Halestar   Thursday, November 20 2008
Network & Data Security Support
Halestar's HALO Managed Services
HALO Network Security Monitoring Architecture Brief

Halestar's network monitoring, dispatch and escalation architecture, HALO, provides a window into the operation of firewalls, routers, switches and servers. HALO gathers event notifications from disparate devices, performs shallow event correlation and maintains records of call dispatch and acknowledgement. The architecture is built upon simple, proven components with low cost of deployment, with almost a decade of monitoring experience for portions of the Fortune 500.

HALO Features

HALO combines several subcomponents built upon resilient transport architecture to provide:

  • Server/service monitoring
  • SNMP trap collection
  • SNMP MIB harvesting for a variety of devices
  • Dead banding, Alerting, Escalation, Acknowledgement via email, pager or telephony
  • Record keeping
  • Customer web access

Alerts are customized on a per-customer basis. The highest severity events are dispatched in tandem to Halestar engineers and customer contacts. The more capable the customer devices, the more correlated and rich the HALO event notifications will be. Halestar is available to ameliorate issues on a per-call basis or by support contract arrangement.

HALO Deployment

HALO is an offsite monitoring service. To enroll, a customer grants Halestar's systems the access needed to ping devices, make IP connections, pull MIBs and receive traps.

Customers provide Halestar with an escalation tree. The contacts, passwords and event notification selections can be customized at any time. For highest severity events, Halestar engineers become involved.

HALO Functional Components

The Halestar HALO SOC architecture gathers connectivity, service and trap information using an industry-standard monitoring tool. A second tool pulls MIBs from appropriate devices. Both tools feed a tracking engine, which prioritizes, dispatches and escalates alerts and records their acknowledgements.

The tracking engine performs time-domain analysis on alerts to recognize attack situations. It further gathers whatever IDS-class information is available from the systems under monitoring to create a higher quality picture. Security events and up/down events are tracked through resolution.

A database keeps a running history of alerts and acknowledgements. User preferences, historical information and present alert conditions are available via a web interface.


HALO Features:

• Advanced User Portal
• Real Time Reporting and Alerting
• Next Generation Escalation
• Intelligent Alert Interpretation
• Subscription to Halestar's Cyber Intelligence Report