Why can’t I see the internal IP addresses, computer names or user names that are being blocked?
The IntelliShun appliance blocks known malicious IP addresses, counting the number of shunned connections in each direction. It also gathers statistical data so we can generate reports and graphs in your RiskTool portal while helping us to better protect your network. Shunning happens at the bridge interface, which is usually outside the firewall. Even if it could report on individual IP addresses, it only sees the egress IP address from outbound connections, not internal IP addresses.
The new RA Force portal will show you the top 10 shunned IP addresses for a given time range and category. You may be able to correlate that list of external IP addresses to activity originating from specific users or internal workstations by using logs from other technologies such as DNS servers, web proxies, or firewalls.
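One way to do that correlation against firewall logs, as an added example that is not RiskAnalytics code. The log format, field names, addresses, and time window are constructed assumptions; adapt the pattern to what your firewall, proxy, or DNS server actually logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: external IPs as they might appear in a top-10 shunned
# list (documentation address ranges, not real indicators).
SHUNNED = {"203.0.113.45", "198.51.100.7"}

# Constructed firewall log lines in an assumed key=value format.
FIREWALL_LOG = """\
2024-05-01T09:14:02 action=allow src=10.1.4.23 dst=203.0.113.45 dport=443
2024-05-01T09:14:09 action=allow src=10.1.4.23 dst=203.0.113.45 dport=443
2024-05-01T09:15:40 action=allow src=10.1.7.88 dst=192.0.2.10 dport=80
2024-05-01T09:20:11 action=allow src=10.1.9.5 dst=198.51.100.7 dport=8080
2024-05-01T23:59:59 action=allow src=10.1.2.2 dst=203.0.113.45 dport=443
malformed line without fields
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s.*?\bsrc=(?P<src>\S+)\s.*?\bdst=(?P<dst>\S+)")

def correlate(shunned, log_text, start, end):
    """Map each shunned external IP to the internal sources that contacted it
    inside [start, end], with a hit count and first/last timestamps."""
    hits = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue  # first token was not a timestamp
        if not (start <= ts <= end) or m["dst"] not in shunned:
            continue
        rec = hits[m["dst"]].setdefault(
            m["src"], {"count": 0, "first": ts, "last": ts})
        rec["count"] += 1
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
    return {ip: dict(srcs) for ip, srcs in hits.items()}

if __name__ == "__main__":
    window = (datetime(2024, 5, 1, 9, 0), datetime(2024, 5, 1, 10, 0))
    for ip, srcs in correlate(SHUNNED, FIREWALL_LOG, *window).items():
        for src, rec in sorted(srcs.items()):
            print(f"{ip} <- {src}: {rec['count']} connection(s), "
                  f"{rec['first']:%H:%M:%S} to {rec['last']:%H:%M:%S}")
```

Use the same time range you selected in the portal, and make sure the log timestamps and the portal's time range are in the same time zone before comparing them.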
Does RiskAnalytics have any tools that can identify problems on internal systems?
Our ThreatSweep product combines the same high-performance gigabit shun bridge outside the firewall with a full-featured IDS built into the same chassis. ThreatSweep doesn't exactly show you where the outbound connections are coming from on the blocked attacks/traffic reports, but it certainly provides better visibility into your network and another layer of protection over the IntelliShun device.
ThreatSweep uses sniffing ports to watch what's happening on your internal network. ThreatSweep integrates into your RiskTool portal to give you HotAlerts™ via email or SMS. HotAlerts are triggered when an event is detected that should be promptly handled by your IT staff, such as a botnet or malware infection. Additionally, the IDS identifies external attackers that are coming from previously unknown networks, and instantly adds them to the ShunList. There are also additional reports that come with ThreatSweep.