DESCRIPTION OF MONITORED AND MANAGED FIREWALL AND IDS SECURITY SERVICES

HIGHLIGHTS

CNI BASIC MONITORED FIREWALL AND NETWORK BASED IDS (NIDS) SERVICES: CNI offers security monitoring per device, as follows:

  1. Standard Features:
    1. Semi-annual Internet perimeter penetration tests performed against up to 10 hosts, network appliances or firewalls located at the customer's monitored facility. All testing will be performed offsite.
    2. This monitoring service is available for customers with T1 or less access to the Internet.
    3. Network based IDS monitoring and security support available 24x7x365 as described in Section “c” below.
    4. 4.5 GB of online log data storage, based on an average daily Throughput Capacity of 50 MB of log data per day, measured over a Ninety (90) day period.
  2. Security Monitoring: CNI shall use reasonable commercial efforts to perform the following:
    1. Scan critical, security relevant firewall log data for known attack profiles
    2. Scan critical, security relevant IDS alert data for known attack profiles
    3. Provide analysis of Critical and Emergency security events on a 24x7x365 basis
    4. Correlate security data from other security devices of Client monitored by CNI
    5. Provide notification of Critical security events within 15 minutes.
    6. Provide second tier analysis support to designated POCs on commented Critical and Emergency events
  3. Reporting: CNI shall provide Client with monthly (some also available weekly) reports that include:
    1. Summary of trouble tickets
    2. Internet Router T1 performance data and availability (if client manages their Internet router or if the ISP will allow SNMP management of their router).
    3. Details of Critical and Emergency level malicious activity directed at the Client site
    4. Analysis and interpretation of Critical and Emergency security events
    5. Attack type totals by source and destination IP addresses (also available in weekly summary)
    6. Attack level totals by source and destination IP addresses (also available in weekly summary)
    7. Attack source totals by IP address (also available in weekly summary)
    8. Attack destinations by IP address (also available in weekly summary)
    9. Suspect Firewall SYSLOG Log pattern analysis.
    10. Accepted and denied requests broken down by source and destination IP / PORT pairs
    11. TCP/IP Protocol reports broken down by source and destination IP address.
    12. Real-time reporting for Firewall SYSLOG data:
      1. Accepted and denied requests broken down by source and destination IP / PORT pairs
      2. Protocol reports broken down by source and destination IP address.


CNI BASIC MONITORED & MANAGED FIREWALL AND NETWORK BASED IDS (NIDS) SERVICES: CNI offers the following service packages per device:

