Information Security Magazine
Double-Check with Routers
by Eric Cole
Issue: Mar 2005

Double-Checking Firewalls
A firewall is only as good as its rule set. Creating and maintaining effective rule sets is difficult, and even the best degrade over time. The first indication of a problem is usually a compromise, such as a worm burrowing through the network.

You can use the internal and external router logs to flag and correct many rule-set problems before they are exploited, provided the access lists on both routers are configured to log the traffic they permit, not just what they deny. The external router's logs show all Internet traffic attempting to enter your network; the internal router's logs show what actually got through the firewall. If the firewall is correctly configured, the internal logs will contain only the traffic your rule set is designed to let through. Conversely, any restricted protocol showing up on the inside reveals a rule-set error.

Since firewalls are generally configured to log traffic that's blocked or violates policy, a misconfigured firewall may pass along dangerous traffic without recording it--but your routers will.

By aggressively monitoring the logs, you can detect and correct errors and misconfigurations before they are exploited.

Proving IDSes Work
IDS false positives act as the proverbial boy who cried wolf, draining IT security resources to hunt phantoms and, eventually, undermining security managers' confidence in their IDS's ability to issue accurate, actionable alerts.

By monitoring router logs, you can fine-tune your IDS configurations to reduce false positives and refine IDS intelligence by verifying attacks and identifying their sources.

An IDS is essentially a sniffer with signatures for identifying suspicious and/or prohibited activities. Thus, at some level, IDS and router logs will show similar information. The big difference is that a router log records the interface on which traffic entered and left, while the IDS simply sees the traffic. This becomes increasingly important when dealing with multiple network routers, since the router logs can provide information for making more informed response decisions.

For example, in the case of a worm outbreak, an IDS only sees that there's malicious traffic traversing the network. Since the IDS may only log the one or two entries that triggered the signature--performance trumps logging--you wouldn't see all of the traffic. But, the router log would show that the source of the worm is the extranet connection to your partner organization, not your Internet-facing firewall.

What's tricky is getting this information and making it meaningful. Scripts can pull the logs at regular intervals, allowing you to compare their entries to what's seen by the IDS. Some IDSes allow you to write scripts that pull router logs for near-real-time verification of suspicious activity and alerts.
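The two comparisons described above, the firewall audit (external versus internal router logs against the intended rule set) and the attribution of an IDS alert to the router that actually carried the traffic, share one need: a parser for router ACL log lines. The following script is an added example, not code from the article or from any product it mentions. The log lines are constructed and modelled on the Cisco IOS `%SEC-6-IPACCESSLOGP` message format; the router names, addresses, ACL numbers and the allowed-service policy are assumptions.

```python
"""Audit a firewall and attribute an IDS alert using router ACL logs.

Added example, not from the article. Log lines are constructed and
modelled on the Cisco IOS %SEC-6-IPACCESSLOGP format: a syslog prefix
with the router hostname, then
  'list <acl> permitted|denied <proto> <src>(<sport>) -> <dst>(<dport>), <n> packets'.
Router names, addresses and the POLICY set are assumptions.
"""
import re
from dataclasses import dataclass

LOG_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<router>\S+) .*?%SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<packets>\d+) packets?"
)


@dataclass(frozen=True)
class Flow:
    router: str
    action: str
    proto: str
    src: str
    dst: str
    dport: int
    packets: int


def parse(lines):
    """Turn ACL log lines into Flow records; non-ACL syslog lines are skipped."""
    flows = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            flows.append(Flow(m["router"], m["action"], m["proto"], m["src"],
                              m["dst"], int(m["dport"]), int(m["packets"])))
    return flows


def firewall_audit(external_lines, internal_lines, allowed):
    """Compare what the external router passed toward the firewall with what
    the internal router saw come out of it.

    allowed: set of (proto, dport) the firewall policy is meant to pass inbound.
    Returns (leaked, blocked): flows that reached the inside against policy
    (rule-set errors), and flows seen outside but never inside (the firewall
    dropped them, as intended).
    """
    outside = [f for f in parse(external_lines) if f.action == "permitted"]
    inside = [f for f in parse(internal_lines) if f.action == "permitted"]
    inside_keys = {(f.proto, f.src, f.dst, f.dport) for f in inside}
    leaked = [f for f in inside if (f.proto, f.dport) not in allowed]
    blocked = [f for f in outside
               if (f.proto, f.src, f.dst, f.dport) not in inside_keys]
    return leaked, blocked


def alert_sources(alert_src, logs_by_router):
    """For the source address in an IDS alert, report which routers carried
    traffic from it and the full spread (packets, distinct targets) each one
    logged. The IDS may have recorded only the one or two packets that
    matched a signature; the routers show the whole picture."""
    spread = {}
    for router, lines in logs_by_router.items():
        hits = [f for f in parse(lines) if f.src == alert_src]
        if hits:
            spread[router] = {
                "packets": sum(f.packets for f in hits),
                "targets": sorted({f"{f.dst}:{f.dport}" for f in hits}),
            }
    return spread


# Constructed sample logs (assumed topology: ext-rtr outside the firewall,
# int-rtr inside it, extranet-rtr on a partner link that bypasses it).
EXT_RTR = [
    "Mar  3 10:15:01 ext-rtr 201: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.5(43211) -> 10.0.0.8(25), 1 packet",
    "Mar  3 10:15:04 ext-rtr 202: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.9(51000) -> 10.0.0.9(80), 3 packets",
    "Mar  3 10:15:09 ext-rtr 203: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.20(40001) -> 10.0.0.15(23), 1 packet",
    "Mar  3 10:15:12 ext-rtr 204: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.33(40555) -> 10.0.0.12(135), 2 packets",
]
INT_RTR = [
    "Mar  3 10:15:01 int-rtr 377: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 203.0.113.5(43211) -> 10.0.0.8(25), 1 packet",
    "Mar  3 10:15:04 int-rtr 378: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 203.0.113.9(51000) -> 10.0.0.9(80), 3 packets",
    "Mar  3 10:15:12 int-rtr 379: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 198.51.100.33(40555) -> 10.0.0.12(135), 2 packets",
]
EXTRANET_RTR = [
    "Mar  3 10:31:40 extranet-rtr 88: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 172.16.40.7(1034) -> 10.0.0.20(445), 1 packet",
    "Mar  3 10:31:41 extranet-rtr 89: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 172.16.40.7(1035) -> 10.0.0.21(445), 1 packet",
    "Mar  3 10:31:41 extranet-rtr 90: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 172.16.40.7(1036) -> 10.0.0.22(445), 1 packet",
]
# Assumed firewall policy: only SMTP, HTTP and HTTPS may enter from outside.
POLICY = {("tcp", 25), ("tcp", 80), ("tcp", 443)}

if __name__ == "__main__":
    leaked, blocked = firewall_audit(EXT_RTR, INT_RTR, POLICY)
    for f in leaked:
        print(f"RULE-SET ERROR: {f.proto}/{f.dport} from {f.src} reached {f.dst}")
    for f in blocked:
        print(f"firewall dropped: {f.proto}/{f.dport} from {f.src} to {f.dst}")
    # An IDS alert on 172.16.40.7 -> 10.0.0.20:445; which router carried it?
    for router, info in alert_sources("172.16.40.7", {
            "ext-rtr": EXT_RTR, "int-rtr": INT_RTR, "extranet-rtr": EXTRANET_RTR}).items():
        print(f"{router}: {info['packets']} packets to {info['targets']}")
```

On the sample data the audit flags the tcp/135 flow that appeared on the internal router although the policy never allows it, records the telnet attempt the firewall correctly dropped, and places the source of the port-445 alert on the extranet router rather than the Internet-facing one, with all three targets it swept. Matching in `firewall_audit` is by exact five-tuple minus source port, so NAT or proxying at the firewall would require rewriting the internal-side key before comparison.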

Security Workhorses
While routers can be used to audit firewalls and IDSes, the same principles can be applied network-wide to any device that generates logs.

Since many organizations run VPN concentrators parallel to firewalls, router logs can reveal attempted attacks against the VPN device; since VPN logs typically record only successful transactions, they won't yield the same information.

Routers can also complement honeypots. A honeypot is designed as a hacker target and usually has limited or no security protection. Router logs can be used to audit honeypots, just as they are used on "live" security devices, giving security managers an added level of intelligence on attack methods and sources.

Routers can be more than just traffic cops: They're investigators, auditors and enforcers. While they're not a robust security solution on their own, they can augment and enhance the security provided by core network security devices.