Once you've made it through the challenging phases of firewall selection and architecture design, you're finished setting up a DMZ, right? Your rulebase should remain stable and you'll never have a need to make configuration changes. We can only dream! In the real world of firewall management, we're faced with balancing a continuous stream of change requests and vendor patches against the operational management of our firewalls. Configurations change quickly and often, making it difficult to keep on top of routine maintenance tasks. In this tip, we explore some ways to leverage the logging capabilities of your firewall to help keep things in order.
Let's take a look at four practical areas where some basic log analysis can provide valuable firewall management data:
- Monitor rule activity System administrators tend to be quick on the trigger to ask for new rules, but not quite so eager to let you know when a rule is no longer necessary. Monitoring rule activity can provide some valuable insight to assist you with managing the rulebase. If a rule that was once heavily used suddenly goes quiet, you should investigate whether the rule is still needed. If it's no longer necessary, trim it from your rulebase. Legacy rules have a way of piling up and adding unnecessary complexity. Over the years, I've had a chance to analyze the rulebases of many production firewalls, and I estimate that at least 20% of the average firewall's rulebase is unnecessary. I've seen systems where this ratio is as high as 60%.
- Traffic flows Also monitor logs for abnormal traffic patterns. If servers that normally receive a low volume of traffic are suddenly responsible for a significant portion of traffic passing through the firewall (either in total connections or bytes passed), then you have a situation worthy of further investigation. While "flash crowds" are to be expected in some situations (such as a Web server during a period of unusual interest), they are also often signs of misconfigured systems or attacks in progress.
- Rule violations Looking at traffic denied by your firewall may lead to interesting findings. This is especially true for traffic that originates from inside your network. The most common cause of this activity is a misconfigured system or a user who isn't aware of traffic restrictions, but analysis of rule violations may also uncover attempts at passing malicious traffic through the device.
- Denied probes If you've ever analyzed the log of a firewall that's connected to the Internet, you know that it's futile to investigate probes directed at your network from the Internet. They're far too frequent and often represent dead ends. However, you may not have considered analyzing logs for probes originating from inside the trusted network. These are extremely interesting, as they most likely represent either a compromised internal system seeking to scan Internet hosts or an internal user running a scanning tool – both scenarios that merit attention.
Your firewall audit logs are a veritable goldmine of network security intelligence. Use them to your advantage!
FIREWALL ARCHITECTURE TUTORIAL
How to choose a firewall
Choosing the right firewall topology
Placing systems in a firewall topology
Auditing firewall activity
|Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.|
This was first published in October 2005