What do you do with your firewall logs?

Most enterprises have firewalls installed at their gateway to the internet. These firewalls are configured with rule-sets that allow or deny data packets entering or leaving the organisation. Firewalls also offer other features such as gateway anti-virus, VPN security and LAN segmentation. One such feature is the 'logging' feature.


Logging in firewalls is underused in many organizations. Installing a firewall is only the first step in securing the internal network. Having installed the firewall, a network administrator has to keep monitoring the firewall logs to find out whether there are any suspicious probes on the enterprise's network, in order to fine-tune the rule-sets. Also, if a malicious intrusion does occur, firewall logs help in identifying the source of the attack. Therefore it is essential to enable the logging feature in the firewall.


Items to be logged / monitored

The following are items of interest while monitoring firewall logs:

  1. Probes on ports on which no applications run. Any such probes may mean that hackers are trying to send in Trojans through these ports.
  2. Source IP addresses whose packets are being dropped.
  3. Unsuccessful login attempts into the firewall device.
  4. Packets with internal IP addresses but coming from outside the network (spoofing of internal IPs).
  5. Modification or disabling of firewall rules, so that it can be checked whether the modifications were authorized.


If any of the above events occur, firewalls can be configured to send out email/SMS alerts or system notifications to the network administrators.
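The five checks listed above, run over a few constructed log lines as an added example (not code from the original article). The key=value log format, the port list and the internal address range are assumptions chosen for the illustration; a real firewall's log format will differ.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log lines in a generic key=value format (not from any real device).
SAMPLE_LOG = """\
2024-03-01T10:00:01 action=drop src=198.51.100.7 dst=203.0.113.10 dport=445 iface=wan
2024-03-01T10:00:02 action=drop src=198.51.100.7 dst=203.0.113.10 dport=1433 iface=wan
2024-03-01T10:00:03 action=allow src=198.51.100.9 dst=203.0.113.10 dport=443 iface=wan
2024-03-01T10:00:04 action=drop src=10.0.0.5 dst=203.0.113.10 dport=80 iface=wan
2024-03-01T10:00:05 event=login result=fail user=admin src=198.51.100.7
2024-03-01T10:00:06 event=rule_change user=alice rule=12 change=disable
"""

SERVICE_PORTS = {80, 443}                           # assumed: ports on which applications run
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed: the internal address range
KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Return the key=value fields of one log line as a dict."""
    return dict(KV.findall(line))

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def analyse(log_text):
    """Apply the five monitoring checks; return findings grouped by category."""
    findings = defaultdict(list)
    drops = Counter()
    for line in log_text.splitlines():
        f = parse(line)
        if f.get("event") == "login" and f.get("result") == "fail":
            findings["failed_login"].append(f["src"])              # check 3
        elif f.get("event") == "rule_change":
            findings["rule_change"].append((f["user"], f["rule"], f["change"]))  # check 5
        elif "dport" in f:
            port = int(f["dport"])
            if f["action"] == "drop":
                drops[f["src"]] += 1                                # check 2
            if port not in SERVICE_PORTS:
                findings["non_service_port_probe"].append((f["src"], port))  # check 1
            if f["iface"] == "wan" and is_internal(f["src"]):
                findings["spoofed_internal"].append(f["src"])       # check 4
    findings["dropped_sources"] = dict(drops)
    return dict(findings)

if __name__ == "__main__":
    for category, items in analyse(SAMPLE_LOG).items():
        print(f"{category}: {items}")
```

Each non-empty category is a candidate for the alerting described above; in practice the drop counter would be thresholded per source before raising an alert.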


Storage Location

Now that we know what we need to log, we also need to know where to store these logs. Best practice from a security point of view is 'not' to store firewall logs on the firewall device itself. If a hacker successfully breaks into the firewall device, the logs stored there can be deleted or altered. Therefore, it is advisable to log to another storage device. A remote secure syslog server can be used for this purpose; manipulating logs on a secure syslog server is difficult for a hacker. Alternatively, the logs may be moved on a periodic basis (say daily) to other storage media.


Log capturing and log monitoring are key aspects of firewall administration. Organisations may consider outsourcing these activities to experts or deploying log analyzers internally. Whatever approach an organization takes, firewalls must be configured to capture logs, and those logs need to be monitored on a daily basis.