Examining firewall logs for evidence of intrusions
Can I use the firewall logs to find out if someone has accessed my company's network? What evidence should I be looking at other than firewall logs? Also what would you recommend to block intruders?
If you are asking about what to look for in the firewall logs, your chances of finding evidence are pretty slim. In fact, if someone actually did get through your firewall into your systems, there probably is no record of it in the logs. What you could look for is evidence of preliminary scanning of ports to see if someone has been preparing for an attack. If you have intrusion-detection systems, you can look at those logs.
Specific recommendations would have to be based on what vulnerabilities were exploited. However, in general, you should ensure that all the latest security patches for all your systems, including firewalls, have been applied. You should also ensure that your firewall settings are such that all access is denied except that for which you explicitly need to allow. Also, look at your outbound firewall settings. You may be able to stop or detect insider attacks, or Trojans that may have already been implanted inside your network. For similar reasons, if you do not have intrusion detection, you should add that.
For more info on this topic, visit these SearchSecurity.com resources:
On-demand webcast: Defense-in-depth
Featured Topic: Intrusion defense
Network Security Tip: Snort makes IDS worth the time and effort
This was first published in June 2004