Your Firewall Logs: Most Important Tool?

If set up correctly, your firewall logs will tell you what matters most about your network: what your employees are doing, which trojans or viruses are running inside it, and more.

How do we do that in a way that actually makes the network safer?

SANS.org has a great PDF document that discusses this topic and more: http://www.sans.org/reading-room/whitepapers/firewalls/firewall-logs-811

Check out Kitploit.com as well (a sample copy is here):

webfwlog

For every packet in a connection between your internal and external machines (which your firewall hopefully sits in between), four pieces of information should be logged:

  1. Source IP address
  2. Source port
  3. Destination IP address
  4. Destination port

So what are we really looking for, and why?

We are looking for trojan and malware activity.

So how do we do that?

There are several lists of trojans and the ports they use:

Even though this is an old list, old attacks come back around, and we need to plug those holes.

http://www.jlathamsite.com/dslr/suspectports.htm

Just a couple of interesting ones:

Port 109: Possible ADM worm attacks

Port 24: Possible Back Orifice 2000 (BO2K) control port, Back Orifice 2000, BO2K attacks

The key is to allow only what is known for sure, and disallow everything else.

A deny-all rule has to come last, after everything that is permitted has been listed.

Log the traffic that gets denied; that is the key.
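As an added example (not code from the original post, nor from webfwlog), here is a small Python analyser that pulls the four fields above out of firewall log lines, flags the two suspect ports quoted from the list, and tallies denied outbound packets per internal host. It assumes the log format the Linux iptables LOG target writes (key=value fields such as SRC=, DST=, SPT=, DPT=) with a `--log-prefix` of `DENY:` or `ALLOW:`; the LAN prefix 192.168.1. and the sample log lines are constructed for this example.

```python
import re
from collections import Counter

# Port/trojan pairs quoted in the post from the suspect-port list it cites
# (only those two entries; extend this dict from the full list).
SUSPECT_PORTS = {
    24: "Back Orifice 2000 (BO2K) control port",
    109: "ADM worm",
}

# Assumption for this example: the internal network is 192.168.1.0/24.
INTERNAL_PREFIX = "192.168.1."

# key=value fields as written by the Linux iptables/nftables LOG target.
LOG_FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

# Constructed sample log: two denied probes of trojan ports, one allowed
# HTTPS connection, one denied outbound UDP packet, and an sshd line
# that is not a firewall record at all.
SAMPLE_LOG = """\
Jun  1 10:00:01 fw kernel: DENY: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.9 LEN=60 TTL=63 ID=1 DF PROTO=TCP SPT=51234 DPT=24 WINDOW=65535 SYN URGP=0
Jun  1 10:00:02 fw kernel: DENY: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.1 LEN=40 TTL=48 ID=2 PROTO=TCP SPT=4444 DPT=109 WINDOW=1024 SYN URGP=0
Jun  1 10:00:03 fw kernel: ALLOW: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.9 LEN=60 TTL=63 ID=3 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=65535 SYN URGP=0
Jun  1 10:00:04 fw kernel: DENY: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.10 LEN=68 TTL=63 ID=4 DF PROTO=UDP SPT=4000 DPT=6667
Jun  1 10:00:05 fw sshd[123]: Failed password for root from 198.51.100.7 port 2222 ssh2
"""


def parse_line(line):
    """Extract the four fields the post says must be logged for every packet
    (plus protocol and the verdict). Returns None for non-firewall lines."""
    fields = dict(LOG_FIELD.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return {
        "src_ip": fields["SRC"],
        "src_port": int(fields.get("SPT", 0)),
        "dst_ip": fields["DST"],
        "dst_port": int(fields.get("DPT", 0)),
        "proto": fields.get("PROTO", "?"),
        "denied": "DENY:" in line,
    }


def analyse(lines):
    """Return (suspect-port hits, denied outbound packets per internal host):
    the two things the post says to look for in the denied-traffic log."""
    findings = []
    denied_outbound = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["dst_port"] in SUSPECT_PORTS:
            findings.append((pkt["src_ip"], pkt["dst_ip"], pkt["dst_port"],
                             SUSPECT_PORTS[pkt["dst_port"]]))
        internal_src = pkt["src_ip"].startswith(INTERNAL_PREFIX)
        internal_dst = pkt["dst_ip"].startswith(INTERNAL_PREFIX)
        if pkt["denied"] and internal_src and not internal_dst:
            denied_outbound[pkt["src_ip"]] += 1
    return findings, denied_outbound


if __name__ == "__main__":
    hits, outbound = analyse(SAMPLE_LOG.splitlines())
    for src, dst, port, name in hits:
        print(f"suspect port {port} ({name}): {src} -> {dst}")
    for host, n in outbound.most_common():
        print(f"{host}: {n} denied outbound packets")
```

Run over a real log, the denied-outbound tally is the part to watch: an internal host that keeps being denied connections to the outside is exactly the kind of activity the post wants the deny rule and its logging to surface.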

Also rotate the logs daily.

Retain them for 30 days on the system.

Archive the older logs for a year.

Unless there are legal reasons to keep them, discard logs older than a year (contact your compliance officer or attorney for clarification).
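As an added example of the rotation and retention schedule above (not the post's own code), this Python function applies it to a directory of daily log files. It assumes daily rotation already produced files named fw-YYYY-MM-DD.log (an assumed naming scheme), compresses anything older than 30 days into an archive directory, and deletes archived logs older than a year unless a legal-hold flag is set.

```python
import gzip
import re
import shutil
from datetime import date
from pathlib import Path

RETAIN_DAYS = 30     # keep on the system (post: retain for 30 days)
ARCHIVE_DAYS = 365   # keep in the archive (post: archive for a year)

# Assumed naming scheme produced by daily rotation: fw-YYYY-MM-DD.log,
# with a .gz suffix once the file has been archived.
LOG_NAME = re.compile(r"^fw-(\d{4})-(\d{2})-(\d{2})\.log(?:\.gz)?$")


def log_date(path):
    """Date the log was written, taken from its name; None if not ours."""
    m = LOG_NAME.match(path.name)
    return date(int(m[1]), int(m[2]), int(m[3])) if m else None


def retention_action(age_days, legal_hold=False):
    """What the post's schedule does with a log of the given age."""
    if age_days <= RETAIN_DAYS:
        return "keep"
    if age_days <= ARCHIVE_DAYS or legal_hold:
        return "archive"
    return "delete"


def apply_retention(log_dir, archive_dir, today, legal_hold=False):
    """Move logs older than 30 days into archive_dir (gzip-compressed) and
    delete archived logs older than a year, unless legal_hold is set.
    Returns a count of actions taken, keyed by action."""
    log_dir, archive_dir = Path(log_dir), Path(archive_dir)
    archive_dir.mkdir(parents=True, exist_ok=True)
    summary = {"keep": 0, "archive": 0, "delete": 0}
    # Snapshot both listings first so freshly archived files are not revisited.
    for path in list(log_dir.iterdir()) + list(archive_dir.iterdir()):
        when = log_date(path)
        if when is None:
            continue  # not one of our daily logs
        action = retention_action((today - when).days, legal_hold)
        if action == "archive" and path.parent == log_dir:
            target = archive_dir / (path.name + ".gz")
            with path.open("rb") as src, gzip.open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            path.unlink()
        elif action == "delete":
            path.unlink()
        summary[action] += 1
    return summary


if __name__ == "__main__":
    # Assumed paths; adjust to where the firewall writes its logs.
    print(apply_retention("/var/log/firewall", "/var/log/firewall/archive", date.today()))
```

Run it once a day from cron after the rotation step. The legal_hold flag is the hook for the compliance question the post raises: when it is set, nothing is ever deleted, only archived.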

Also log:

Unsuccessful logins.

Outbound activity from internal servers.

Source-routed packets. http://www.comptechdoc.org/independent/networking/terms/source-routing.
