Firewalls and network devices are on the front lines of security and their logs contain important information for security professionals. These logs are useful when investigating security incidents, troubleshooting network issues and monitoring for suspicious activity. Learn the importance of collecting and analyzing network device log files.
- [Instructor] Firewalls and network devices are on the front lines of security, and their logs contain important information for security professionals. These logs are useful when investigating security incidents, troubleshooting network issues, and monitoring for suspicious activity. Firewall logs are one of the richest possible sources of information. When configured properly, firewalls create log entries for each and every connection attempted on a network, whether it was allowed or denied.
The log entry contains quite a bit of useful information, including details about the attempted connection, including the source and destination, ports and IP addresses, a time stamp indicating when the connection took place, and the identity of the firewall rule that either authorized or denied the connection. Let's think about some scenarios where these logs might be very useful. First, in the aftermath of a security incident, the logs may show all of the connections attempted on a network.
This likely includes the connections used by the attack's perpetrators and can be useful in identifying the method used to wage the attack, and possibly provide information about the identity of the attacker. Second, if a service experiences connectivity issues, these logs can help determine whether the firewall was the source of those issues. Administrators can search the firewall logs for denied connections involving the problematic system, and see if the service might require additional firewall rules to function properly.
Finally, during routine security monitoring, administrators can analyze firewall logs for anomalous detections that differ from past patterns of activity and require further investigation. Administrators may also want information about network connections that did not traverse the firewall, such as the connections within a data center that's behind a firewall. The most comprehensive source of information would be to conduct full packet capture and record the full content of every packet for future analysis.
However, this approach is not practical, because it requires massive amounts of storage. Instead, administrators often turn to network flow or net flow data. Net flow technology keeps records of network traffic similar to those captured on a telephone bill. Instead of recording the full contents of communications, netflow records some summary details, including the source and destination systems, the source and destination ports, time stamps, and the amount of data transferred in each direction.
Netflow information can be almost as useful as full packet capture while requiring only a tiny fraction of the storage. While netflow traffic doesn't tell administrators the content of the communication between two systems, it does provide information about which systems communicated, when they communicated, and how much data they exchanged. These details are often critical in assessing security incidents. Log analysis is tedious work, but fortunately for us, Security Information and Event Management systems automate the majority of log analysis tasks.
SIEMs compile log records from a wide variety of sources, including firewalls, network devices, servers, and applications, and perform detailed log analysis, identifying possible security issues. SIEM systems also give analysts the ability to comb through many log entries quickly, identifying the records relevant to a security investigation. For example, if an authorized user of a system is suspected of malicious activity, administrators may use the SIEM to pull all records of that user's activity from all systems and analyze those records in one place.
This saves the countless hours of work that would be required to pull logs from every possible system on the network and search those logs for that user's activity. Log analysis is a critical part of network security that facilitates investigations, assists in network troubleshooting, and allows the detection of suspicious activity.
Learn about communication and networking best practices, including TCP/IP networking, network security devices, and secure network design and management. Instructor and cybersecurity expert Mike Chapple also includes coverage of converged protocols, network encryption, and wireless networking. You can find Mike's companion study books for this series at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
- IP addressing
- Switches and routers
- Content distribution networks
- Designing secure networks
- Specialized networking
- Managing secure networks
- Working with virtualized networks like SDNs
- Detecting and preventing network attaches
- Transport encryption
- Wireless networking
- Host security