia MN; Myanmar
Palestinian Territory PS; Philippines PH; Qatar QA; Saudi Arabia SA; Singapore SG; Sri Lanka LK; Syrian Arab Republic SY; Taiwan TW; Tajikistan TJ; Thailand TH; Turkmenistan TM; Turkey TR; United Arab Emirates AE; Uzbekistan UZ; Vietnam VN; Yemen YE
Asia-Pacific: American Samoa AS; Asia_Pacific Region AP; Australia AU; British Indian Ocean Territory IO; Cook Islands CK; Fiji FJ; French Polynesia PF; French Southern Territories TF; Guam GU; Kiribati KI; Marshal
Norfolk Island NF; Northern Mariana Islands MP; Palau PW; Papua New Guinea PG; Samoa WS; Solomon Islands SB; Tokelau TK; Tonga TO; Tuvalu TV; United States Minor Outlying Islands UM; Vanuatu VU; Wallis and Futuna WF
Africa: Algeria DZ; Angola AO; Benin BJ; Botswana BW; Burkina Faso BF; Burundi BI; Cameroon CM; Cape Verde CV; Central African Republic CF; Chad TD; Comoros KM; Congo CG; Cote D'Ivoire CI; Djibouti DJ; Egypt EG; Equator
Ghana GH; Guinea GN; Guinea-Bissau GW; Kenya KE; Lesotho LS; Liberia LR; Madagascar MG; Malawi MW; Mali ML; Mauritania MR; Mauritius MU; Morocco MA; Mozambique MZ; Namibia NA; Niger NE; Nigeria NG; Reunion RE; Rwanda RW; Sao Tome and Principe ST; Senegal SN; Seychelles SC; Sierra Leone SL; Somalia SO; South Africa ZA; Sudan SD; Swaziland SZ; Tanzania TZ; Togo TG; Tunisia TN; Uganda UG; Zambia ZM; Zimbabwe ZW
Antarctica: Antarctica AQ; Bouvet Island BV; Heard Island and McDonald Islands HM
Europe: Albania AL; Andorra AD; Austria AT; Belarus BY; Belgium BE; Bosnia and Herzegovina BA; Croatia HR; Cyprus CY; Czech Republic CZ; Denmark DK; Estonia EE; Europe EU; Faroe Islands FO; Finland FI; Germany DE; Gibraltar GI; Greece GR; Greenland GL; Holy See (Vatican City State) VA; Hungary HU; Iceland IS; Ireland IE; Italy IT; Latvia LV; Liechtenstein LI; Lithuania LT; Lux
Malta MT; Moldova MD; Monaco MC; Netherlands NL; Norway NO; Poland PL; Portugal PT; Romania RO; Russian Federation RU; San Marino SM; Serbia and Montenegro CS; Slovakia SK; Slovenia SI; Spain ES; Sweden SE; Switzerland CH; Ukraine UA; United Kingdom GB; Yugoslavia YU

Create Compound Queries
Each of the Advanced Search categories allows you to do multiple searches. Click on the green plus icon at the end of the Value line to add another query.
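The following Python program is an added example, not part of the Reconnex documentation or product, showing how a query written with the Command Line Identifiers above is evaluated: a space between terms is an AND, a comma inside a value is an OR, a leading minus negates a term, and a backslash escapes a space inside a value (the sloc:Reconnex\ California form in the example query). The captured objects, the body field, and the expressions behind the CCN and BLOGPOST concepts are constructed assumptions; the guide does not say how the shipped concepts are defined. The gmtime: and localtime: identifiers are not modelled.

```python
import re
from typing import Callable

# Constructed sample of captured objects; not real iGuard data. The field names
# mirror the identifiers on this page (cont, proto, sloc, dloc, size in KB);
# "body" holds the object's extracted text and is an assumption.
CAPTURED = [
    {"id": 1, "cont": "MSWord", "proto": "SMTP", "sloc": "Reconnex California",
     "dloc": "Japan", "size": 1500, "body": "Card on file: 4111 1111 1111 1111"},
    {"id": 2, "cont": "MSWord", "proto": "SMTP", "sloc": "Reconnex California",
     "dloc": "Germany", "size": 1500, "body": "Card on file: 4111 1111 1111 1111"},
    {"id": 3, "cont": "MSWord", "proto": "HTTP", "sloc": "Reconnex California",
     "dloc": "Japan", "size": 40, "body": "Order ref 4111 1111 1111 1112"},
    {"id": 4, "cont": "msword", "proto": "FTP", "sloc": "Reconnex California",
     "dloc": "Japan", "size": 3000, "body": "posted to digg.com: 4111 1111 1111 1111"},
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to reject digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def concept_ccn(text: str) -> bool:
    # 13 to 19 digits with optional space/dash separators, Luhn-validated. How the
    # shipped CCN concept is actually defined is not in the guide; this is an assumption.
    for m in re.finditer(r"\b(?:\d[ -]?){12,18}\d\b", text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return True
    return False


# A concept is a set of expressions and any one of them matching is a hit; the
# sites below are the ones the guide lists for the factory default BLOGPOST concept.
BLOGPOST_SITES = re.compile(r"\b(deadspin\.com|fuckedcompany\.com|digg\.com|slashdot\.org)\b")
CONCEPTS: dict[str, Callable[[str], bool]] = {
    "CCN": concept_ccn,
    "BLOGPOST": lambda text: BLOGPOST_SITES.search(text) is not None,
}


def split_terms(query: str) -> list[str]:
    # A space separates terms (implicit AND); "\ " is a literal space inside a
    # value, as in sloc:Reconnex\ California.
    return [t.replace("\\ ", " ") for t in re.split(r"(?<!\\) +", query.strip()) if t]


def term_matches(term: str, rec: dict) -> bool:
    negate = term.startswith("-")           # a leading "-" negates the whole term
    ident, _, raw = term.lstrip("-").partition(":")
    values = raw.split(",")                 # comma-separated values are ORed
    if ident == "concept":
        for v in values:
            if v not in CONCEPTS:
                raise ValueError(f"unknown concept: {v}")
        hit = any(CONCEPTS[v](rec["body"]) for v in values)
    elif ident == "size":                   # size:LOW-HIGH in kilobytes, or a single size
        low, _, high = raw.partition("-")
        hit = int(low) <= rec["size"] <= int(high or low)
    elif ident in ("cont", "proto", "sloc", "dloc"):
        # Exact, case-sensitive comparison: cont:msword does not match MSWord,
        # which is what the note under Content Types warns about.
        hit = rec[ident] in values
    else:
        raise ValueError(f"unknown identifier: {ident}")
    return hit != negate


def search(query: str, records: list = CAPTURED) -> list[int]:
    """Return the ids of records that satisfy every term of the query."""
    terms = split_terms(query)
    return [r["id"] for r in records if all(term_matches(t, r) for t in terms)]


if __name__ == "__main__":
    print(search(r"concept:CCN cont:MSWord sloc:Reconnex\ California -dloc:Germany,United\ States"))
```

Run against the sample, the guide's own example query returns only object 1: object 2 is excluded because its destination is Germany, object 3 because its digit run fails the Luhn check, and object 4 because cont:msword is not the same content type as cont:MSWord. That last case is the practical consequence of the case-sensitivity note under Content Types, and a common reason a hand-typed query returns No Match Found.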
• Yahoo version 8.1.0.421
• AOL version 4.7.2517
• MSN/Windows Live messenger 8.1.0178
• Windows Messenger 4.7.3001

Distributed Searching
On inSight, you can do searches on any of the iGuards attached to your console. The search procedures are the same as those used on standalone iGuards. If you are doing a Basic Search, you are searching all of the iGuards attached to your inSight Console by default.
Alternatively, you can use the expression condition to type in the name of a standard or custom concept after the concept: identifier.
4. Add a Value.
Tip: If you prefer to type in multiple concept values, use a comma (logical OR) without a space to separate them.
5. Search.
Tip: You can extend any concept search by using logical operators with compound concepts in the expressions field to construct more complex search scenarios.
Note: If you are entering these content types manually, they must be typed exactly as they appear in this table. Changing the case of even a single character causes the query to fail.
Content Types
Formats: C++_Source, Cobol_Source, FORTRAN_Source, Java_Source, JavaScript, LISP_Source, Pascal_Source, Perl_Source, Python_Source, Think_C, Think_Pascal, Verilog_Source, VHDL_Source, XQuery_Source
Mail and Chat Classification: AOL_Chat, Eudora, IMAP, IMAP_Cache, MIME, MSExchange, MSN_Chat, MSOutlook, POP3, RFC822, SMTP, WebMail, Yahoo_Chat
GUI: Desktop Icon, Cursor, ACursor

Search by Digest
A message digest is a compact digital signature used to provide assurance that
iGuard assigns three tokens to each email address: the username, the hostname, and the domain name. By doing a keyword search, you can find incoming or outgoing email by specifying one or more components of the email address. Search terms must be separated by a space, which implicitly denotes the logical AND operator. Go to Capture > Basic Search > Input Type > Keywords. This example finds all email from Reconnex and all mail from any address with a *.com domain extension.
Search by IP Address
You can search for individual IP addresses, a subnet, or a range of addresses.
Note: IP address options can take input in the form of individual addresses separated by commas and ranges separated by commas or dashes (e.g., sip:192.168.1.1,192.168.1.2 or sip: 192.168.1.1-192.168.1.255).
Go to Capture > Basic Search > Input Type > IP Address and enter an IP address. For multiple addresses use a comma; for a range of addresses use a dash.
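A parser for the IP address input syntax just described (comma-separated addresses, dash ranges, optional sip: label), as an added example rather than Reconnex code. It also accepts CIDR notation for the "subnet" case, which is an assumption, since the page does not show how a subnet is written.

```python
import ipaddress
import re

# Optional "sip:" label as shown on the page ("sip: 192.168.1.1-..." with a space is allowed).
_LABEL = re.compile(r"^\s*sip\s*:\s*", re.IGNORECASE)


def parse_ip_query(query):
    """Parse the iGuard IP search syntax into a list of terms.

    Each term is either an ip_network (a single host or, by assumption, a CIDR
    subnet) or a (low, high) tuple for a range written with a dash.
    """
    body = _LABEL.sub("", query, count=1)
    terms = []
    for raw in body.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty term in IP query (stray comma?)")
        if "-" in item:
            lo_text, hi_text = (part.strip() for part in item.split("-", 1))
            lo, hi = ipaddress.ip_address(lo_text), ipaddress.ip_address(hi_text)
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad address range: {item}")
            terms.append((lo, hi))
        else:
            # strict=False lets a host address with a prefix (10.1.2.3/24) through.
            terms.append(ipaddress.ip_network(item, strict=False))
    return terms


def ip_matches(query, address):
    """True when `address` is covered by any term of the query."""
    addr = ipaddress.ip_address(address)
    for term in parse_ip_query(query):
        if isinstance(term, tuple):
            lo, hi = term
            if lo.version == addr.version and lo <= addr <= hi:
                return True
        elif addr.version == term.version and addr in term:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample queries taken from the note above.
    for q in ("sip:192.168.1.1,192.168.1.2", "sip: 192.168.1.1-192.168.1.255"):
        print(q, "->", [str(t) for t in parse_ip_query(q)])
        print("  matches 192.168.1.200:", ip_matches(q, "192.168.1.200"))
```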
Find all of the words
In this search, the AND operator is implied. Because the query does not use the Exact Match function, the terms may be found in any order.
Find the exact phrase
NOTE: All operators, including Exact Match, are case-insensitive. This means that if you search for a term in ALL CAPS, the system will return that term not only in all caps, but in initial caps and/or lowercase as well.
Find at least one of the words
Without the words

Search by Location
To search by location, go to Capture > Basic Search > Input Type > Location.
Note: You can select countries using the "?" at the end of the dialog box, or you can type them in using the country codes.
To do an advanced search by location, go to Capture > Advanced Search > Sender/Recipient > Element > Location. You can use this option to narrow your search based on sender or recipient.
Search by Port Number
Because IANA (Internet Assigned Numbers Authority) maintains a list of well-known port numbers used by UDP and TCP to identify specific processes, you can use a search by port number to find data transmitted by certain services.
Common port assignments
Service   Port #
FTP       20/21
SSH       22
Telnet    23
SMTP      25
HTTP      80
HTTPS     443
POP3      110
NTP       123
NNTP      144
IRC       6667
To do a port search, go to Capture > Advanced Search > Protocol and select the Port element.
Search by Protocol
Searching for a protocol in captured results returns all traffic transmitted using that protocol. You can get results containing specific subsets of a protocol (e.g., HTTPS, HTTP_post, HTTP_response) or all subsets of that protocol.
Note: Some protocols have subsets (e.g., FTP_response, FTP_request). Of these, only FTP, SMTP, POP3 and IMAP are supported from the command line.
Search by Time
All objects captured by iGuard are time-stamped. Defining a time period narrows down the amount of information you are querying, so it should be the first step in defining any search. You can specify a time relative to your current time, or you can specify an exact time.
IMPORTANT: Even if a pull-down menu is set to "Anytime," that search term applies only to the time span you have already set under Monitor > Filter by... .
Search by User ID
If you know a user's handle, you can search for it. Go to Capture > Advanced Search > Sender Recipient. You can also add related queries that may help you locate the user, for example a mail client.
Search for Images
Images can be searched most efficiently by their file types. Go to Capture > Advanced Search > File Information > File Type.
Once it is created, you can use that template repeatedly instead of creating the same query multiple times.
Search for Fleshtone Images
If you are looking for pornographic content or advertising imagery, you can do a search for fleshtones.
Note: Because the standard rules used for finding fleshtones may retrieve too many results, they are deactivated by default. These rules are part of the Acceptable Use policy.
1. Go to Capture > Advanced Search > Content > Concept.
2.
4. Apply.
5. Search.
Search Limitations
Like other search engines, iGuard has some capacity and character limitations.
1. The search limit for all iGuards is 1000 results at a time. This limit is shared by all users.
2. Only 256 searches can be saved as rules. To create more rules by saving searches, you must delete some existing rules. This limit includes the standard rules that are packaged with each appliance.
3.
/> ]]> markup
* control characters
/ escape characters
If you enter any of these characters, you may get one of the following error messages: "Invalid character(s) in the input for the field" or "Search did not complete."
Word Limitations
The following limitations and exceptions are customizable by Reconnex Service Representatives.
Word Stemming
Incomplete or partial words cannot be searched. Words must be entered in their entire form or stemmed.
If your search takes more than 30 seconds to complete, it is backgrounded and you are notified when it completes. A link to the results is sent to the email address of the user who is logged in. That address is displayed under System > User Administration > Users > User Information.
You can develop that template by experimenting with multiple search terms. The following example contains three separate queries that define the three conditions making up the concept "China Traffic". When the "China Traffic" template is used in the Advanced Search window, the capture engine looks for all three of these elements before returning a result matching that description. To use the template, you only have to type it in or select it from the Value "?" palette.
Examples
mailfrom:John AND mailto:Mary + "Confidential"
subj:"Technical Support" || "Administrative Support"
cc:John bcc:Mary && "Human Resources"
URL:"microsoft updates" prot:HTTP_Post
Note: You cannot use AND operators between URLs and email fields.
Use Logical Operators
Use logical operators to form your keyword query.
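An evaluator for the query forms shown in the examples above, run against a constructed captured object; this is an added example, not Reconnex code. It assumes, because the page does not say so, that AND, &&, + and plain adjacency all mean AND, that || means OR and binds more loosely than AND, that a term with no field prefix is matched against the object's content, and that an address's domain token is its last two host labels; it also enforces the page's rule that AND may not join a URL term with an email field.

```python
import re

EMAIL_FIELDS = {"mailfrom", "mailto", "cc", "bcc"}

_TOKEN = re.compile(r'''
    (?P<field>[A-Za-z]+):(?:"(?P<fq>[^"]*)"|(?P<fv>\S+))   # field:value or field:"phrase"
  | "(?P<q>[^"]*)"                                        # "phrase" matched in content
  | (?P<op>&&|\|\||\+|AND)(?=\s|$)                        # logical operators
  | (?P<word>\S+)                                         # bare word matched in content
''', re.VERBOSE | re.IGNORECASE)


def tokenize(query):
    """Split a query into ('term', field_or_None, value) and ('op', 'and'|'or') tuples."""
    tokens = []
    for m in _TOKEN.finditer(query):
        if m.group("op") is not None:
            tokens.append(("op", "or" if m.group("op") == "||" else "and"))
        elif m.group("field") is not None:
            value = m.group("fq") if m.group("fq") is not None else m.group("fv")
            tokens.append(("term", m.group("field").lower(), value))
        elif m.group("q") is not None:
            tokens.append(("term", None, m.group("q")))
        else:
            tokens.append(("term", None, m.group("word")))
    return tokens


def parse(query):
    """Group terms into OR-separated AND groups (AND binds tighter, by assumption)
    and reject AND between a URL term and an email field, as the note above requires."""
    groups = [[]]
    for tok in tokenize(query):
        if tok == ("op", "or"):
            groups.append([])
        elif tok[0] == "term":
            groups[-1].append(tok)
        # an explicit AND is a no-op: adjacent terms are already ANDed (space = AND)
    for group in groups:
        if not group:
            raise ValueError("operator with no term beside it")
        fields = {t[1] for t in group}
        if "url" in fields and fields & EMAIL_FIELDS:
            raise ValueError("AND operators cannot be used between URL and email fields")
    return groups


def email_tokens(address):
    """The three tokens iGuard assigns to an address: username, hostname, domain name
    (domain = last two host labels is an assumption)."""
    user, _, host = address.lower().partition("@")
    domain = ".".join(host.split(".")[-2:])
    return {user, host, domain}


def term_matches(field, value, obj):
    value = value.lower()                      # all matching is case-insensitive
    if field is None:
        return value in obj.get("content", "").lower()
    if field in EMAIL_FIELDS:
        addrs = obj.get(field, [])
        addrs = [addrs] if isinstance(addrs, str) else addrs
        return any(value in email_tokens(a) for a in addrs)
    return value in str(obj.get(field, "")).lower()


def evaluate(query, obj):
    """True when the captured object satisfies the query."""
    return any(all(term_matches(f, v, obj) for _, f, v in g) for g in parse(query))


def query_error(query):
    """Validation message for a query that cannot be used, or None if it parses."""
    try:
        parse(query)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample captured object (not real traffic).
SAMPLE = {
    "mailfrom": "john@mail.example.com",
    "mailto": ["mary@example.com"],
    "cc": ["john@mail.example.com"],
    "bcc": ["mary@example.com"],
    "subj": "Technical Support request",
    "content": "Confidential: Human Resources memo",
    "url": "",
    "prot": "SMTP",
}
```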
What are Policies?
Policies are sets of rules that search your data stream for specific incidents or violations. On iGuard, the standard policies are already created for you and activated by default. The initial results you see on your dashboard are incidents that were found by the rules in each policy. There are two types of policies. Regulatory policies are provided by the iGuard system and are owned by administrators.
Electronic Risk Modules (ERMs)
ERMs (Electronic Risk Modules) are packages of standard policies available on your system. Each ERM is made up of a collection of related rules that monitor a specific type of activity on your network. The default policy set is listed under the Policies tab. ERMs are related to specific areas of business practice or unique industry niches.
Think of the inheritance state as a toggle. If a rule's Inherit Policy State is Enabled, the rule reflects whatever state the policy is in. If it is Disabled, the inheritance link between policy and rule is broken. There are two models for managing the inheritance properties of rules and policies: one is policy-based and the other is rule-based.
4. Select an activation state.
5. Select a publication state by checking a deployment box under Devices.
6. Save. A window is launched showing that your new policy has been added to the list of existing policies.
View a Policy
You can see what rules make up a particular policy if you open it.
1. Go to the Policies tab.
2. Select a policy.
3. Scroll down in the Edit Policy window. The rules for that policy are listed under the policy definition.
Delete a Policy
There are two ways of deleting a policy.
Note: You can delete a policy only if you own it.
1. Go to the Policies tab.
2. Select the Trash icon on the line of the policy you want to delete.
or
1. Check the box of the policy you want to delete.
2. Pull down the Actions menu and select Delete.
Execute a Policy
The ability to execute a policy is determined by the permissions that are set for the group or groups to which a user belongs.
If you do not see the machine you need to publish a policy to, you must first add that device to the network.
4. Save.
Unpublish a Policy
If you are administering a system from an inSight appliance, publishing policies tells each iGuard or Discover appliance on your network what kind of incidents and violations you want its capture engine to find. If you wish, you can publish different policies to each appliance, or you can unpublish those you do not need.
3. Type in the new name. When you start typing, a Save As button will appear. Before saving, make any other changes needed to Owner, State, or Device deployment.
3. Save As. A window will be launched warning you that changing the name of a policy will keep you from viewing incidents related to the original policy.
4. Cancel or select OK to proceed. The renamed policy will be listed in the same position as the original policy.
3. Fill in a new name and description. A Save As button will be added when you start typing the new name.
4. Before saving, make any other changes needed to Owner, State, or Device deployment.
5. Save As. A window is launched displaying your new policy added to the list of existing policies. When you open that policy, you will see that although the settings were copied, the rules were not.
Change Ownership of a Policy
1. Go to the Policies tab.
2.
3. Save. The policy list that is launched shows the change of ownership in the Owner column.
Note: You can change the ownership of a policy you do not own, but only if the owner has assigned a policy edit permission to the group to which you belong.
What is a Rule?
A rule is a component of a policy that specifies exactly what data is to be found on the network.
Note: Rule state is especially significant because you cannot run more than 256 active rules. To activate a 257th rule, you must deactivate an active rule.
View Rules
All rules are components of policies. To view individual rules:
1. Go to the Policies tab.
2. Click on a policy to open it.
3. Scroll down (if necessary) to view its list of rules.
4. To see what is in a rule, click on the rule name.
3. Save Search.
4. Give the new rule a name.
Important: The characters * % @ + # ? , ' " cannot be used in name fields.
7. Using the drop-down Policy menu, attach the new rule to a policy. In this case, you might file the new rule under a policy like Suspicious Activity.
7. Use the drop-down menu to set the Severity.
8. Specify the Inherit Policy State.
1. Go to the Policies tab.
2. Click on a policy.
3. Click on a rule you want to tune, or Add Rule.
4. If not already set, change the Inherit Policy State to Disabled.
5. Define the rule by setting conditions.
Tip: Each iteration of the rule should reflect your "best guess" of the parameters that will yield the results you want.
6. Save.
7. Click on the rule to launch the Edit Rule window.
8. To start testing the rule, Execute search.
9.
In this case, you are excluding the Director of Human Resources, anyone on the Human Resources alias, and a group of addresses in a department that may be transmitting company 9-digit part numbers that resemble Social Security numbers.
Note: You might want to shorten this task by using existing user groups or creating templates to set up departmental aliases.
6. Save.
7. Click on the rule to launch the Edit Rule window.
8.
2. Click on the name of the policy to open it.
3. Click on the name of the rule.
4. Select the Trashcan icon of the rule you want to delete.
5. Confirm or cancel the deletion when prompted.
What is an Action Rule?
An action rule is an extension of an active rule that defines an action to be taken if the rule produces a Hit. It is enabled by Active Directory.
6. If you have a pre-configured Prevent setup, you may capture identities of Manager, Reviewer, Sender and/or Recipients by checking one or more boxes under the "To" field. Consult your administrator to find out if this feature is available to you.
7. You can plug dynamic variables into the Subject and Message fields to cover a variety of situations.
8. Add Subject and Message lines using dynamic variables, or just type in the information you want to convey.
9.
15. If you have a pre-configured Prevent setup, you may extend notification by assigning a Prevent Policy. Consult your administrator to find out if this feature is available to you.
16. Save. The new action rule will be displayed in the window that is launched.
17. Apply the action rule.
Apply an Action Rule
To activate an action rule, you must apply it to an existing rule.
1. Go to the Policies tab.
2. Click on a policy to launch the Edit Policy window.
3.
6. Click on the Action you want to apply.
7. Save. The new action rule is immediately added under the rule's Actions tab.
Note: The rule must be in an Active state to perform the action. If it is not, activate it.
Delete an Action Rule
You can either delete an action rule, or you can delete only the application of the action rule to a rule.
Delete an action that is applied to a rule
1. Go to the Policies tab.
2. Click on a policy to launch the Edit Policy window.
3.
4. Confirm or cancel the deletion.
What is a Concept?
Concepts are pattern-matching devices that use text patterns and/or regular expressions to pull related objects out of captured data. For example, credit cards use a wide range of different numbering patterns. When all of those patterns are collected into a single concept and applied against captured data, any credit card number on the network can be easily recognized.
Consumption
CREDIT-REPORT: Credit report information identifying agencies
DATE-OF-BIRTH: Terms pertaining to Date of Birth, used with other attributes to detect personal information
DINERS: Non-numeric terms pertaining to Diners Club credit cards
DISCONTENT: Key phrases used to indicate frustration and discontent.
JCB: Non-numeric terms pertaining to JCB credit card expression
LAST-NAME: Terms pertaining to last name identifiers to detect large lists of people. This is used with other combinations of attributes.
SECURITY-AGENCIES: Terms that identify mention of security agency domains, e.g. nsa.gov, cia.gov, etc.
6. Upload expressions (optional).
Tip: The Upload Expressions function saves a lot of time if your concept requires many definitions, for example a list of email addresses you want to match.
7. Add regular expressions using the short list in the Add Concept window, or the more comprehensive list in the regular expressions topic.
8. Validate your regular expressions against a real part, product or document number.
Concept Conditions
Applying conditions to concepts you have constructed helps you exert greater control over your queries. When you impose conditions on a concept, iGuard reports a match only if the expressions you defined are found under the conditions you define. Before you impose conditions on a concept, you must edit an existing one or add a new one.
1. Go to the Policies tab.
2. Click on Concepts.
3.
8. Define the number of bytes from the beginning of the captured object within which you want iGuard to find the expression, e.g.:
9. Compare a concept to another expression to define a relationship between the two. In the following example, iGuard reports a match only if a part number is found within exactly 1000 bytes of a Visa number.
\w     any alphanumeric                    \c or \d
\W     not alphanumeric                    ^\w
\s     any space                           [\ \f \n \r \t]
\S     not any space                       ^\s
\p     any space or field delimiter        [\ -\\ :-@ \[-_ {-~ ]
\P     not any space or field delimiter    ^\p
\i     case sensitivity off
\I     case sensitivity on
[...]  character sets, e.g. [3-6a-c] = 3,4,5,6,a,b,c
x-y    character ranges, e.g. T-X = T,U,V,W,X
^      invert, e.g.
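A translator from the concept regex dialect in the table above into Python's re syntax, together with the two concept conditions from the numbered steps above (an offset window from the start of the object, and proximity to a second concept); this is an added example, not Reconnex code. It assumes \c means any letter and \d any digit (inferred from the table's "\w = \c or \d"), applies \i to the whole expression rather than from the point it appears, and uses constructed sample patterns and text.

```python
import re

# Dialect escapes from the table, as Python character classes. \w is spelled out
# because Python's own \w also matches underscore.
_DIALECT = {
    "w": "[A-Za-z0-9]", "W": "[^A-Za-z0-9]",            # alphanumeric / not
    "c": "[A-Za-z]",    "d": "[0-9]",                   # letter / digit (assumed)
    "s": "[ \\f\\n\\r\\t]", "S": "[^ \\f\\n\\r\\t]",    # space / not space
    "p": "[ -/:-@\\[-_{-~]", "P": "[^ -/:-@\\[-_{-~]",  # space or field delimiter / not
}


def translate(expr):
    """Return (python_pattern, re_flags) for one concept expression."""
    out, flags, in_class, i = [], 0, False, 0
    while i < len(expr):
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr):
            nxt = expr[i + 1]
            if nxt == "i":
                flags |= re.IGNORECASE            # \i: case sensitivity off
            elif nxt == "I":
                pass                              # \I: case sensitivity on (the default)
            elif nxt in _DIALECT:
                repl = _DIALECT[nxt]
                if in_class:                      # nested in [...]: merge into the outer set
                    if repl.startswith("[^"):
                        raise ValueError(f"\\{nxt} cannot be used inside a character set")
                    repl = repl[1:-1]
                out.append(repl)
            else:
                out.append(ch + nxt)              # other escapes pass through unchanged
            i += 2
            continue
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        out.append(ch)
        i += 1
    return "".join(out), flags


def find_concept(text, expressions, within_bytes=None):
    """Spans where any of the concept's expressions match. With within_bytes set,
    only the first within_bytes of the object are searched (step 8 above)."""
    scope = text if within_bytes is None else text[:within_bytes]
    spans = []
    for expr in expressions:
        pattern, flags = translate(expr)
        spans.extend(m.span() for m in re.finditer(pattern, scope, flags))
    return sorted(spans)


def _gap(a, b):
    """Bytes between two spans; 0 when they touch or overlap."""
    return max(0, max(a[0], b[0]) - min(a[1], b[1]))


def within_distance(text, concept_a, concept_b, max_bytes):
    """Proximity condition (step 9 above): a concept_a hit lies within max_bytes of a concept_b hit."""
    hits_a = find_concept(text, concept_a)
    hits_b = find_concept(text, concept_b)
    return any(_gap(a, b) <= max_bytes for a in hits_a for b in hits_b)


# Constructed sample concepts written in the dialect, and a constructed captured
# object; the card-like number is a made-up digit string, not a real account.
PART_NUMBER = [r"PN-\d\d\d\d\d\d"]
VISA_LIKE = [r"4\d\d\d\p\d\d\d\d\p\d\d\d\d\p\d\d\d\d"]
SAMPLE = "Order ref PN-482913 ships after card 4000 1234 5678 9010 clears."

if __name__ == "__main__":
    print(translate(VISA_LIKE[0]))
    print("part numbers:", find_concept(SAMPLE, PART_NUMBER))
    print("part number within 1000 bytes of a Visa-like number:",
          within_distance(SAMPLE, PART_NUMBER, VISA_LIKE, 1000))
```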
5. Enter the hostname as it will be found in the header.
6. Save.
7. Verify that the new concept is added to your list of user-defined concepts.
Now you can use the concept in a search or rule so you can stay on top of the problem on a daily basis, if needed. You may want to combine this concept with a search for office documents to capture the content that is being posted.
Example
1. Go to Capture > Advanced Search.
2. Select Content > Element > Concept.
3.
Now you can add a new element to use your BLOGPOST search in combination with a query for Microsoft Word documents that may be going to the Deadspin website.
4. Add an element by clicking on the green plus sign.
5. Select Content Type and equals from the element menus.
6. Add a value to define the type of documents you think might be posted. You can either type in a format, or select one or more from the palette that launches from the "?".
7. Search or Save Search.
To view any incidents generated by the rule, go to Monitor and Group by Rule. When you find a matching incident, you can verify that it was returned by the BLOGPOST_DEADSPIN concept by selecting it and clicking on the Concept tab.
What are Templates?
Templates are used to save keystrokes when searching, adding rules or creating capture filters. They contain collections of elements that would otherwise have to be typed in repeatedly.
Tip: Click on the template name to see what it contains.
Create a Template
Searching or creating rules, concepts or capture filters can be tedious if you have to enter related terms repeatedly. You can save keystrokes by distilling repetitive operations into a template.
Tip: You can use a template to extend any repetitive operation.
2. Click on Templates.
3. Click on Create New Template.
4. Name and describe the template.
Important: The characters * % @ + # ? , ' " cannot be used in name fields.
5. Select a Component Type. This selection puts your template into a category so that iGuard can recognize the type of data you want to focus on.
6. Construct the elements and conditions of the template to tell iGuard what you are watching for in the subject's transmissions.
Now that your template is defined, you can pick it up from the "?" palette launched from the end of Value lines when searching, building rules or creating capture filters.
Delete a Template
1. Go to Policies > Templates.
2. Check the box of the template you want to delete.
3. Pull down the Action menu and select Delete. Alternatively, you can click on the template's Trashcan icon.
Managing the System
You can use the System tab on your inSight or iGuard to monitor the health of your systems, tune them for better performance, monitor and manage traffic, and administer users and user groups. To get started learning how to manage the system, become familiar with these core topics.
When iGuard interfaces are silent, no data is flowing through the capture ports. If this is reported repeatedly, the problem may be solved by restarting the system from System > System Monitor > More > Utilities > Restart/Shutdown.
Alert Types
Any alert type can be set up and reported to any user on a regular basis. If different types of alerts are set up to notify a user, they are combined and sent according to the alert with the highest priority.
7. Check one or more boxes from the palette to define the alert subcategory.
8. Click on the palette's Apply button.
9. Click on the Apply button on the Filter by... title bar.
Important: After you have finished using the filter, clear it so that you can get a new set of results.
10. Click on Clear All.
Set Up Alert Notification
To set up an alert notification, first check the list of available recipients at System Monitor > Alerts > Actions > View Alert Recipients.
5. Save.
6. Verify that the alert notification is added to the list of recipients that is launched.
When an alert is sent, the format of the email received depends on the type of alert sent. This message is notification of a critical alert, and it is sent as soon as the alert is received by the system.
Manage Users and User Groups
Reconnex inSight and iGuard are role-based, multiuser systems.
1. Create users and user groups.
2. Add an LDAP server (optional).
3. Create LDAP users (optional).
4. Set permissions.
User Group Design
Before creating a new user group scheme, familiarize yourself with the task and policy permissions that are the basis for assigning inSight and iGuard privileges.
These role-based user groups are supplied only as a suggested uniform framework for multiple user roles. You can redefine them, add other named groups, or ignore them.
Add a User Group
Administrator status is required to add new user groups.
1. Go to System > User Administration > Groups.
2. Pull down the Actions menu.
3. Select Create New Group.
4. The Group Information dialog box will launch.
5. Add the name and description of the new group.
6.
8. Click Add to add them to the Current Members pane.
9. Select Update.
10. Verify that the new group is added to the Groups list.
Assign Permissions
All resources available for assignment are listed under the Tasks Permissions or Policy Permissions tabs. They are assigned only through groups, so the user group design initially determines all privileges.
Note: All users inherit the permission levels of the groups to which they have been assigned.
Role-Based Multi-User Access
Role-based multi-user access allows varying levels of access to be assigned based on user roles in the organization. Each class of users, or user group, can be allocated a different set of privileges. For example, some user groups may be allowed to view only reports relating to their own operations, while others may have complete control of all of an organization's tasks and resources. Six preconfigured role-based user groups are provided as templates.
5. Click the down arrow to display the permissions list.
6. Check or clear the boxes corresponding to the permissions you want the user group to have.
7. Save.
Policy Permissions
All of the policies and rules shipped with the inSight or iGuard system are owned by administrators, who have complete privileges to manage all policies, rules, action rules, concepts, and templates. The available policies are the ERMs (Electronic Risk Modules) your organization has requested.
6. Update.
Tip: If the user doesn't fit logically into the available groups, you must add a new group.
7. Verify that the new user is added to the list that is launched.
Change Password or Profile
After your user account is set up by an administrator, you can make changes to your profile.
1. Go to System > User Administration > Users.
2. Select Details.
3. Make the needed changes in the User Information dialog box.
4. Update.
Create a Failover Account
If the link between the inSight Console and its iGuards is broken, the default failover account can be used to log in to the iGuards.
Note: The failover account is enabled by default for your convenience. If you do not want to have backdoor access from inSight to your iGuards, you can disable it by disallowing logins. If logins are not allowed and a login attempt is made, an error message is launched advising that the capability has been turned off.
2. Select the Detail link opposite your username in the navigation bar.
3. Note your Current Group Membership.
4. Go to System > User Administration > Groups.
5. Select the Detail link opposite your user group(s) in the navigation bar.
6. Select the Task or Policy Permissions tab.
7. Expand the lists of resources by clicking on the drop-down arrow.
8. Note the boxes checked indicating the privileges allocated to your group(s).
Any of the following actions may be cited on the User Audit Log page.
Recognized User Activities
1. View device list
2. Add a device
3. Edit a device
4. Delete a device
5. View statistics
6. View statistics details
7. View system logs
8. Delete system logs
9. View Alias list
10. Create Alias
11. Modify Alias
12. Delete Alias
13. View DHCP server list
14. Create DHCP server
15. Modify DHCP server
16. Update DHCP server
17. Delete DHCP server
18. View Capture filter list
19. Create Capture filter
20. Modify Capture filter
21. Update Capture filter
22. Apply Capture filter
23. Delete Capture filter
24. Restore Factory defaults
25. Show system configuration
26. Modify system configuration
27. Modify Management IP
28. Modify Wiping policy
29. View Utilities
30. View kernel version
31. View system uptime
32. View application version
33. View user audit logs
34.
50. Delete user group
51. View group permissions
52. View group task permissions
53. View group policy permissions
54. View user permissions setup
55. Update user/task permissions
56. View LDAP servers
57. Add LDAP domain
58. Modify LDAP server
59. Delete LDAP server
60. Export/Import policy rule
61. Modify info (My Info)
62. View Failover setup
63. Update Failover setup
64. Export/Import policy rule manually
65. View runtime rules on iGuard
66. View config rules on inSight
67.
85. Schedule a policy
86. De-schedule a policy
87. View export schedule search page
88. Download exported file
89. Fetch document
90. View adhoc keyword search page
91. Adhoc keyword search
92. View adhoc mail search page
93. Adhoc mail search
94. View adhoc image search page
95. Adhoc image search
96. View adhoc ip address search page
97. Adhoc ip address search
98. View create policy page
99. Create policy
100. View modify policy page
101. Modify policy
102. Delete policy
103.
120. View incident annotations
121. View incident cases
122. Modify case
123. Mark incident as read
124. Mark incident as unread
125. Mark incident as false positive
126. Mark incident for deletion
127. Delete incident / Re-Incident Delete
128. Show create dashboard views page
129. Display dashboard view
130. Delete dashboard view
131. Save dashboard view
132. Show file upload page
133. Upload file
134. Cancel file upload
135. View scheduled reports
136.
155. View risk summary
156. View network summary
157. View case summary
158. View case list
Audit Log Editing
You can edit the audit log so that you can isolate the actions you want to inspect and eliminate those that do not provide any useful information.
Note: You can keep users from deleting their own records by setting their permissions. Assigning such users to groups without administrative privileges achieves this.
keep them up-to-date.
Audit Log Filtering
If you are an inSight administrator, you will want to maintain control over the system at all times. The user logs tell you who has logged into each iGuard and when, and each action taken by the user is recorded. You can also edit the log to focus on specific user activities. For example, the user log may tell you that user Bob logged on, looked at a report, and did some searching.
Note: If you want to add more than one item, separate them with a comma (no space).
8. When you have finished filtering, Apply.
9. Review the log and repeat the action until you get the information you need.
Important: Don't forget to Clear All before creating another filter.
System Administration
Administering your system is a point-and-click operation from the System Administration dashboard. To make changes, select the Configure or the Advanced link.
5. Update.
Setup Wizard Method
1. Go to System > System Administration.
2. On the list of appliances, find the inSight or iGuard you want to configure.
3. Click on the Configure link.
4. Click on the Setup Wizard button (above the dialog box on the right-hand side).
5. Make host and network changes on the Step 2 page.
6. Click through the remaining pages with Next.
7. When you have finished making changes, click Submit.
What are Capture Filters?
There are two capture filter types. They are generally used to define significant portions of network traffic that do not need to be analyzed by the capture engine. Eliminating processing of this extraneous traffic improves iGuard's performance. Although capture filters are most often used to screen out classes of information that can obscure significant content, they are sometimes used to scan for and store critical data.
Drop Element excludes all data associated with an element. For example, your network may have a large cache of video files that you know are not a security threat because you have controlled them with configuration management software. You can set up a filter that passes over any of these secure files, saving time and resources for analyzing data at risk.
Drop Session excludes an entire session from the data stream.
This filter excludes images in BMP and GIF formats.
Ignore HTTP Gzip Responses
This filter excludes HTTP Gzip responses. This keeps the system from opening compressed files more than once.
Standard Network Capture Filters
Transport (level 3) traffic can slow iGuard's performance unnecessarily, so a set of standard network capture filters is provided to keep the capture engine from processing it.
This filter excludes Server Message Block/NETBIOS traffic.

Ignore SSH Traffic

This filter excludes Secure Shell traffic.

Ignore POP3 Traffic

This filter excludes Post Office Protocol traffic.

Ignore IMAP Traffic

This filter excludes Internet Message Access Protocol traffic.

Ignore HTTPS Traffic

This filter excludes secure HTTP traffic.

Ignore LDAP Traffic

This filter excludes Lightweight Directory Access Protocol traffic.
6. Define the protocol. In this example, you are eliminating video file types that are being transmitted via the Web.
7. Add any other qualifications, such as the size of the files, the date and time transmitted, and the source and destination of the traffic.
8. Select Save.
9. Verify that your new filter appears in the Filters List. The list is launched after you save.
10. Activate the new filter.
Create a Network Capture Filter

Designing a network capture filter requires experimentation, but taking the time to streamline the capture process can save iGuard a lot of processing time. If you create a network capture filter, your capture filter actions are limited to storing or ignoring entire sessions.

Best practice: Before creating a network capture filter, select the All Element in the Network Filter dialog box.
8. Save. The list of filters will be launched.
9. Verify that the new filter has been added to the list.
10. Reprioritize the order in which the filters will run. Remember, the Base filter must be listed last.
11. Test the filter and modify it if necessary.

Reprioritize Capture Filters

When you create a new network capture filter, it is added to the Network Filters list. However, when you put the filters to work on an iGuard, you must carefully consider the position of any new filter.
Filters that define larger amounts of traffic should be placed at or near the top of the list. For example, if you added a filter to ignore all traffic to and from ports 80 and 453, you would be ignoring all HTTP and HTTPS traffic. In such a case, you would not need individual filters like Ignore HTTP Responses or Ignore HTTP Requests.

1. Add a new network capture filter - in this case, a port filter.
2. Use the UP arrow in the Priority column to move it up to the correct position.
3. Select the filter you want to activate.
4. Verify that the filter has been added to the bottom of the list of active filters.
5. If it is a network filter, reprioritize it to run in the correct order.

Deploy Capture Filters

If you are on a standalone iGuard, when you create a capture filter you can either deploy the filter on your own machine, or check "None" to indicate that you want to deploy it later.
Modify a Capture Filter

To modify a capture filter, just click on its name and edit its properties.

Note: Default system filters cannot be modified, but they can be saved under another name and edited to create a new filter. If you try to modify a default filter, you will be prompted to save it under another name.

Delete a Capture Filter

If you are on a standalone iGuard, when you delete a capture filter you are removing it from your own machine.
Conversely, transport of large files may indicate inappropriate usage of network resources. Users may be routinely sending large video files that are unrelated to their job functions. These can be recognized by content type as well as by file size.
To identify such a problem, it would only be necessary to store the metadata indicating that large files are being transported. If the content of those files became an issue, a rule or template could be created to find them.

Add an IP Address Network Capture Filter

You can create a network capture filter for individual IP addresses, a subnet, or a range of addresses. Suppose you want iGuard to monitor outgoing email, but to ignore all incoming email.
8. Verify that the new filter is listed in the window that is launched.

CIDR

Classless Inter-Domain Routing (CIDR) notation improves the efficiency of the IPv4 addressing scheme by allowing routers to interpret addresses as if they were classful. You can use it by entering the IP address followed by its subnet mask. [IPv6 is not yet supported.]
3. Indicate the device on which you want the filter deployed. If you want to decide later, you can check None.
4. Select the capture action you want the filter to perform.
5. Select the Port Element and Condition under Protocol.

Note: When you define a port or a port range, the system will return either a source or a destination port, but not both.
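The ordering rules above (broad filters near the top, the Base filter last, narrower port filters made redundant by a broader one) and the IP address and port filter elements can be modelled in a few lines. The following is an added example written for this page, not Reconnex code. It assumes, since the guide does not say so explicitly, that filters are evaluated top to bottom with the first match deciding the action, that the Base filter matches everything left over, and that a port element matches on either the source or the destination side. The filter list, addresses and ports are constructed for illustration.

```python
"""Ordered network capture filters, modelled in Python (added example, not Reconnex code).

Assumed semantics: filters run top to bottom, first match wins, and the Base
filter listed last catches every session no other filter matched.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Session:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class NetworkFilter:
    name: str
    action: str                          # "ignore" (drop the session) or "store"
    ports: frozenset = frozenset()       # matches if source OR destination port is listed
    networks: tuple = ()                 # CIDR strings; matches if either endpoint lies inside
    base: bool = False                   # the catch-all Base filter

    def matches(self, s: Session) -> bool:
        if self.base:
            return True
        if self.ports & {s.src_port, s.dst_port}:
            return True
        return any(
            ip_address(s.src_ip) in ip_network(cidr, strict=False)
            or ip_address(s.dst_ip) in ip_network(cidr, strict=False)
            for cidr in self.networks
        )


def validate_order(filters):
    """Exactly one Base filter, and it must be the last entry in the list."""
    bases = [i for i, f in enumerate(filters) if f.base]
    if bases != [len(filters) - 1]:
        raise ValueError("exactly one Base filter is required and it must be listed last")


def decide(filters, session):
    """Return (filter name, action) of the first filter that matches the session."""
    validate_order(filters)
    for f in filters:
        if f.matches(session):
            return f.name, f.action
    raise AssertionError("unreachable: the Base filter matches everything")


def shadowed_filters(filters):
    """Port-only filters whose every port is already covered by an earlier filter.

    Such a filter can never be the first match, which is the guide's point about
    a broad port filter making the narrower HTTP filters unnecessary.
    """
    shadowed = []
    for i, f in enumerate(filters):
        if f.base or f.networks or not f.ports:
            continue
        covered = set()
        for earlier in filters[:i]:
            covered |= earlier.ports      # an earlier filter matches any of its ports outright
        if f.ports <= covered:
            shadowed.append(f.name)
    return shadowed


def example_filters():
    """Constructed filter list (assumed values): a broad web-port filter near the top,
    the narrower HTTP filter it shadows, an inbound mail subnet filter, and the Base."""
    return [
        NetworkFilter("Ignore web ports", "ignore", ports=frozenset({80, 443})),
        NetworkFilter("Ignore HTTP Requests", "ignore", ports=frozenset({80})),
        NetworkFilter("Ignore inbound mail subnet", "ignore", networks=("192.0.2.0/24",)),
        NetworkFilter("Base", "store", base=True),
    ]


if __name__ == "__main__":
    flt = example_filters()
    for s in (Session("10.1.1.5", "198.51.100.9", 51000, 443),
              Session("192.0.2.25", "10.1.1.5", 25, 52000),
              Session("10.1.1.5", "198.51.100.9", 51001, 25)):
        print(s, "->", decide(flt, s))
    print("shadowed:", shadowed_filters(flt))
```

Running it shows the HTTPS session caught by the broad port filter, the session from the 192.0.2.0/24 subnet caught by the CIDR filter, and the remaining SMTP session falling through to the Base filter; `shadowed_filters` reports "Ignore HTTP Requests" as the filter that can never fire once the broader port filter sits above it.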
10. Save.
11. Verify that the new filters are listed in the window that is launched.
12. Reprioritize the filters, if necessary.
Advanced Utilities

You can run Linux, SQL or RFS (Reconnex File System) commands in real time by going to System > System Administration > Advanced > Utilities. You can get the same information from the System Monitor > Advanced > More link.

Tip: This information is neatly summarized under the Details link at System > System Monitor.

Important: You can reboot the system from the links at the bottom of the Utilities page.
Statistic   Description
Life        Seconds since the flow was created
Stale       Seconds since the last packet in the flow arrived

Managing Memory

Network congestion is handled by buffering. Reconnex iGuard continually processes data in memory and stores each packet as it arrives at its destination. Examining the Flow Profile Reports can help you to get a detailed picture of traffic on your network.
2. Click on the name of a log to launch it.
3. Copy and paste the contents of a log into a text editor and save it, or paste it directly into an email message.

Note: Logs are especially useful for technical support. To facilitate problem resolution, you may want to generate a group of standard logs before you even contact technical support.
Managing Disk Space

The Reconnex File System (RFS) divides the iGuard disk (depending on your machine's configuration, you may have between 500 GB and 3 TB) into Capture and Non-Capture partitions. You can find out how much disk space remains on iGuard partitions by going to System > System Monitor > More or System Administration > Advanced. In the Application section, click on Show rfs_df (Reconnex File System - disk free).
WARNING: Changing a wiping policy can have unpredictable results. Before doing this, consult Reconnex Technical Support.

If none of these policies suit your purposes, or you have special needs like saving data for court cases, you will need a custom wiping policy.

Custom Wiping Policies

Three standard wiping policies fit the needs of most organizations, but a custom wiping policy can accommodate a wide variety of specialized operations.
4. On your Active Directory Server desktop, go to Start > Administrative Tools > Active Directory Users and Computers. This launches the Active Directory Users and Computers window.
5. Right-click on the domain name, reconnex.net, in the navigation bar.
6. Go to Properties > Group Policy > Default Domain Policy and select Edit.
7. Under User Configuration, click on Windows Settings > Scripts > Logon.
8. On the Scripts tab click Show Files.
9. Drag the rwl_client.
3. Add the server name or IP address.
4. Add the server port number.
5. Add the timeout interval in seconds.
6. Add the retry interval in seconds.
7. Add the loginID attribute: sAMAccountName (Security Accounts Manager account).
8. Add the login domain name.
9. Add the server password.
10. Add the Base Domain Name (dc=reconnex,dc=net).
11. Check the SSL box if appropriate.
12. Select a Scope radio button.
13. Select Update.
14.
15. To edit the settings, select Detail. The Server Information dialog box will launch. It shows that the LDAP server is now active; the Action box shows that the connection to the server can be deactivated by selecting Delete.

Add LDAP Users

The quickest way to add multiple users is to add an LDAP server and import existing user accounts. Before you add LDAP users, you should have already decided on a user group design.
You may want to narrow that query by using metacharacters combined with text. This retrieves all the users on the server whose names match the pattern you specify.
3. Select the radio buttons next to the users you want to add.
4. Select one or more groups for the new user(s) and Add.

Note: User permissions are assigned by membership in a user group. When a user's permissions have been changed by adding or removing group membership, the user has to log in again for the change to take effect. This is true for both LDAP and local users.

5. Update.
6. Verify that the user is added to the list that is launched. The list shows that the LDAP user is now active.
7.
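The LDAP server settings collected in the steps above (server, port, timeouts, loginID attribute, base DN, SSL, scope) and the wildcard user query from Add LDAP Users are put together in the following added example. It is written for this page and is not Reconnex code; it assumes the console looks users up with an RFC 4515 search filter on the loginID attribute under the base DN, that only `*` is meant as a metacharacter, and the server name, port and account names are constructed values. The point a practitioner wants checked is that text typed into the query box cannot change the structure of the filter sent to the directory (LDAP filter injection), so every special character other than the wildcard is escaped.

```python
"""LDAP server settings and a wildcard user query with RFC 4515 escaping.

Added example, not Reconnex code. Assumes the console searches the loginID
attribute under the base DN with the selected scope, honouring only '*' as a
metacharacter in the operator's text.
"""
from dataclasses import dataclass

# RFC 4515 escape sequences for characters that would otherwise alter the filter.
_ESCAPE = {"\\": r"\5c", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_SCOPES = ("base", "one", "sub")


def escape_value(text: str, allow_wildcard: bool = True) -> str:
    """Escape an assertion value; '*' is kept as a wildcard only when allowed."""
    out = []
    for ch in text:
        if ch == "*":
            out.append("*" if allow_wildcard else r"\2a")
        else:
            out.append(_ESCAPE.get(ch, ch))
    return "".join(out)


@dataclass(frozen=True)
class LdapSettings:
    server: str            # server name or IP address (constructed value below)
    port: int
    timeout_s: int
    retry_s: int
    login_attribute: str   # loginID attribute, e.g. sAMAccountName
    base_dn: str           # Base Domain Name, e.g. dc=reconnex,dc=net
    use_ssl: bool
    scope: str             # the Scope radio button: base, one or sub

    def __post_init__(self):
        if not 1 <= self.port <= 65535:
            raise ValueError("port must be 1-65535")
        if self.scope not in _SCOPES:
            raise ValueError(f"scope must be one of {_SCOPES}")
        if self.timeout_s <= 0 or self.retry_s <= 0:
            raise ValueError("timeout and retry intervals must be positive")

    def url(self) -> str:
        scheme = "ldaps" if self.use_ssl else "ldap"
        return f"{scheme}://{self.server}:{self.port}"


def user_search_filter(settings: LdapSettings, pattern: str) -> str:
    """Filter that returns users whose loginID matches the (wildcard) pattern."""
    value = escape_value(pattern)
    return f"(&(objectClass=user)({settings.login_attribute}={value}))"


def user_search(settings: LdapSettings, pattern: str) -> dict:
    """The parameters a directory client would send for the Add LDAP Users query."""
    return {
        "url": settings.url(),
        "base_dn": settings.base_dn,
        "scope": settings.scope,
        "filter": user_search_filter(settings, pattern),
        "attributes": [settings.login_attribute],
    }


def example_settings() -> LdapSettings:
    """Constructed settings; the host name is an assumption, not from the guide."""
    return LdapSettings("ad.example.net", 636, 10, 30, "sAMAccountName",
                        "dc=reconnex,dc=net", True, "sub")


if __name__ == "__main__":
    s = example_settings()
    print(user_search(s, "j*"))
    # Parentheses typed into the query box are escaped, so the filter keeps its shape.
    print(user_search_filter(s, "j*)(objectClass=*"))
```

With `j*` the filter is `(&(objectClass=user)(sAMAccountName=j*))`, which returns every user whose name starts with "j" as the guide describes; a pattern containing parentheses produces `\28` and `\29` sequences instead of new filter terms.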
Managing Devices

The inSight Console controls all other Reconnex devices on your network. This includes iGuards capturing data in motion as well as any other systems that may be finding data at rest or interacting with mail servers. After installing new appliances, they must be added to the inSight Console.

Add a Device

Before inSight can control other Reconnex devices on the network, a connection must be established. This is done by adding the device from the inSight Console.
Note: It takes a few minutes to register the device. The Registration icon shows that registration is in progress.

7. Before registration begins, a message is launched stating that all rules, policies, DHCP servers and IP aliases will be deleted from iGuard before it is registered. Confirm that you want to proceed, or cancel the process.
8. When registration is complete, the Status icon will change to green and the other columns will display data.
9.
The Utilities page will be launched.
3. Scroll down to the bottom of the page.
5. Select De-register iGuard.
6. Confirm or cancel de-registration.
7. Confirm that the de-registered iGuard has been removed from the device list.
Contact Technical Support

For troubleshooting assistance, you can contact Reconnex Technical Support by telephone or email.

Phone: (866) 940-4580 or (650) 940-1430
Email: support@reconnex.net
Customer Support Portal: www.reconnex.net/support/support_portal.php
http://www.reconnex.net/portal

Create a Technical Support Package

If you need help from Reconnex Technical Support, the fastest way to get a problem resolved is to download and send a technical support package.
Power Redundancy

To ensure redundancy on the 1650 and 3650 appliances, both power supplies must be active to share the load while operating at nominal power. Additional protection is provided if more than one wall outlet is used. Should one power supply fail, a back-up fan automatically turns on, an alarm sounds and a warning LED is illuminated. If this occurs, contact Reconnex Technical Support for a replacement unit.
Mechanical Loading

Mounting of the equipment in the rack should be such that a hazardous condition is not created due to uneven mechanical loading.

Circuit Overloading

Consideration should be given to the connection of the equipment to the supply circuit and the effect that overloading of the circuits might have on overcurrent protection and supply wiring. Appropriate consideration of equipment nameplate ratings should be used when addressing this concern.