Firewall Log Review and Analysis
Pages: 10
File type: pdf
Size: 45.00 KB
After the decision has been made to log events from your firewall, the next step is determining what you should be looking for in the logs and how you should properly perform log analysis. The most important thing to remember is that firewall logs are virtually worthless if no one ever looks at them. Logging is merely a means to an end, namely knowing what is going on with your firewalls so that you can respond accordingly. Review of the logs should not be reserved for when an incident has occurred; it should be part of the weekly, if not daily, tasks that the firewall administrators perform. To reduce the time and effort required to review the logs, many enterprise security incident management products provide tools and utilities that help the firewall administrator separate the wheat from the chaff, so that less time is spent reviewing the logs while the information needed to identify situations before they become a problem is still surfaced.

Another aspect of reviewing the logs that should not be overlooked is the need to define a log archive and normalization policy. Too many organizations do not store their firewall logs long enough to adhere to regulations (some of which, such as Sarbanes-Oxley, are generally accepted to require seven years of log data to be retained). This creates situations where data from the logs may be necessary, but the logs themselves have already been destroyed. In conjunction with this, it is important to normalize your log data. Normalization just means converting your logs into a standard format that allows for easier review and correlation of data from different sources (such as different firewall vendors).

What to Look for in Firewall Logs

Once you have collected the firewall logs and begun analyzing them, you need to decide what data you should be looking for. With that said, it is important not to fall into the trap of looking in your firewall logs only for bad events. Yes, firewall logs can be the key element in discovering security incidents and compromises, but that is only one of the reasons for analyzing your logs. You also want to use the log information to help define the baselines and normal operation of the firewall. After all, one of the easiest ways to know whether logged behavior is malicious is to know what the good things look like and then note the exceptions.

The simple fact of the matter is that certain events should always raise suspicion when they are detected. Ten of the most common events that warrant further investigation are as follows:

• Authentication allowed.
• Traffic dropped (not addressed to the firewall).
• Firewall stop/start/restart.
• Firewall configuration changed.
• Interface up/down status changed.
• Administrator access granted.
• Connection was torn down.
• Authentication failed.
• Traffic dropped (addressed to the firewall).
• Administrator session ended.

The following sections explain these events in more detail.

Authentication Allowed

Although it may seem rather innocuous at first glance, it is important to look for authentication-allowed events because they can identify situations where access was granted by the firewall when it should not have been allowed. The reasons can range from legitimate administrators logging on when they should not have to malicious users logging on after compromising the account and password that they are using. In addition, if your firewall is configured to authenticate user access, this event can be used to identify which users have been authenticated and for what function.

Traffic Dropped (Not Addressed to the Firewall)

Most firewalls have some resources that they are protecting. Traffic addressed to these servers will typically be processed by the firewall and filtered accordingly. Although traffic-dropped messages can indicate that someone is attempting to access a protected resource in a manner other than what the firewall administrator has defined, a common cause of this event is a simple misconfiguration of the ruleset. Therefore, if users cannot access protected resources, review the logs to determine whether the firewall is dropping the traffic, which points you toward what may need to be fixed to provide the requested access.

Firewall Stop/Start/Restart

The firewall should never stop, start, or restart without the firewall administrator knowing in advance that it is going to occur. This event can be caused by non-firewall-specific issues such as power failures as well as by firewall-specific issues such as the firewall crashing or a high-availability failover, and therefore it should always be investigated in ...
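The following Python is an added example, not code from the page or from the Firewall Fundamentals text. It ties together two of the points above: the normalization paragraph (one record shape regardless of which vendor wrote the line) and the "ten events that warrant investigation" list, a subset of which is applied over the normalized records using the connections the firewall has been seen permitting as the baseline against which exceptions are noted. Everything concrete in it is assumed: the sample log lines are constructed (modeled on iptables LOG output and on Cisco ASA syslog wording, not copied from any device), as are the firewall's own addresses, the administrator change window, and the "FW-ACCEPT:"/"FW-DROP:" log prefixes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed for this example: the firewall's own interface addresses, and the local-time
# hours during which administrator logons are expected.
FIREWALL_ADDRS = {"192.0.2.1", "198.51.100.1"}
CHANGE_WINDOW = (8, 18)

# Constructed sample lines (not real device output, not from the page), modeled on
# iptables LOG output with assumed "FW-ACCEPT:"/"FW-DROP:" --log-prefix values and on
# Cisco ASA syslog wording.
SAMPLE_LOGS = [
    "Mar  3 09:12:01 fw1 kernel: FW-ACCEPT: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.0.0.10 LEN=60 PROTO=TCP SPT=51010 DPT=443",
    "Mar  3 09:12:07 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=44321 DPT=22",
    "Mar  3 09:13:15 fw1 kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.0.0.10 LEN=60 PROTO=TCP SPT=51011 DPT=443",
    "Mar  3 23:41:03 fw2 %ASA-6-113012: AAA user authentication Successful : local database : user = jdoe",
    "Mar  3 23:41:40 fw2 %ASA-5-111008: User 'jdoe' executed the 'configure terminal' command.",
    "Mar  3 23:45:10 fw2 %ASA-6-199002: Startup completed. Beginning operation.",
    "Mar  3 10:02:11 fw2 %ASA-4-106023: Deny tcp src outside:198.51.100.77/40000 dst inside:10.0.0.20/3389 by access-group \"outside_in\"",
    "Mar  3 10:05:00 fw2 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : local database : user = admin",
]

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
IPT_RE = re.compile(r"^kernel: (?P<prefix>[\w-]+): .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
                    r" .*?PROTO=(?P<proto>\S+)(?: SPT=\d+ DPT=(?P<dport>\d+))?")
ASA_DENY_RE = re.compile(r"^%ASA-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+"
                         r" dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
ASA_USER_RE = re.compile(r"user = (?P<u1>\S+)|User '(?P<u2>[^']+)'")
ASA_ACTIONS = {"113012": "auth_ok", "113005": "auth_fail",
               "111008": "config_change", "199002": "restart"}


@dataclass
class Event:
    """One record shape regardless of which vendor wrote the line."""
    ts: str
    vendor: str
    action: str        # accept | drop | auth_ok | auth_fail | config_change | restart | other
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    user: Optional[str] = None
    raw: str = ""


def normalize(line: str) -> Optional[Event]:
    """Map a raw line from either vendor onto an Event; None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, msg = m.group(1), m.group(3)
    ev = Event(ts=ts, vendor="unknown", action="other", raw=line)
    if msg.startswith("kernel: "):                 # netfilter LOG target
        ev.vendor = "iptables"
        if km := IPT_RE.match(msg):
            ev.action = "drop" if "DROP" in km["prefix"].upper() else "accept"
            ev.src, ev.dst, ev.proto = km["src"], km["dst"], km["proto"].lower()
            ev.dport = int(km["dport"]) if km["dport"] else None
    elif msg.startswith("%ASA-"):                  # Cisco ASA style message
        ev.vendor = "asa"
        code = msg.split(":", 1)[0].split("-")[-1]  # message id, e.g. "106023"
        if dm := ASA_DENY_RE.match(msg):
            ev.action, ev.src, ev.dst = "drop", dm["src"], dm["dst"]
            ev.proto, ev.dport = dm["proto"].lower(), int(dm["dport"])
        else:
            ev.action = ASA_ACTIONS.get(code, "other")
        if um := ASA_USER_RE.search(msg):
            ev.user = um["u1"] or um["u2"]
    return ev


def build_baseline(events: List[Event]) -> set:
    """Baseline of 'good': (dst, proto, dport) services the firewall has been seen permitting."""
    return {(e.dst, e.proto, e.dport) for e in events if e.action == "accept"}


def review(events: List[Event]) -> List[Tuple[Event, str]]:
    """Run a subset of the ten checks; returns (event, reason) pairs worth investigating."""
    baseline = build_baseline(events)
    findings = []
    for e in events:
        hour = int(e.ts.split()[-1][:2])
        if e.action == "drop" and e.dst in FIREWALL_ADDRS:
            findings.append((e, "traffic dropped, addressed to the firewall itself"))
        elif e.action == "drop" and (e.dst, e.proto, e.dport) in baseline:
            findings.append((e, "traffic dropped to a normally permitted service; check the ruleset"))
        elif e.action == "auth_ok" and not (CHANGE_WINDOW[0] <= hour < CHANGE_WINDOW[1]):
            findings.append((e, f"authentication allowed outside the change window: {e.user}"))
        elif e.action == "auth_fail":
            findings.append((e, f"authentication failed: {e.user}"))
        elif e.action == "config_change":
            findings.append((e, f"configuration changed by {e.user}"))
        elif e.action == "restart":
            findings.append((e, "firewall stop/start/restart"))
    return findings


if __name__ == "__main__":
    for ev, why in review([e for e in map(normalize, SAMPLE_LOGS) if e]):
        print(f"{ev.ts} [{ev.vendor}] {why}\n    {ev.raw}")
```

Run as written, six of the eight constructed lines are flagged; the two that are not (the permitted HTTPS connection and the deny of an unsolicited RDP probe to a host the firewall never permits) are exactly the "normal" traffic the baseline is meant to absorb. The drop of HTTPS to a server the firewall was permitting a minute earlier is the ruleset-misconfiguration case the "Traffic Dropped (Not Addressed to the Firewall)" section describes, and it is only detectable because the accept was normalized into the same record shape as the ASA deny.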
Keywords: information technology, security, firewall, Firewall Fundamentals, Firewall Log Review and Analysis