11 security control center, Security control center – H3C Technologies H3C Intelligent Management Center User Manual

Page 942


11 Security control center

The Security Control Center (SCC) provides proactive security monitoring and management, including real-time threat monitoring, detection, and analysis, and the ability to define security policies that let operators take manual or automated actions when a security attack occurs. You can manage security attacks from a choice of two displays, where you can also access attack reports, including the attack source, destinations, and the results of actions taken to address the attacks.

IMC can detect and take proactive action on many types of security attacks, including IP Spoofing, WinNuke, SYN Flood, ICMP Flood, UDP Flood, IP Sweep, TCP Port Scan, UDP Port Scan, IPS Worm, IPS Scan, Tracert, Large ICMP, Smurf, ICMP Redirect, ICMP Unreachable, Fraggle, Source Route, Route Record, Land, Teardrop, TCP Flag, Ping of Death, Frag Flood, IP Fragment, Scan, ARP Overspeed, DHCP Server Detect, and Duplicate ARP Address.

IMC monitors many of these security threats in real time by receiving and processing Syslog events and SNMP traps sent by devices. Syslog messages are analyzed by the IMC Syslog CSU module and are then processed and displayed by both the IMC Fault module and SCC. The Syslog messages that IMC alarms on include Duplicate Addresses, ARP Overspeed, DHCP Server Detect, and IMC attack event. IMC also processes SNMP traps sent by managed devices when 1) the devices support these trap types; 2) the devices are configured to send traps to IMC; and 3) IMC is configured to receive traps from the device. The SNMP traps that SCC currently supports are Duplicate Address/ARP Overspeed/DHCP Server Detect (1.3.6.1.4.1.2011.10.4.2.8.2.6.22), IMC Alarm (1.3.6.1.4.1.2011.10.4.2.8.2.6.9) for the SYSLOG component, and SecCenter (1.3.6.1.4.1.25506.2.77.6.0 and 1.3.6.1.4.1.8763.6.0). In addition to the tabular view of security attack alarms, SCC also provides a visual display of attacks through the attack path topology map.

Once IMC has received a Syslog message or SNMP trap and generated an alarm for it, SCC displays the alarm in the Attack Alarm List. Alternatively, you can use the Realtime Attack Alarm List to view the most recent attack alarms and respond to them by initiating actions. The actions that can be taken vary by attack type, but in general there are six supported actions: 1) shut down the access port; 2) alert the administrator by email; 3) isolate the online user to a restricted network; 4) send a warning message to the online user; 5) kick the online user off; and 6) add the online user to the blacklist.

Through the use of security control policies, you can proactively manage your response to security threats and attacks. Security control policies allow you to define what actions are to be taken in response to attack alarms. A security control policy combines the identification and alarming of a security attack with an action that can be taken in response to it. The actions configured for security control policies can be executed manually, or they can be configured to run automatically upon detection of the security attack.

SCC enables you to filter alarms with matching policies; the actions defined in a security control policy are then taken only for the matching alarms. SCC predefines alarm matching policies and also supports user-defined alarm matching policies.

Lastly, SCC provides operators with summarized reporting of security attacks in the last hour. Summary reports include the Top 10 Attack Alarms Report, the Top 10 Attack Sources Report, the Top 10 Attack Destinations Report, and the Execution Results Report.
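The trap-to-alarm-to-policy flow described above, modelled as an added example that is not part of the manual or of IMC itself: it accepts only traps whose OID is one of those listed and whose sending device IMC is configured to receive from, then matches the resulting alarm against security control policies to decide which of the six actions apply and whether they run automatically or wait for an operator. The action identifiers, the sample device addresses and the unsupported OID 1.3.6.1.4.1.99999.0.1 are assumptions made for the example.

```python
# Illustrative model (added example, not IMC code) of the SCC flow described above:
# SNMP trap -> accepted alarm -> matching security control policy -> actions.

# Trap OIDs the manual lists as supported by SCC, mapped to their category.
SUPPORTED_TRAP_OIDS = {
    "1.3.6.1.4.1.2011.10.4.2.8.2.6.22": "Duplicate Address/ARP Overspeed/DHCP Server Detect",
    "1.3.6.1.4.1.2011.10.4.2.8.2.6.9": "IMC Alarm (SYSLOG component)",
    "1.3.6.1.4.1.25506.2.77.6.0": "SecCenter",
    "1.3.6.1.4.1.8763.6.0": "SecCenter",
}
# The six actions the manual names; these identifiers are assumed, not IMC's own.
ACTIONS = ("shutdown_port", "email_admin", "isolate_user", "warn_user", "kick_user", "blacklist_user")

def trap_to_alarm(trap, receive_from):
    """A trap is (device, trap OID, attack type, destination). Returns an alarm dict, or None
    when IMC is not configured to receive from the device or the OID is not one SCC supports."""
    device, oid, attack, destination = trap
    if device not in receive_from or oid not in SUPPORTED_TRAP_OIDS:
        return None
    return {"source": device, "attack": attack, "category": SUPPORTED_TRAP_OIDS[oid], "destination": destination}

def decide(alarm, policies):
    """A security control policy is (attack types it matches, actions to take, automatic?).
    Returns (actions, mode) from the first policy whose matching rule covers the alarm."""
    for attack_types, actions, automatic in policies:
        if alarm["attack"] in attack_types and set(actions) <= set(ACTIONS):
            return actions, "automatic" if automatic else "manual"
    return (), "no matching policy"

def process(traps, policies, receive_from):
    """Run each trap through the pipeline; rejected traps produce no alarm and no action."""
    results = []
    for t in traps:
        alarm = trap_to_alarm(t, receive_from)
        if alarm is not None:
            actions, mode = decide(alarm, policies)
            results.append((alarm["attack"], alarm["destination"], actions, mode))
    return results

# Constructed sample input: the addresses and the OID 1.3.6.1.4.1.99999.0.1 are made up.
SAMPLE_TRAPS = [
    ("10.0.0.1", "1.3.6.1.4.1.2011.10.4.2.8.2.6.22", "ARP Overspeed", "10.0.0.2"),
    ("10.0.0.1", "1.3.6.1.4.1.25506.2.77.6.0", "SYN Flood", "10.0.0.3"),
    ("10.0.0.9", "1.3.6.1.4.1.2011.10.4.2.8.2.6.22", "DHCP Server Detect", None),  # IMC not receiving from it
    ("10.0.0.1", "1.3.6.1.4.1.99999.0.1", "Unknown", None),  # OID not supported by SCC
]
SAMPLE_POLICIES = [
    (frozenset({"ARP Overspeed", "Duplicate ARP Address"}), ("shutdown_port", "email_admin"), True),
    (frozenset({"SYN Flood"}), ("email_admin",), False),
]
RECEIVE_FROM = {"10.0.0.1"}  # IMC configured to receive traps only from this device
```

Running `process(SAMPLE_TRAPS, SAMPLE_POLICIES, RECEIVE_FROM)` yields only the two accepted alarms, one with automatic actions and one left for manual execution; the trap from the unconfigured device and the trap with an unsupported OID never become alarms.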
