LogAnalysis
[logs] SIM solution - Objectives ? May 24 2007 05:52AM
saudi sans (saudisans gmail com) (3 replies)
Re: [logs] SIM solution - Objectives ? May 25 2007 08:12AM
Tom Le (dottom gmail com)
Re: [logs] SIM solution - Objectives ? May 24 2007 01:43PM
Paul Melson (pmelson gmail com)
Re: [logs] SIM solution - Objectives ? May 24 2007 12:58PM
Ron Gula (rgula tenablesecurity com) (1 replies)
Re: [logs] SIM solution - Objectives ? May 25 2007 01:29PM
saudi sans (saudisans gmail com) (3 replies)
Re: [logs] SIM solution - Objectives ? May 28 2007 02:33AM
Mordechai T. Abzug (morty frakir org)
RE: [logs] SIM solution - Objectives ? May 25 2007 06:47PM
Tina Bird (tbird precision-guesswork com) (1 replies)
RE: [logs] SIM solution - Objectives ? May 28 2007 01:00AM
Marcus J. Ranum (mjr ranum com) (1 replies)
RE: [logs] SIM solution - Objectives ? May 29 2007 08:02PM
Paul Melson (pmelson gmail com)
Re: [logs] SIM solution - Objectives ? May 25 2007 05:50PM
Paul Melson (pmelson gmail com) (1 replies)
Re: [logs] SIM solution - Objectives ? (Firewall logging) May 25 2007 06:35PM
Ron Gula (rgula tenablesecurity com) (2 replies)
Paul Melson wrote:

> The problem with firewall data is that, generally speaking, no one
> single event is likely to be really important. I find that firewall
> events are far more useful in the context of investigation, like what
> other traffic corresponds to this host that triggered an IDS event,
> and so on.

I wanted to expand on this comment a bit.

I think that most users who parse firewall logs with an IDS or event
mentality want to look for "deny" events which indicate some sort of
failed attempt to go to some port or host. There is nothing wrong with
that approach, but firewalls log a lot more than that.

If your firewall can log authorized traffic (some folks call these
"ACCEPT" events) then you might have a great audit trail of all network
connections that rivals what you can get out of netflow or direct
network session monitoring.

Each firewall technology also has many different "IDS" features that
detect port scans, port sweeps, worm behavior, virus attachments,
certain types of attacks and so on. These features vary from vendor to
vendor. If your SIM can log and normalize these types of events, it is a
very good complement to NIDS events and can sometimes substitute when a
NIDS isn't present or an option.

And lastly, firewall logs could also include rule changes, administrator
logins, creating new admin accounts and so on. When auditing admins and
logging privileged users, most of the attention seems to be focused on
the UNIX and Windows systems and network devices like firewalls are
forgotten.

So if you have a SIM and you are only parsing firewall network deny
events, there is nothing wrong with this from an incident perspective,
but your firewall might be logging much more than access control list
violations.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com

_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis
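The distinction Ron draws above (deny events versus accept events as an audit trail, firewall-side IDS alerts, and administrative events such as logins and rule changes) is easy to lose when a SIM parser only has a pattern for the deny case. The following is an added example written for this archive page; it is not code from Ron Gula, Paul Melson, Tenable, or any firewall vendor. It parses a constructed, generic syslog-style firewall log (an assumed format, since real vendor formats differ and each needs its own patterns), files each line into one of the four categories, and then does the investigative lookup Paul describes: take the host named in an IDS alert and pull every connection that host appears in.

```python
import re
from collections import Counter

# Constructed sample lines in a generic syslog-style firewall format (an
# assumption for this example; real vendor formats differ and need their own
# patterns). They cover the four event kinds discussed in the thread.
SAMPLE_LOGS = """\
May 25 18:35:01 fw1 fw: DENY TCP 203.0.113.7:51234 -> 192.0.2.10:22
May 25 18:35:02 fw1 fw: ACCEPT TCP 192.0.2.10:49212 -> 198.51.100.5:443
May 25 18:35:02 fw1 fw: ACCEPT UDP 192.0.2.10:53211 -> 198.51.100.53:53
May 25 18:35:05 fw1 fw: ACCEPT TCP 192.0.2.11:49300 -> 198.51.100.5:443
May 25 18:35:09 fw1 fw: ALERT portscan from 203.0.113.7 (27 ports in 3s)
May 25 18:36:10 fw1 fw: ADMIN login user=admin from 192.0.2.200
May 25 18:36:30 fw1 fw: ADMIN rule-change id=17 action=permit by=admin
May 25 18:37:00 fw1 fw: DENY TCP 203.0.113.7:51301 -> 192.0.2.10:3389
"""

# Shared syslog prefix: timestamp, reporting host, and the assumed "fw:" tag.
_TS = r"(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) fw: "
# Access-control decisions (both accept and deny), i.e. the connection audit trail.
_ACL = re.compile(_TS + r"(?P<action>ACCEPT|DENY) (?P<proto>TCP|UDP) "
                  r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
# Firewall-side IDS features (port scans, sweeps, and the like).
_IDS = re.compile(_TS + r"ALERT (?P<detail>.+)$")
# Administrative events: logins, rule changes, account changes.
_ADMIN = re.compile(_TS + r"ADMIN (?P<event>\S+) (?P<detail>.+)$")
_IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_line(line):
    """Return a dict describing one event (with a 'category' key), or None."""
    m = _ACL.match(line)
    if m:
        ev = m.groupdict()
        ev["category"] = "accept" if ev["action"] == "ACCEPT" else "deny"
        return ev
    m = _IDS.match(line)
    if m:
        return dict(m.groupdict(), category="ids")
    m = _ADMIN.match(line)
    if m:
        return dict(m.groupdict(), category="admin")
    return None  # unrecognised line: a real parser would count these too


def parse_log(text):
    """Parse a whole log text, dropping blank and unrecognised lines."""
    events = (parse_line(line) for line in text.splitlines() if line.strip())
    return [ev for ev in events if ev is not None]


def category_counts(events):
    """How much of the log is deny versus accept versus IDS versus admin."""
    return Counter(ev["category"] for ev in events)


def traffic_for(events, ip, actions=("ACCEPT", "DENY")):
    """Audit trail for one host: every ACL event in which it is source or destination."""
    return [ev for ev in events
            if ev["category"] in ("accept", "deny")
            and ev["action"] in actions
            and ip in (ev["src"], ev["dst"])]


def admin_events(events):
    """Privileged-user activity on the firewall itself."""
    return [ev for ev in events if ev["category"] == "admin"]


def investigate_alerts(events):
    """For each IDS alert, pull the connection history of the host it names."""
    context = {}
    for ev in events:
        if ev["category"] != "ids":
            continue
        for ip in _IPV4.findall(ev["detail"]):
            context.setdefault(ip, traffic_for(events, ip))
    return context


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOGS)
    print("event mix:", dict(category_counts(evs)))
    for ip, trail in investigate_alerts(evs).items():
        print(f"alert host {ip}: {len(trail)} ACL events")
        for ev in trail:
            print("   ", ev["ts"], ev["action"], ev["src"], "->", ev["dst"], ev["dport"])
    for ev in admin_events(evs):
        print("admin:", ev["ts"], ev["event"], ev["detail"])
```

The point of `category_counts` is the quick sanity check Ron suggests: if a SIM's view of the firewall is all deny events, either the device is not logging accepts and admin activity or the parser is silently discarding them. `traffic_for` with `actions=("ACCEPT",)` gives the netflow-like picture of what a host actually connected to, which is the context Paul wants when an IDS event fires.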

Re: [logs] SIM solution - Objectives ? (Firewall logging) May 27 2007 03:23PM
Paul Melson (pmelson gmail com) (2 replies)
Re: [logs] SIM solution - Objectives ? (Firewall logging) May 29 2007 03:43PM
Dave Ellingsberg (Dave Ellingsberg csu mnscu edu) (1 replies)
RE: [logs] SIM solution - Objectives ? (Firewall logging) May 30 2007 01:31PM
Paul Melson (pmelson gmail com)
Re: [logs] SIM solution - Objectives ? (Firewall logging) May 27 2007 09:02PM
Marcus J. Ranum (mjr ranum com) (3 replies)
RE: [logs] SIM solution - Objectives ? (Firewall logging) May 29 2007 07:20PM
Eric Fitzgerald (Eric Fitzgerald microsoft com)
Re: [logs] SIM solution - Objectives ? (Firewall logging) May 29 2007 05:17PM
Chris Brenton (cbrenton chrisbrenton org) (1 replies)
Re: [logs] SIM solution - Objectives ? (Firewall logging) May 29 2007 08:53PM
Marcus J. Ranum (mjr ranum com)
[logs] SIM solution - Objectives ? (Firewall logging) May 28 2007 05:59PM
Fenwick, Wynn (wynn fenwick cgi com) (2 replies)
RE: [logs] SIM solution - Objectives ? (Firewall logging) May 29 2007 07:07PM
Paul Melson (pmelson gmail com) (1 replies)
RE: [logs] SIM solution - Objectives ? (Firewall logging) May 30 2007 03:40PM
Fenwick, Wynn (wynn fenwick cgi com) (1 replies)
RE: [logs] SIM solution - Objectives ? (Firewall logging) May 30 2007 09:25PM
Paul Melson (pmelson gmail com) (1 replies)
RE: [logs] SIM solution - Objectives ? (Firewall logging) May 31 2007 07:42PM
Fenwick, Wynn (wynn fenwick cgi com)
[logs] Log Analysis -- Best Practice May 29 2007 06:13AM
harshad mengle wipro com (1 replies)
Re: [logs] Log Analysis -- Best Practice May 30 2007 12:24AM
Ron Gula (rgula tenablesecurity com)
Re: [logs] SIM solution - Objectives ? (Firewall logging) May 25 2007 07:22PM
Jimmy Alderson (jimmy alderson gmail com)