How do we monitor our networks?
We use a range of systems to monitor our internal office networks and our data centre networks. Firstly, we use enterprise-grade firewalls to protect our networks and inspect the traffic that flows in and out. This is our greatest protector, blocking all but the essential traffic from reaching our systems. Currently, we only have 3 ports open on our network: 80, 443 and 8000. Port 80 is only open to accept incoming connections, which are then transferred to 443 for the remainder of the communication. Port 8000 is only used by one of our legacy systems and is also encrypted. It will be deprecated in the near future to aid connectivity for some of our customers.
Inside our networks, we run a system called Pulseway. This product enables us to monitor, be notified and interact with our systems remotely. It gives us great flexibility in dealing with issues quickly and efficiently and also alerts us when someone logs onto our systems. We also get notifications of updates that are available on our servers and the ability to install these remotely. It is a key tool that is world class in its ability to help technicians maintain their systems and be alerted to problems before they impact on service.
To help detect intruders and attackers, we use a system called Alienvault. This appliance sits on our networks, monitors the logs from all of our machines and alerts us to any unusual activity. It is particularly sensitive and does throw false positives, which we investigate and rectify where possible. Alienvault also completes regular vulnerability scans of internal systems to check for known vulnerabilities, including weak ciphers, out-of-date SSL certificates and servers running out-of-date software. It is crucial in allowing us to keep our systems secure and up to date. We can retrieve reports from Alienvault ad hoc to help us understand better where our risks are.
For our main web servers, we use a system called Graylog to collect all of our event log data and aggregate it into easy-to-read tables and charts. It serves 2 purposes. One is from a performance viewpoint, helping us understand peak-time system usage and predict how our system should grow ahead of any slow-downs. It also shows us how our systems are being probed externally by attackers scanning for weaknesses in our software, and where these requests come from. Any IP addresses that are particularly heavy on scanning we block permanently. These mostly come from international locations. The reason our software holds up well against this type of scanning and attack is that it is custom-built software and not built on an existing open source product. Systems like this have the disadvantage of having their code freely available, which allows attackers to reverse engineer it and discover vulnerabilities more easily. There is also the chance that a heavily modified open source offering cannot be updated in the same way as the original, as doing so would cause the system to become unstable or even unusable. In this instance, the system needs to be manually patched, which can lead to delays and extended periods of time during which a vulnerability is open to attack.
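As an added illustration of the "heavy scanner" idea described above (example code written for this page, not part of Graylog or of our own tooling): the snippet parses constructed web-server access-log lines in the common Apache/nginx format and flags source IPs that rack up many 404 responses across many distinct paths, which is the signature of someone sweeping for known applications rather than a visitor mistyping one URL. The log lines and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2024:09:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2024:09:00:02 +0000] "GET /.env HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2024:09:00:03 +0000] "GET /admin/config.php HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2024:09:00:03 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153
198.51.100.22 - - [10/Mar/2024:09:00:05 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.22 - - [10/Mar/2024:09:00:06 +0000] "GET /static/app.css HTTP/1.1" 200 880
198.51.100.22 - - [10/Mar/2024:09:00:09 +0000] "GET /missing-page HTTP/1.1" 404 153
192.0.2.44 - - [10/Mar/2024:09:01:00 +0000] "GET /login HTTP/1.1" 200 2048
192.0.2.44 - - [10/Mar/2024:09:01:04 +0000] "POST /login HTTP/1.1" 200 512
"""

# ip, ident, user, [timestamp], "METHOD path protocol", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+$'
)


def parse_lines(text):
    """Yield (ip, path, status) for every line that matches the log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path"), int(m.group("status"))


def heavy_scanners(text, min_404=4, min_distinct_paths=3):
    """Return IPs whose 404 volume and path spread look like scanning.

    A normal visitor rarely produces several 404s on several different paths;
    a probe sweeping for known software does exactly that. Thresholds are
    constructed for this example and should be tuned against real traffic.
    """
    not_found_count = defaultdict(int)
    not_found_paths = defaultdict(set)
    for ip, path, status in parse_lines(text):
        if status == 404:
            not_found_count[ip] += 1
            not_found_paths[ip].add(path)
    return sorted(ip for ip in not_found_count
                  if not_found_count[ip] >= min_404
                  and len(not_found_paths[ip]) >= min_distinct_paths)
```

The returned list is a set of block candidates for review; the single 404 from 198.51.100.22 stays below the thresholds, which is the point of requiring both volume and path spread.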
These are just some of the systems that we use to help us keep your data, and our own, safe.