Auditing firewall activity

Once you've made it through the challenging phases of firewall selection and architecture design, you're finished setting up a DMZ, right? Your rulebase should remain stable and you'll never have a need to make configuration changes. We can only dream! In the real world of firewall management, we're faced with balancing a continuous stream of change requests and vendor patches against the operational management of our firewalls. Configurations change quickly and often, making it difficult to keep on top of routine maintenance tasks. In this tip, we explore some ways to leverage the logging capabilities of your firewall to help keep things in order.

Let's take a look at four practical areas where some basic log analysis can provide valuable firewall management data:

1. Monitor rule activity
System administrators tend to be quick on the trigger to ask for new rules, but not quite so eager to let you know when a rule is no longer necessary. Monitoring rule activity can provide some valuable insight to assist you with managing the rulebase. If a rule that was once heavily used suddenly goes quiet, you should investigate whether the rule is still needed. If it's no longer necessary, trim it from your rulebase. Legacy rules have a way of piling up and adding unnecessary complexity. Over the years, I've had a chance to analyze the rulebases of many production firewalls, and I estimate that at least 20% of the average firewall's rulebase is unnecessary. I've seen systems where this ratio is as high as 60%.
2. Traffic flows
Also monitor logs for abnormal traffic patterns. If servers that normally receive a low volume of traffic are suddenly responsible for a significant portion of traffic passing through the firewall (either in total connections or bytes passed), then you have a situation worthy of further investigation. While "flash crowds" are to be expected in some situations (such as a Web server during a period of unusual interest), they are also often signs of misconfigured systems or attacks in progress.
3. Rule violations
Looking at traffic denied by your firewall may lead to interesting findings. This is especially true for traffic that originates from inside your network. The most common cause of this activity is a misconfigured system or a user who isn't aware of traffic ...

To continue reading for free, register below or login
Requires Membership to View
To gain access to this and all member only content, please provide the following information:
Email Address:



By joining SearchSecurity.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy
To read more you must become a member of SearchSecurity.com
As an existing member of the TechTarget network please activate your SearchSecurity.com account 
By joining SearchSecurity.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy



restrictions, but analysis of rule violations may also uncover attempts at passing malicious traffic through the device.
4. Denied probes
If you've ever analyzed the log of a firewall that's connected to the Internet, you know that it's futile to investigate probes directed at your network from the Internet. They're far too frequent and often represent dead ends. However, you may not have considered analyzing logs for probes originating from inside the trusted network. These are extremely interesting, as they most likely represent either a compromised internal system seeking to scan Internet hosts or an internal user running a scanning tool – both scenarios that merit attention.

Your firewall audit logs are a veritable goldmine of network security intelligence. Use them to your advantage!

ABOUT THE AUTHOR:

Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.