Q

Examining firewall logs for evidence of intrusions

Can I use the firewall logs to find out if someone has accessed my company's network? What evidence should I be

looking at other than firewall logs? Also what would you recommend to block intruders? If you are asking about what to look for in the firewall logs, your chances of finding evidence are pretty slim. In fact, if someone actually did get through your firewall into your systems, there probably is no record of it in the logs. What you could look for is evidence of preliminary scanning of ports to see if someone has been preparing for an attack. If you have intrusion-detection systems, you can look at those logs.

Specific recommendations would have to be based on what vulnerabilities were exploited. However, in general, you should ensure that all the latest security patches for all your systems, including firewalls, have been applied. You should also ensure that your firewall settings are such that all access is denied except that for which you explicitly need to allow. Also, look at your outbound firewall settings. You may be able to stop or detect insider attacks, or Trojans that may have already been implanted inside your network. For similar reasons, if you do not have intrusion detection, you should add that.


For more info on this topic, visit these SearchSecurity.com resources:
  • On-demand webcast: Defense-in-depth
  • Featured Topic: Intrusion defense
  • Network Security Tip: Snort makes IDS worth the time and effort
  • This was first published in June 2004

    Dig deeper on Application Firewall Security

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    SearchCloudSecurity

    SearchNetworking

    SearchCIO

    SearchConsumerization

    SearchEnterpriseDesktop

    SearchCloudComputing

    ComputerWeekly

    Close