This article can also be found in the Premium Editorial Download "Information Security magazine: What are botnets and how can you prepare for them?"
Conventional routers are the perfect network security auditing device. Take advantage of what they see.
[Sidebar: Scripts: Simple Log Parsing]
Routers see everything that crosses your network. They direct the flow from LAN to LAN, and--with their access control lists (ACLs)--can regulate access to network segments. But you're not getting the most out of your routers unless you're using them to help audit your security devices.
Router logs are a treasure trove of security intelligence that, with proper analysis, can help you be proactive and correct firewall configuration errors, tune IDSes and measure your network's security posture. The concept is simple: Compare what arrives at your enterprise's front door with what actually gets through.
Routers can store logs locally, but their storage is limited. The first step is to create a syslog server to collect external and internal router logs; the server can also consolidate logs from multiple routers for efficient reviews. From there, you can audit just about any device that generates logs, but we'll focus on firewalls and IDSes. First, though, let's see how you can use scripts to cut the job down to size.
Follow the Script
Dumping router logs into a readable text file is easy. Pulling logs from every border and internal router, then parsing them for meaningful, actionable intelligence isn't as simple.
Scripts can automate the retrieval of router logs and parse them on a regular schedule. These scripts should reflect your security policies--basically, what kinds of traffic shouldn't be allowed. Key types of external traffic to look for are RPC and SNMP queries and NetBIOS scans, none of which should legitimately be coming into your network. In the case of NetBIOS, closing TCP/UDP ports 135-139 and 445 can head off the attack that light probing of those ports often foreshadows.
The testing scripts can be written in any language and created at the same time as the rule sets. However, scripts written in Perl around the simple grep command are quickly modifiable and easy to use. Grep is a powerful complement to a scripting language because it lets you quickly isolate important traffic. It would be almost impossible, for example, to see a DNS attack among 20,000 log entries; by parsing the data to show only the 30 lines associated with DNS, the attack becomes much easier to spot. (See "Simple Log Parsing".)
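The following script is an added example, not from the article or the magazine's sidebar, showing the front-door comparison described above: it greps the policy-violating ports named in the text (RPC 111, NetBIOS/SMB 135-139 and 445, SNMP 161/162) out of a border router log, then checks whether any of those flows also appear in the log of a router behind the firewall, which would indicate a firewall rule error. It also isolates the DNS lines as the text suggests. The script is plain POSIX shell around grep rather than Perl, and the log lines are constructed samples in Cisco IOS ACL-log style, not captures from a real network; the hostnames and addresses are made up.

```shell
#!/bin/sh
# Added example (not the article's own script). Audit constructed router
# syslog lines: what arrived at the border versus what got past the firewall.
# Ports the article says should never arrive from outside:
#   RPC portmapper 111, NetBIOS/SMB 135-139 and 445, SNMP 161/162.
POLICY_PORTS='(111|135|136|137|138|139|445|161|162)'

# Constructed sample logs in Cisco IOS ACL-log style (not real captures).
EXTERNAL_LOG="$(mktemp)"   # border router: what arrives at the front door
INTERNAL_LOG="$(mktemp)"   # core router behind the firewall: what got through
trap 'rm -f "$EXTERNAL_LOG" "$INTERNAL_LOG"' EXIT

cat >"$EXTERNAL_LOG" <<'EOF'
Mar 12 10:01:02 border-rtr 101: %SEC-6-IPACCESSLOGP: list 110 denied tcp 203.0.113.7(3456) -> 192.0.2.10(445), 1 packet
Mar 12 10:01:05 border-rtr 102: %SEC-6-IPACCESSLOGP: list 110 denied udp 203.0.113.7(3457) -> 192.0.2.10(137), 1 packet
Mar 12 10:01:09 border-rtr 103: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 203.0.113.9(40001) -> 192.0.2.20(80), 1 packet
Mar 12 10:01:12 border-rtr 104: %SEC-6-IPACCESSLOGP: list 110 permitted udp 203.0.113.11(1024) -> 192.0.2.5(161), 1 packet
Mar 12 10:01:15 border-rtr 105: %SEC-6-IPACCESSLOGP: list 110 permitted udp 198.51.100.4(53001) -> 192.0.2.53(53), 1 packet
Mar 12 10:01:18 border-rtr 106: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 203.0.113.12(2200) -> 192.0.2.10(135), 1 packet
Mar 12 10:01:21 border-rtr 107: %SEC-6-IPACCESSLOGP: list 110 denied tcp 203.0.113.13(2201) -> 192.0.2.10(111), 1 packet
Mar 12 10:01:25 border-rtr 108: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 198.51.100.8(40100) -> 192.0.2.20(443), 1 packet
EOF

cat >"$INTERNAL_LOG" <<'EOF'
Mar 12 10:01:13 core-rtr 201: %SEC-6-IPACCESSLOGP: list 120 permitted udp 203.0.113.11(1024) -> 192.0.2.5(161), 1 packet
Mar 12 10:01:16 core-rtr 202: %SEC-6-IPACCESSLOGP: list 120 permitted udp 198.51.100.4(53001) -> 192.0.2.53(53), 1 packet
Mar 12 10:01:26 core-rtr 203: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 198.51.100.8(40100) -> 192.0.2.20(443), 1 packet
EOF

# Count lines on stdin (avoids grep -c's non-zero exit when nothing matches).
count_lines() { awk 'END { print NR }'; }

# Lines whose destination port is one the policy forbids from outside.
# Only the "-> dst(port)" side is matched, so source ports never trigger it;
# -e keeps grep from reading the leading "->" as an option.
policy_hits() { grep -E -e "-> [0-9.]+\\(${POLICY_PORTS}\\)" "$1" || true; }

# Isolate DNS (port 53) traffic so an attack stands out among the noise.
dns_lines() { grep -E -e "-> [0-9.]+\\(53\\)" "$1" || true; }

# Reduce a log line to "proto src -> dst:port" for a readable finding.
flow_of() { sed -E 's/.* (tcp|udp) ([0-9.]+)\([0-9]+\) -> ([0-9.]+)\(([0-9]+)\).*/\1 \2 -> \3:\4/'; }

# Compare the front door with the inside: every policy hit that also shows up
# on the internal router is traffic the firewall should have stopped.
audit_report() {
    border=$(policy_hits "$1" | count_lines)
    leaked=$(policy_hits "$2" | count_lines)
    echo "policy-violating flows seen at border : $border"
    echo "of those, seen behind the firewall   : $leaked"
    if [ "$leaked" -gt 0 ]; then
        echo "firewall rule errors, fix these:"
        policy_hits "$2" | flow_of | sed 's/^/  /'
    fi
}

audit_report "$EXTERNAL_LOG" "$INTERNAL_LOG"
```

Run as-is, it reports five policy hits at the border and one of them (SNMP to 192.0.2.5) behind the firewall, which is the actionable finding: the firewall rule for UDP 161 is wrong. In production you would point `EXTERNAL_LOG` and `INTERNAL_LOG` at the syslog server's files for each router and schedule the script with cron.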
This was first published in March 2005