H3C Intelligent Management Center User Manual (H3C Technologies)
11 Security control center
The Security Control Center (SCC) provides proactive security monitoring and management, including
real-time threat monitoring, detection, and analysis, and the ability to define security control policies
that let operators take manual or automated actions when a security attack occurs. You can manage
security attacks from either of two displays, the Attack Alarm List and the Realtime Attack Alarm List,
and from there access attack reports covering attack sources, destinations, and the results of the actions
taken in response.
IMC can detect and take proactive action on many types of security attacks, including IP Spoofing,
WinNuke, SYN Flood, ICMP Flood, UDP Flood, IP Sweep, TCP Port Scan, UDP Port Scan, IPS Worm, IPS
Scan, Tracert, Large ICMP, Smurf, ICMP Redirect, ICMP Unreachable, Fraggle, Source Route, Route
Record, Land, Teardrop, TCP Flag, Ping of Death, Frag Flood, IP Fragment, Scan, ARP Overspeed, DHCP
Server Detect, and Duplicate ARP Address.
IMC monitors many of these security threats in real time by receiving and processing Syslog events and
SNMP traps sent by devices. Syslog messages are analyzed by the IMC Syslog CSU module and are then
processed and displayed by both the IMC Fault module and SCC. The Syslog messages that IMC alarms on
include Duplicate Address, ARP Overspeed, DHCP Server Detect, and IMC attack events. IMC also
processes SNMP traps sent by managed devices when 1) the devices support these trap types, 2) the
devices are configured to send traps to IMC, and 3) IMC is configured to receive traps from the device. The
SNMP traps that SCC currently supports are Duplicate Address/ARP Overspeed/DHCP Server
Detect (1.3.6.1.4.1.2011.10.4.2.8.2.6.22), IMC Alarm (1.3.6.1.4.1.2011.10.4.2.8.2.6.9) from the SYSLOG
component, and SecCenter (1.3.6.1.4.1.25506.2.77.6.0 and 1.3.6.1.4.1.8763.6.0). In addition to the
tabular view of security attack alarms, SCC provides a visual display of attacks through the attack path
topology map.
Once IMC has received a Syslog message or SNMP trap and generated an alarm for it, SCC displays
the alarm in the Attack Alarm List. Alternatively, the Realtime Attack Alarm List shows the most recent
attack alarms and lets you respond to them by initiating actions. The actions available vary by attack
type, but in general six actions are supported: 1) shut down the access port; 2) alert the administrator by
email; 3) isolate the online user in a restricted network; 4) send a warning message to the online user;
5) kick the online user off; and 6) add the online user to the blacklist.
Security control policies let you manage your response to security threats and attacks proactively. A
security control policy defines which actions are taken in response to attack alarms: it combines the
identification and alarming of a security attack with an action to be taken in response. The actions
configured in a security control policy can be executed manually, or they can be configured to run
automatically when the security attack is detected. Because automatic actions are driven by received
Syslog messages and SNMP traps, which carry no authentication when sent as plain UDP syslog or
SNMPv1/v2c traps, consider which devices can reach the IMC syslog and trap receivers before enabling
automatic port shutdown or blacklisting.
SCC lets you filter alarms with alarm matching policies, so that the actions defined in a security control
policy are taken only for the alarms that match. SCC provides predefined alarm matching policies and
also supports user-defined ones.
Lastly, SCC provides operators with summary reports of the security attacks seen in the last hour: the
Top 10 Attack Alarms Report, the Top 10 Attack Sources Report, the Top 10 Attack Destinations Report,
and the Execution Results Report.
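The following is an added example, not IMC code, that models the workflow described in the policy and reporting paragraphs above: attack alarms are matched against policies, automatic policies fire on detection while manual ones wait for an operator, each action's execution result is recorded, and the four hourly summaries are computed over the alarms of the last hour. The `key=value` event line format, the policy names, the `ACCESS_PORTS`/`ONLINE_USERS` inventory and the `simulated_executor` stand-in for device and user-management calls are all constructed for illustration.

```python
"""Hypothetical model of SCC-style alarm matching, actions and hourly reports.
Added example; not IMC code. All formats, names and sample data are constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional

# The six response actions the manual lists.
SHUTDOWN_PORT = "shut down access port"
EMAIL_ADMIN = "alert administrator by email"
ISOLATE_USER = "isolate user in restricted network"
WARN_USER = "send warning message to user"
KICK_USER = "kick user off"
BLACKLIST_USER = "add user to blacklist"


@dataclass(frozen=True)
class AttackAlarm:
    time: datetime
    attack: str          # attack type, e.g. "SYN Flood", "TCP Port Scan"
    source: str
    destination: str


@dataclass(frozen=True)
class Policy:
    """Alarm matching policy: which alarms it applies to and how to respond."""
    name: str
    attacks: frozenset                   # attack types this policy matches
    actions: tuple                       # actions, in execution order
    automatic: bool = False              # True: run on detection; False: operator-triggered
    source_prefix: Optional[str] = None  # optional filter on the attack source address

    def matches(self, alarm: AttackAlarm) -> bool:
        if alarm.attack not in self.attacks:
            return False
        return self.source_prefix is None or alarm.source.startswith(self.source_prefix)


def parse_event(line: str) -> AttackAlarm:
    """Parse one constructed '<iso-time> attack=..;src=..;dst=..' line (hypothetical format)."""
    ts, _, rest = line.partition(" ")
    fields = dict(item.split("=", 1) for item in rest.split(";"))
    return AttackAlarm(datetime.fromisoformat(ts), fields["attack"], fields["src"], fields["dst"])


def plan_actions(alarm: AttackAlarm, policies, operator_triggered: bool = False):
    """Actions due now as (policy, action) pairs: automatic policies fire on detection,
    manual policies only when an operator initiates the response from the alarm list."""
    return [(p.name, a) for p in policies
            if p.matches(alarm) and (p.automatic or operator_triggered)
            for a in p.actions]


def execute(alarm: AttackAlarm, plan, executor: Callable[[str, AttackAlarm], bool]):
    """Run the planned actions and record each result for the Execution Results report."""
    return [(policy, action, "success" if executor(action, alarm) else "failure")
            for policy, action in plan]


def top_n(alarms, key, now: datetime, n: int = 10, window=timedelta(hours=1)):
    """Top-N counts over the alarms raised in the last `window` ending at `now`."""
    recent = [a for a in alarms if now - window <= a.time <= now]
    return Counter(key(a) for a in recent).most_common(n)


# Constructed inventory consulted by the simulated executor (hypothetical).
ACCESS_PORTS = {"10.1.1.5": "GigabitEthernet1/0/5"}
ONLINE_USERS = {"10.1.1.5": "alice", "10.2.0.9": "bob"}


def simulated_executor(action: str, alarm: AttackAlarm) -> bool:
    """Stand-in for device/user-management calls: an action succeeds only when the
    inventory needed for it (access port or online user) is known for the source."""
    if action == EMAIL_ADMIN:
        return True
    if action == SHUTDOWN_PORT:
        return alarm.source in ACCESS_PORTS
    return alarm.source in ONLINE_USERS


# Constructed sample events; the last one is older than the one-hour report window.
SAMPLE_LINES = [
    "2024-05-01T10:05:00 attack=SYN Flood;src=10.1.1.5;dst=192.0.2.10",
    "2024-05-01T10:20:00 attack=TCP Port Scan;src=10.1.1.5;dst=192.0.2.11",
    "2024-05-01T10:40:00 attack=SYN Flood;src=10.1.1.5;dst=192.0.2.10",
    "2024-05-01T10:50:00 attack=DHCP Server Detect;src=10.2.0.9;dst=10.2.0.1",
    "2024-05-01T08:30:00 attack=UDP Flood;src=10.3.3.3;dst=192.0.2.10",
]

POLICIES = [
    Policy("flood-auto", frozenset({"SYN Flood", "UDP Flood", "ICMP Flood"}),
           (SHUTDOWN_PORT, EMAIL_ADMIN), automatic=True),
    Policy("scan-manual", frozenset({"TCP Port Scan", "UDP Port Scan"}),
           (WARN_USER, ISOLATE_USER), automatic=False, source_prefix="10.1."),
    Policy("rogue-dhcp", frozenset({"DHCP Server Detect"}),
           (SHUTDOWN_PORT, BLACKLIST_USER), automatic=True),
]


def run_demo(now: datetime = datetime(2024, 5, 1, 11, 0)):
    """Process the sample events with automatic policies, then build the hourly reports."""
    alarms = [parse_event(line) for line in SAMPLE_LINES]
    results = {a.time.isoformat(): execute(a, plan_actions(a, POLICIES), simulated_executor)
               for a in alarms}
    return {
        "results": results,                                   # Execution Results report
        "manual_plan": plan_actions(alarms[1], POLICIES, operator_triggered=True),
        "top_attacks": top_n(alarms, lambda a: a.attack, now),
        "top_sources": top_n(alarms, lambda a: a.source, now),
        "top_destinations": top_n(alarms, lambda a: a.destination, now),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The port scan from 10.1.1.5 matches `scan-manual` but produces no automatic action; its plan appears only when an operator triggers it. The rogue DHCP alarm shows a mixed execution result: the port shutdown fails because no access port is known for 10.2.0.9, while the blacklist action succeeds because that address maps to an online user. The 08:30 UDP Flood is acted on when it arrives but is excluded from the last-hour top-10 reports.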