Summary
Activeworx Security Center 3.5


Pros: Good monitoring of syslog and Windows event log events; good variety of reports and graphs; very flexible and powerful for the price; rule-triggered event monitoring
Cons: Setup and management can be tedious; UI is occasionally confusing
Rating: 4 out of 5 stars
Price: Begins at $2495 per site
Recommendation: Recommended for medium-sized businesses that need to monitor a large number of network devices, particularly if compliance reporting is required.
Contact: CrossTec Corporation * 800-675-0729 * http://www.crossteccorp.com

Small-to-midsized businesses (SMBs) are rarely small when it comes to the number of network systems they require to keep the business running. Workstations, servers, firewalls, routers, and an ever-growing array of other network products are necessary, and someone has to monitor them all. Because of varying management protocols and log formats, keeping track of all these devices is no small task, especially for maxed-out IT staff. CrossTec Corporation's Activeworx Security Center 3.5 helps lighten the load by monitoring security-related events for a wide array of devices from a single console.

Activeworx Security Center (ASC) has a steep learning curve for administrators new to SNMP, syslog, Windows Management Instrumentation (WMI), Snort, and the other monitoring methods and protocols the product targets. Installation is fairly straightforward, but the UI is a little confusing, and you need to perform a lot of post-installation configuration on monitored devices to collect syslog and SNMP data. ASC collects WMI data from Windows systems without requiring the installation of client components, which is a benefit. SNMP, syslog, WMI, and other device-management protocols can be used for a wide array of management and monitoring tasks. However, ASC's focus is on monitoring security-related events for these devices, rather than on general network management such as HP's OpenView or IBM's Tivoli products perform.

With ASC, I configured monitored syslog facilities on a handful of Linux systems, SNMP data on a Cisco Ethernet switch, and WMI events on Windows XP and Windows Server 2003 systems. Security Center collectors gather events and store them together in the Event Framework database to allow comprehensive event reporting from these disparate systems.

An illustrated Quick Start guide and an Evaluator's Guide are included with the software. Although it's a good starting point, the Quick Start guide includes instructions only for using MySQL as the application database. Microsoft SQL Server is supported but not documented. The Evaluator's Guide helps users learn how to configure ASC components such as the collectors, which gather event information, and the databases, which store collected event information. As with the Quick Start guide, the Evaluator's Guide helps with the basics of the software but doesn't cover advanced topics thoroughly. In most cases, I found it easier either to dive into the ASC desktop application to learn how to do something through trial and error or to use the more complete online Help that's included with the ASC desktop application.

You manage ASC through the desktop application. Security for the desktop application is controlled by the database you configured during setup. If you use Active Directory (AD), logins and permissions will integrate with AD only if you configure SQL Server with Windows authentication as the database server. The desktop application itself is well laid out. The customizable dashboard, which Figure 1 shows, gives a graphical overview of the ASC configuration, including which devices are defined and where they send logging information.

Devices, device groups, and rules for event handling are managed in the Resources section of the desktop. There is no autodiscovery for devices; each device, called an Asset, must be created manually, as must device groups and rules. You can create, manage, and schedule tasks such as automatically generating reports or gathering event data from devices at timed intervals in the Task Manager and Task Scheduler sections of the desktop application. The desktop interface is quirky occasionally; I was able to select table columns in a few places where only table rows should have been selectable, but I quickly learned my way around.

The Report Center in the desktop application has more than 200 preconfigured reports that target the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley (SOX) Act, the Gramm-Leach-Bliley (GLB) Act, and other compliance regulations. A new feature in version 3.5 is the ability to use Crosstec's proprietary report generator rather than Crystal Reports, which provided the foundation for reporting in previous versions of ASC.

You can create rules for event handling and alerting in the desktop application. A drag-and-drop interface helps you design the rules, and some basic knowledge of flowcharting will go a long way toward helping you successfully create rules to handle events. For example, you can design a rule that will cause an alert that Snort raises to trigger ASC to gather security information about critical servers to help you determine whether an intruder is attacking a specific server.

Support for ASC is available through CrossTec's Web site or by phone. I found that I didn't need technical support for the application but greatly benefited by refreshing my memory on the workings of syslog and SNMP, in particular. ASC fills a unique niche for those organizations that need more robust security monitoring than less expensive basic server monitoring packages afford, yet don't need the complexity or expense of a full-featured enterprise network management suite such OpenView or Tivoli. ASC is a solid, robust product that will quickly earn its keep for IT departments who have in-house knowledge of network management protocols or can invest in the training necessary to master them.