  1. Standard Features:
    1. Semi-annual Internet perimeter penetration tests performed against up to 10 hosts, network appliances or firewalls located at the customer's monitored facility. All testing will be performed offsite.
    2. This monitoring and management service is available for customers with T1 or less access to the Internet.
    3. Premium Network based IDS monitoring and security support available 24x7x365 as described in Section “c” below
    4. Does NOT include VPN configurations for Client or site to site VPN configurations. These require the client to use a dedicated VPN Concentrator or some other device than the Managed Firewall discussed in this document.
    5. 4.5 GB of online log data storage, based on an average daily Throughput Capacity of 50 MB of log data per day, measured over a Ninety (90) day period.
    6. Configuration management and security support will be available 24x7x365.
    7. Notification to POC within 15 minutes of SOC declaring a Critical event based on Firewall and IDS alarms.
    8. Firewall updates recommended by Vendor due to Security Advisories and bi-monthly (if available) IDS Signature file updates will be completed.
    9. Remedial actions to defend against a Critical event will be taken within 4 hours of the Critical event notification. Corrective firewall changes recommended by SOC will be considered a security risk and will not be completed without the approval of the primary or secondary customer contact.
    10. The customer may request up to 10 emergency changes per year.
    11. Customer requests for Firewall rule changes will be completed on a best effort basis but no later than the end of the next business day. There will be allowance for up to 25 policy changes per year. SOC will be flexible and make changes immediately if possible.
    12. There will be an allowance for up to 16 hours of onsite time at the customer’s facility, per year, by a Sr. Security Engineer from the SOC. This time will be scheduled and used at the SOC’s discretion. The SOC will use this time, if required, at the customer site, to support the routine maintenance of the managed IDS and Firewalls or to react to critical events for which the SOC deems an onsite engineer is needed to assist in troubleshooting the incident. Any onsite visit required for any reason after normal working hours (8 AM – 5 PM EDT, holidays or weekends) will consume these hours at the rate of 150% of normal working hours (4 hours actual will equal 6 hours consumed). There will be a 4-hour onsite minimum for any onsite visit. Hours exceeding these 16 onsite hours will be considered additional hours outside the terms of this contract and billable to the client at the prevailing SOC hourly rate.
    13. There will also be an allowance for 2 days of onsite time at the customer’s facility, per year, by a Sr. Security Engineer from the SOC to discuss security technology planning, design or implementation. This time will be scheduled at a mutually convenient time for the customer and the SOC. The engineer will be available for additional consulting at the prevailing SOC hourly rate.
    14. Firewall (Cisco, Checkpoint and Netscreen only) SYSLOG data will be stored for 3 months and will be available for reporting to the customer through Internet Explorer browser in a read only mode real time.
  2. Security Monitoring: CNI shall use reasonable commercial efforts to perform the following:
    1. Scan critical, security relevant firewall log data for known attack profiles
    2. Scan critical, security relevant IDS alert data for known attack profiles
    3. Provide analysis of Critical and Emergency security events on a 24x7x365 basis
    4. Correlate security data from other security devices of Client monitored by CNI
    5. Provide notification of Critical security events within 15 minutes.
    6. Provide second tier analysis support to designated POCs on commented Critical and Emergency events
  3. Reporting: CNI shall provide the Client with monthly (some also available weekly) reports that include:
    1. Summary of configuration and trouble tickets
    2. Internet Router T1 performance data and availability
    3. Details of Critical and Emergency level malicious activity directed at the Client site
    4. Analysis and interpretation of Critical and Emergency security events
    5. Attack type totals by source and destination IP addresses (also available in weekly summary)
    6. Attack level totals by source and destination IP addresses (also available in weekly summary)
    7. Attack source totals by IP address (also available in weekly summary)
    8. Attack destinations by IP address (also available in weekly summary)
    9. Suspect Firewall SYSLOG Log pattern analysis.
    10. Accepted and denied requests broken down by source and destination IP / PORT pairs
    11. TCP/IP Protocol reports broken down by source and destination IP address.
    12. Real-time reporting for Firewall SYSLOG data:
      1. Accepted and denied requests broken down by source and destination IP / PORT pairs
      2. Protocol reports broken down by source and destination IP address.

CNI INTRUSION DETECTION SERVICES – HOST BASED IDS
CNI BASIC MONITORED HOST-BASED IDS (HIDS) SERVICES: CNI offers security monitoring per device, as follows:

  1. Standard Features:
    1. Standard host-based IDS monitoring and security support available 24x7x365 as described in Section “c” below
    2. 1 GB of online log data storage, based on an average daily Throughput Capacity of 11 MB of log data per day, measured over a thirty (30) day period
  2. Security Monitoring: CNI shall use reasonable commercial efforts to perform the following:
    1. Scan critical, security relevant IDS alert data for known attack profiles
    2. Provide analysis of Critical and Emergency security events on a 24x7x365 basis
    3. Correlate security data from other security devices of Client monitored by CNI
    4. Provide notification of Critical security events within 15 minutes.
    5. Provide second tier analysis support to designated POCs on commented Critical and Emergency events
  3. Reporting: CNI provides Clients with monthly reports that include:
    1. Status of changes, upgrades, patches and other related system maintenance to the IDS management console
    2. Details of malicious activity directed at the Client’s site
    3. Analysis and interpretation of critical events

CNI OPTIONAL SERVICES for an additional fee (requires the Basic Managed and Monitored Firewall and IDS Service)

  1. Manage and monitor the Internet Routers and any perimeter network devices (routers and switches). Complete OS upgrades as recommended by hardware manufacturer, to address any security vulnerabilities. Customer must purchase Vendor’s highest level of hardware and software support available.
  2. Provide a 2-year SYSLOG archiving service for all managed Firewalls, IDS, Internet router or Switch. Customer may access SYSLOG data real time for the entire 2-year period.

CNI Corporate Networking Inc. – In Partnership with Nortel Networks

2960 Skippack Pike • Worcester, PA 19490 • (610) 584-8040 Office