Datasheet
INTC-7816-01 02/2008 Page 10 of 18
The Virtual-SOC allows Customers to view and report on these alerts, and provides a full-featured
ticketing system for handling and escalating Security Incidents internally.
Full Monitoring (Optional)
Policies watch for critical events, as well as medium- and low-priority malicious activity, suspicious
activity, and network misuse. The Customer may request policy changes to enable additional detection
or prevention capabilities, modify response actions, and fine-tune the type of information received by the
Intrusion Prevention module.
If the deployed Agent supports multiple policies, and barring any technical or
environmental limitations, the Customer may deploy the Agent in a configuration which allows for a
maximum of one policy per port pair when the Agent is deployed in an inline configuration. Additional
policies beyond these stated maximums may result in additional recurring monthly service fees.
IBM will monitor all security events generated by the Agent, validate the events and, if necessary, create
a Security Incident ticket 24 hours/day by 7 days/week.
Monitoring Options
| Feature | Reporting Only | Full Monitoring |
|---|---|---|
| 24 x 7 security event monitoring | Automated monitoring via intelligent systems | Automated monitoring with real-time 24 x 7 human analyses |
| Security Incident escalations | Via e-mail following identification and validation | Via telephone and/or e-mail, based on event priority |
| IDS/IPS policy configuration | High priority malicious activity | High, medium, and low-priority activity (including suspicious activity and network misuse) |
2.3.2 Firewall
The terms and conditions set forth in this section entitled “Firewall” will apply only to Customers who have
contracted for the MSS for UTM Protection package.
The firewall module is designed to prevent unwanted and malicious traffic from entering or leaving the
enforcement point. The service identifies and blocks access to certain applications and data attempting
to enter the Customer’s network, using stateful inspection (also called “dynamic packet filtering”).
Security Policy
During the initial setup and deployment process, IBM will work with the Customer to create a policy that is
customized to the organization’s specific needs. Firewall module policies will support the creation of
standard rules (e.g., source, destination, service, and action), object and protocol groupings, and
network/port address translation configurations.
A single firewall policy/configuration change is defined as any authorized request for the addition or
modification of one rule with five or fewer network or IP objects in a single request. Any change request
requiring the addition of six or more network or IP objects or the manipulation of two or more rules will be
counted as two or more requests. If the request applies to changes outside of the rule-based firewall
policy, each submitted request will be considered a single change, within reasonable limits.
Authentication Accounts
Specific firewall functionality often allows for the authentication of user accounts to enable access through
application proxies or for usage of specific protocols. IBM will support the enablement of such
functionality; however, user account management is the responsibility of the authorized Customer
security contacts. To simplify such a process, Customers may wish to integrate a third-party
authentication server with the firewall. Such a server will be managed by the Customer and will simplify the
process of account management by expanding available options for user administration. IBM issues
surrounding authentication of protocols and application proxies also extend to client and SSL VPN
capabilities.
Notifications and Alerts