The Eagle is able to detect what you deem to be suspicious activity. What is suspicious for one site may be acceptable for another, so the rules must reflect your site's unique requirements. While some rules, such as "never allow data to be transferred from a machine of high security to one of lower security", are clear, others may not be. For instance, the fact that a particular rule is triggered once may mean nothing more than a mistake by a user typing his or her password. If, however, a rule is triggered many times in a brief period, it may indicate that something suspicious is being attempted (or worse, is actually happening).
To define what you deem suspicious, you can specify a set of sliding time windows together with associated thresholds for connection attempts. The Eagle keeps track of which rules have been invoked either to permit or to deny connections during each window (the current time is always the end of each window). You specify how often during these windows it is acceptable for a rule to be active. For example, if your site has been averaging four or five connections from the mit.edu network per day, having six or seven in a given day is probably not a notable incident. However, if there have been ten or more in a single day, you may want to know about it. If there have been more than thirty, you will certainly want to be alerted, especially if it is in the middle of the night (hence the pager alert system in the Eagle). Each of these time windows and thresholds can be separately configured for each access rule.
The Eagle comes with default thresholds for all time windows. Overriding these defaults is simply a matter of changing the authorization rule database.
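The sliding-window evaluation described above can be illustrated with a small monitor that records each time an authorization rule fires (whether to permit or to deny a connection) and checks every configured window, all of which end at the current time. This is an added example, not code from the Eagle or its gwcontrol daemon: the severity names, the threshold tuples, the per-rule override mapping and the sample event stream are all constructed for illustration, with the daily figures taken from the mit.edu example in the text.

```python
from collections import defaultdict, deque

# Severity levels used in this example, lowest to highest (constructed; the
# page's own list of categories is not reproduced here).
SEVERITY_ORDER = ["notice", "warning", "alert"]

# Constructed default thresholds: (window_seconds, trigger_count, severity).
# A rule that has fired at least trigger_count times within the last
# window_seconds raises that severity. The per-day figures follow the text's
# example: ten in a day is notable, more than thirty warrants an alert.
DEFAULT_THRESHOLDS = [
    (60, 5, "warning"),      # five hits inside one minute: a burst
    (86400, 10, "notice"),   # ten hits in a day
    (86400, 31, "alert"),    # more than thirty hits in a day
]


class RuleActivityMonitor:
    """Tracks when each rule fired and evaluates sliding windows that
    always end at the timestamp of the most recent event."""

    def __init__(self, overrides=None):
        # rule name -> list of thresholds; rules without an entry use the
        # defaults, mirroring per-rule overrides in a rule database.
        self.overrides = dict(overrides or {})
        # rule name -> deque of firing timestamps in ascending order
        self.events = defaultdict(deque)

    def thresholds_for(self, rule):
        return self.overrides.get(rule, DEFAULT_THRESHOLDS)

    def record(self, rule, timestamp):
        """Record that `rule` fired at `timestamp` (seconds) and return the
        highest severity whose threshold is now met, or None."""
        q = self.events[rule]
        q.append(timestamp)
        thresholds = self.thresholds_for(rule)
        longest = max(window for window, _, _ in thresholds)
        # Events older than the longest window can never count again.
        while q and q[0] <= timestamp - longest:
            q.popleft()
        best = None
        for window, count, severity in thresholds:
            hits = sum(1 for t in q if t > timestamp - window)
            if hits >= count and (
                best is None
                or SEVERITY_ORDER.index(severity) > SEVERITY_ORDER.index(best)
            ):
                best = severity
        return best


def replay(events, overrides=None):
    """Feed (timestamp, rule) pairs in order and return a list of
    (timestamp, rule, severity) for every event that reached a severity."""
    monitor = RuleActivityMonitor(overrides)
    raised = []
    for timestamp, rule in events:
        severity = monitor.record(rule, timestamp)
        if severity is not None:
            raised.append((timestamp, rule, severity))
    return raised


if __name__ == "__main__":
    # Constructed sample: ten hourly connections matching a hypothetical
    # "allow-mit-edu" rule, followed by five failed logins in forty seconds.
    sample = [(h * 3600, "allow-mit-edu") for h in range(10)]
    sample += [(100000 + 10 * i, "deny-login") for i in range(5)]
    for line in replay(sample):
        print(line)
```

Because every window is measured backwards from the newest event, a single isolated hit never exceeds a threshold, while the same rule firing ten times in a day or five times in a minute crosses one; raising the count in a rule's override entry is the equivalent of editing the threshold for that rule alone.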
Suspicious activity falls into several categories or severity levels. These are:
All suspicious activity is recorded in gwcontrol's log file.
You can be notified of suspicious activity by audio alarm, electronic mail, pager, fax, or client program.
See Chapter for a full description of notification.
Figure illustrates how the Dynamic Activity Monitor helps to protect your network.