JSA Risk Manager Feature Overview

Connections

Use the Connections feature to monitor the network connections of your local hosts. The connection graph provides a visual representation of the connections in your network. Use the time-series charts to access, navigate, and investigate connections from various views and perspectives. Run queries and reports on the network connections of your local hosts that are based on applications, ports, protocols, and websites that the local hosts can communicate with.

Configuration Monitor

Use the configuration monitor to review and compare device configurations, and to manage security policies and to monitor device modifications within your network. Device configurations might include switches, routers, firewalls, and IPS devices in your network. For each device, you can view device configuration history, interfaces, and rules.

You can also compare configurations within a device and across devices, which you can use to identify inconsistencies and configuration changes that introduce risk in your network.

Topology

The topology is a graphical representation that depicts the physical infrastructure and connectivity of your layer 3 network topology. The topology is drawn form configuration information that is imported from devices in your network by using configuration source management.

The graph is created from detailed configuration information that is obtained from network devices, such as firewalls, routers, switches, and intrusion prevention systems (IPS).

Use the interactive graph in the topology to view connections between devices. A topology path search can determine how your network devices are communicating and the network path that they use to communicate. Path searching allows JSA Risk Manager to display the path between a source and destination, along with the ports, protocols, and rules.

Policy Monitor

Use the policy monitor to define specific questions about risk in your network and then submit the question to JSA Risk Manager.

JSA Risk Manager evaluates the parameters that you define in your question and returns assets in your network to help you assess risk. The questions are based on a series of tests that can be combined and configured as required. JSA Risk Manager provides many predefined policy monitor questions, and you can create your own custom questions. Policy monitor questions can be created for the following situations:

• Communications that occur
• Possible communications based on the configuration of firewalls and routers
• Actual firewall rules (device tests)

The policy monitor uses data from configuration data, network activity data, network and security events, and vulnerability scan data to determine the appropriate response. JSA Risk Manager provides policy templates to help you determine risk across multiple regulatory mandates and information security best practices, such as PCI, HIPPA, and ISO 27001. You can update the templates to align with your corporate defined information security policies. When the response is complete, you can accept the response to the question and define how you want the system to respond to unaccepted results.

You can actively monitor an unlimited number of questions in policy monitor. When a question is monitored, JSA Risk Manager continuously evaluates the question for unapproved results. When unapproved results are discovered, JSA Risk Manager can be configured to send email notifications, display notifications, generate a syslog event or create an offense in JSA.

Policy Management

You use the JSA Risk Manager policy management pages to view details about policy compliance and policy risk changes for assets, policies, and policy checks.

The JSA Risk Manager policy management pages display data from the last run policy. You can filter the data by asset, by policy, or by policy check.

Simulation

Use simulations to create network simulations.

You can create a simulated attack on your topology based on a series of parameters that are configured in a similar manner to the policy monitor. You can create a simulated attack on your current network topology, or create a topology model.

Simulate an attack by using a topology model where you can make network changes without impacting a live network.

You can simulate how changes to network rules, ports, protocols, or allowed or denied connections can affect your network. Use the simulation feature to determine the risk impact of proposed changes to your network configuration before you implement these changes.

You can review the results when a simulation is complete.

JSA Risk Manager allows up to 10 simulations to be actively monitored. When a simulation is monitored, JSA Risk Manager continuously analyzes the topology for unapproved results. As unapproved results are discovered, JSA Risk Manager can send email, display notifications, generate a syslog event or create an offense in JSA.

Configuration Source Management

Configure Configuration Source Management to get device configuration information from the devices in your network, which give JSA Risk Manager the data it needs to manage risk in your network. You use the configuration information that is collected from your network devices to generate the topology for your network configuration.

Reports

Use the Reports tab to create specific reports, based on data available in JSA Risk Manager, such as connections, device rules, and device unused objects.

Unsupported features in JSA Risk Manager

It is important to be aware of the features that are not supported by JSA Risk Manager but are available in the JSA Console.

The following features are not supported by JSA Risk Manager:

• High availability (HA)
• Dynamic Routing for Border Gateway Protocol (BGP)
• Non-contiguous network masks
• Load-balanced routes