It is easy to say that you should log events from your firewalls because doing so provides insight into the status of your firewall, but there are a number of specific and tangible benefits to logging:
• Improves network administration, troubleshooting, and debugging
• Establishes a baseline
• Helps to determine the health of the system
• Provides intrusion detection and incident containment
• Facilitates performing forensic analysis
Improved Network Administration, Troubleshooting, and Debugging
If there is one certainty in firewall administration, it is that sooner or later you will need to determine why traffic that should be permitted by the firewall is not being permitted. There are literally dozens of reasons why the firewall may not be allowing the traffic, and the easiest method of determining which reason is the cause is to put the firewall into a debugging mode and then observe the logged data to identify the error or reason why the firewall is not allowing the traffic to pass. Be aware that debug logging can negatively affect firewall performance.
In addition, logging events from the firewall reduces the time required to identify, troubleshoot, and isolate problems with the firewall. This frees the firewall administrator to perform other administration tasks. In fact, one of the first troubleshooting steps when working with firewalls is to check the firewall logs to determine whether they can provide any insight into the current issue.
Establishing a Baseline
The only effective method of determining what is normal and secure behavior for a firewall is to monitor the firewall events and identify patterns of activity. Doing so will provide a baseline that makes it much easier to identify when situations are occurring that are outside of the scope of normal operations and functionality. For example, it is quite routine and normal for a firewall to block all sorts of traffic. By monitoring the firewall logs, you can develop a baseline of the kinds of traffic that are typically denied. Doing so makes it much easier to notice exceptions to the baseline, which in turn makes it easier to identify situations and circumstances that warrant additional investigation.
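As an added illustration of the baselining idea (this is example code, not from the original text): the Python below profiles a baseline window of constructed ASA-style deny messages by protocol and destination port, then flags ports in a later window of the same length that are new or have spiked. The message format, addresses and the 3x spike threshold are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed, ASA-style "Deny" messages for a baseline window (assumption:
# format and addresses are made up for this example, not from a real device).
BASELINE_LOGS = """\
%ASA-4-106023: Deny tcp src outside:198.51.100.7/51234 dst inside:10.0.0.5/445 by access-group "outside_in"
%ASA-4-106023: Deny tcp src outside:198.51.100.9/40001 dst inside:10.0.0.5/445 by access-group "outside_in"
%ASA-4-106023: Deny tcp src outside:203.0.113.4/2222 dst inside:10.0.0.8/445 by access-group "outside_in"
%ASA-4-106023: Deny tcp src outside:203.0.113.4/2223 dst inside:10.0.0.8/23 by access-group "outside_in"
%ASA-4-106023: Deny tcp src outside:198.51.100.7/51300 dst inside:10.0.0.9/23 by access-group "outside_in"
%ASA-4-106023: Deny udp src outside:198.51.100.7/1434 dst inside:10.0.0.5/1434 by access-group "outside_in"
%ASA-6-302013: Built inbound TCP connection 12 for outside:198.51.100.7/51235 (198.51.100.7/51235) to inside:10.0.0.5/443 (10.0.0.5/443)
"""

# A later window of the same length: familiar SMB denies, one new port, and a UDP spike.
CURRENT_LOGS = """\
%ASA-4-106023: Deny tcp src outside:198.51.100.7/51400 dst inside:10.0.0.5/445 by access-group "outside_in"
%ASA-4-106023: Deny tcp src outside:203.0.113.4/2300 dst inside:10.0.0.8/445 by access-group "outside_in"
%ASA-4-106023: Deny tcp src outside:192.0.2.77/6000 dst inside:10.0.0.5/3389 by access-group "outside_in"
%ASA-4-106023: Deny udp src outside:192.0.2.77/1434 dst inside:10.0.0.5/1434 by access-group "outside_in"
%ASA-4-106023: Deny udp src outside:192.0.2.77/1434 dst inside:10.0.0.6/1434 by access-group "outside_in"
%ASA-4-106023: Deny udp src outside:192.0.2.77/1434 dst inside:10.0.0.7/1434 by access-group "outside_in"
%ASA-4-106023: Deny udp src outside:192.0.2.77/1434 dst inside:10.0.0.8/1434 by access-group "outside_in"
"""

# Matches only the constructed "Deny <proto> src zone:ip/port dst zone:ip/port" shape above.
DENY_RE = re.compile(r"Deny (?P<proto>\w+) src \S+:(?P<src>[\d.]+)/\d+ dst \S+:(?P<dst>[\d.]+)/(?P<dport>\d+)")

def denied_profile(log_text):
    """Count denied flows by (protocol, destination port): the kinds of traffic typically denied."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:  # non-deny messages (e.g. connection built) are ignored
            counts[(m["proto"], int(m["dport"]))] += 1
    return counts

def exceptions_to_baseline(baseline, current, spike_ratio=3.0):
    """Flag (protocol, port) keys that never appeared in the baseline window, or that
    grew to at least spike_ratio times their baseline count (windows of equal length)."""
    flagged = {}
    for key, n in current.items():
        base = baseline.get(key, 0)
        if base == 0:
            flagged[key] = ("new", n)
        elif n >= spike_ratio * base:
            flagged[key] = ("spike", n)
    return flagged
```

Run `exceptions_to_baseline(denied_profile(BASELINE_LOGS), denied_profile(CURRENT_LOGS))` to get the two entries worth a second look: tcp/3389 (never denied before) and udp/1434 (four denies against a baseline of one).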
Determining the Health of the System
In conjunction with establishing a baseline, your firewall logs can also be used to determine the health of the system. By comparing the current logs to the known baseline, it is much easier to identify conditions that may result in negative performance. Doing so enables you to solve the issues that may be leading to the negative impact in a much more proactive fashion.
Intrusion Detection and Incident Containment
One of the most important reasons for monitoring your firewall logs is that the logs can alert you to potential security compromises and security incidents. I am reminded of a news story I read about a company that discovered their proprietary information had been compromised when they found their internal documentation while performing a search of the Internet. When a legal investigation was launched, it was discovered that the firewall logs contained information relating to the security breach. Because no one was routinely monitoring the logs, however, this information went undetected. Had someone been monitoring the logs, the incident might have been preventable.
Forensic Analysis
The odds are that sooner or later you will have to deal with a security incident in your organization. The simple fact of the matter is that it is impossible to prevent every security incident, all the time. When the security incident occurs, one of the most important questions that will be asked is this: what happened? By collecting and archiving your firewall logs, you greatly increase your ability to determine what occurred so that you can begin the process of recovering from the incident.
In addition, this information can be critical evidence in the event that legal action is necessary. To ensure the legal admissibility of your firewall logs, it is critical that your logging system provide a means of demonstrating that the logs have been unaltered and that the data contained in the logs is accurate and adheres to the rules of chain of custody (for more information about the chain of custody, see http://www.cert.org/security-improvement/practices/p048.html). Many enterprise logging products provide this functionality as a standard function of their product. If your product does not do this, you can implement third-party solutions such as FSUM (http://www.slavasoft.com/fsum/) to provide file integrity checking and to ensure that the logs have not been altered (especially if the logs are written to a write once, read many [WORM] drive or similar media). Always review all data evidence policies with your organization's legal department to ensure that the process you are following will be admissible in court.
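The file integrity check described above, as an added example in Python rather than FSUM (not code from the original text): it seals a directory of archived log files into a manifest of digests and later reports any file that was altered or removed. A plain SHA-256 manifest is what a tool like FSUM produces; the keyed HMAC variant goes one step further, so that someone who can rewrite the logs cannot also recompute matching digests without the key held elsewhere. The key, file names and log contents are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

def digest_file(path, key=None, chunk=1 << 16):
    """SHA-256 of a file, or HMAC-SHA-256 when a key is supplied (streamed, so large archives are fine)."""
    h = hashlib.sha256() if key is None else hmac.new(key, digestmod="sha256")
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(log_dir, key=None):
    """Seal every file in log_dir: name -> digest. Keep the result off the log host (e.g. on WORM media)."""
    manifest = {}
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        if os.path.isfile(path):
            manifest[name] = digest_file(path, key)
    return manifest

def verify_manifest(log_dir, manifest, key=None):
    """Return the sorted names of files that were altered or are missing since sealing."""
    problems = []
    for name, expected in manifest.items():
        path = os.path.join(log_dir, name)
        if not os.path.isfile(path) or not hmac.compare_digest(digest_file(path, key), expected):
            problems.append(name)
    return sorted(problems)

def demo():
    """Constructed walk-through: seal two archived logs, then append to one and re-verify."""
    key = b"constructed-demo-key-kept-off-the-log-server"  # assumption: a real key lives elsewhere
    with tempfile.TemporaryDirectory() as log_dir:
        files = {  # constructed log contents, not from a real device
            "fw-day1.log": b"%ASA-4-106023: Deny tcp src outside:198.51.100.7/51234 dst inside:10.0.0.5/445\n",
            "fw-day2.log": b"%ASA-4-106023: Deny tcp src outside:203.0.113.4/2222 dst inside:10.0.0.8/23\n",
        }
        for name, body in files.items():
            with open(os.path.join(log_dir, name), "wb") as f:
                f.write(body)
        manifest = build_manifest(log_dir, key)
        clean = verify_manifest(log_dir, manifest, key)       # nothing changed yet: []
        with open(os.path.join(log_dir, "fw-day2.log"), "ab") as f:
            f.write(b"%ASA-6-302013: Built outbound ... (line inserted after sealing)\n")
        tampered = verify_manifest(log_dir, manifest, key)    # ["fw-day2.log"]
    return clean, tampered
```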