Double-Check with Routers


This article can also be found in the Premium Editorial Download "Information Security magazine: What are botnets and how can you prepare for them?."

Download it now to read this article plus other related content.

Double-Checking Firewalls
A firewall is only as good as its rule set. Creating and maintaining effective rule sets is difficult, and even the best degrade over time. The first indication of a problem is usually a compromise, such as a worm burrowing through the network.

You can use the internal and external router logs to flag and correct many rule set problems before they become problems. The external router logs will show all Internet traffic attempting to enter your network, and the internal logs will show what traffic actually got through. If the firewall is correctly configured, the internal router logs will show only the traffic that your external firewall rule sets are designed to let through. Conversely, the presence of restricted protocols will reveal rule-set errors.

Since firewalls are generally configured to log traffic that's blocked or violates policy, a misconfigured firewall may pass along dangerous traffic without recording it--but your routers will.

By aggressively monitoring the logs, you can detect and correct errors and misconfigurations before they are exploited.

Proving IDSes Work
IDS false positives act as the proverbial boy who cried wolf, draining IT security resources to hunt phantoms and, eventually, undermining security managers' confidence in their IDS's ability to issue accurate, actionable alerts.


    Requires Free Membership to View

monitoring router logs, you can fine-tune your IDS configurations to reduce false positives and refine IDS intelligence by verifying attacks and identifying their sources.

An IDS is essentially a sniffer with signatures for identifying suspicious and/or prohibited activities. Thus, at some level, IDS and router logs will show similar information. The big difference is that a router can distinguish traffic's ingress and egress points, while the IDS simply sees the traffic. This becomes increasingly important when dealing with multiple network routers, since the router logs can provide information for making more informed response decisions.

For example, in the case of a worm outbreak, an IDS only sees that there's malicious traffic traversing the network. Since the IDS may only log the one or two entries that triggered the signature--performance trumps logging--you wouldn't see all of the traffic. But, the router log would show that the source of the worm is the extranet connection to your partner organization, not your Internet-facing firewall.

What's tricky is getting this information and making it meaningful. Scripts can pull the logs at regular intervals, allowing you to compare their entries to what's seen by the IDS. Some IDSes allow you to write scripts that pull router logs for near-real-time verification of suspicious activity and alerts.

Security Workhorses
While routers can be used to audit firewalls and IDSes, the same principles can be applied network-wide to any device that generates logs.

Since many organizations run VPN concentrators parallel to firewalls, router logs can reveal attempted attacks against the VPN device; since VPN logs typically record only successful transactions, they won't yield the same information.

Routers can also complement honeypots. A honeypot is designed as a hacker target and usually has limited or no security protection. Router logs can be used to audit honeypots, just as they are used on "live" security devices, giving security managers an added level of intelligence on attack methods and sources.

Routers can be more than just traffic cops: They're investigators, auditors and enforcers. While they're not robust as a security solution, they can augment and enhance the security provided by core network security devices.

This was first published in March 2005

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: