August 09, 2004

Ten Things to Look for in Firewall Logs

I've been working on a list of the top ten data points to look for in Firewall logs. This is a work in progress. I'm not sure if I've got all the right events listed here or if the order is right.

#1 - Authentication Allowed (user from outside allowed in)

I ranked this event highly since this is the case where someone from the outside has been allowed in. I think these are most important as someone is now inside the Firewall. These sessions should always be audited to make sure that access was legitimate.

#2 - Traffic dropped (from outside addressed to Firewall)

Traffic addressed to the Firewall is a potential problem if someone on the outside can isolate the Firewall's address. If these are just scans of address ranges that happen to include the Firewall, they can be ignored.

#3 - Firewall Start / Restart

Another event that needs to be explained whenever it happens. A Firewall start isn't as important as a restart. A Firewall restart is an opportunity to discover important version information and for a new configuration to load.

#4 - Firewall Configuration changed

These events should always be audited and correlated with a change control record.

#5 - Interface up/down

Interface up or down defines when the Firewall may have stopped working. At best this is an inconvenience to users behind the Firewall. At worst this is a sign of unstable Firewall software, the exploitation of a flaw that would signal the start of an attack, or worse.

#6 - Admin Access Granted

Someone has their hand in your cookie jar. Do you know who, and what they were up to?

#7 - Connection was torn down

When a connection between a host on the inside and one on the outside of the Firewall is torn down, the logs can reflect how long that connection lasted and how much information was transferred.

#8 - Authentication Failed (user from outside)

Someone just tried to get through the Firewall and the connection was not allowed. In order to even attempt to authenticate, this outside user needed to know the protected IP address and port. Where did this attempt come from? Am I seeing multiple attempts from the same address?

#9 - Traffic Dropped (from outside not addressed to Firewall)

#10 - Admin Session Ended
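As an added illustration (not part of the original post), here is a small Python triage script that tags constructed sample log lines with the ten event types above and sorts them in the post's priority order. The key=value log format, the firewall address 203.0.113.1 and the 10.x inside range are assumptions, not anything from a real product.

```python
import re
# Priority order taken from the post's ranking: lower number = look at it first.
PRIORITY = {
    "auth_allowed_outside": 1, "drop_to_firewall": 2, "firewall_restart": 3,
    "config_changed": 4, "interface_up_down": 5, "admin_access_granted": 6,
    "connection_teardown": 7, "auth_failed_outside": 8,
    "drop_not_to_firewall": 9, "admin_session_ended": 10,
}
FIREWALL_IP = "203.0.113.1"        # assumed outside address of the firewall (placeholder)
INSIDE_NET = re.compile(r"^10\.")  # assumed internal address space (placeholder)
EVENT_MAP = {                      # events whose category does not depend on direction
    "restart": "firewall_restart", "config-change": "config_changed",
    "link-up": "interface_up_down", "link-down": "interface_up_down",
    "admin-login": "admin_access_granted", "teardown": "connection_teardown",
    "admin-logout": "admin_session_ended",
}

# Constructed sample lines in a made-up key=value format, not from any real product.
SAMPLE_LOG = """\
event=auth-ok user=bob src=198.51.100.7 dst=10.0.0.5
event=drop src=198.51.100.9 dst=203.0.113.1 dport=22
event=drop src=198.51.100.9 dst=10.0.0.8 dport=445
event=restart version=7.0.4
event=config-change admin=alice
event=link-down iface=eth0
event=admin-login admin=alice src=10.0.0.2
event=teardown src=10.0.0.5 dst=198.51.100.7 duration=3600 bytes=52428800
event=auth-fail user=mallory src=198.51.100.9 dst=10.0.0.5
event=admin-logout admin=alice
"""

def parse(line):
    """Split 'k=v k=v ...' into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def classify(fields):
    """Map one parsed record to one of the ten categories, or None if it is not on the list."""
    ev, src = fields.get("event"), fields.get("src", "")
    from_outside = bool(src) and not INSIDE_NET.match(src)
    if ev in ("auth-ok", "auth-fail") and from_outside:
        return "auth_allowed_outside" if ev == "auth-ok" else "auth_failed_outside"
    if ev == "drop" and from_outside:
        return "drop_to_firewall" if fields.get("dst") == FIREWALL_IP else "drop_not_to_firewall"
    return EVENT_MAP.get(ev)

def triage(log_text):
    """Return (priority, category, line) tuples for listed events, most important first."""
    cats = [(classify(parse(l)), l) for l in log_text.splitlines() if l.strip()]
    return sorted((PRIORITY[c], c, l) for c, l in cats if c)
```

Running `triage(SAMPLE_LOG)` puts the outside login first and the admin logout last, so a reviewer reads the log in the order the list recommends.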
