Learn about the security-relevant characteristics of firewall logs and how they can contribute to improving network security.
- [Instructor] Let's continue talking about capturing data. Firewalls are another rich source of network data. You can generate logs of various firewall activities. Firewalls utilize user-defined rules to decide on what to do with a packet that goes through. Firewall rules are primarily used for three actions: accept, drop, or forward packets. Firewalls usually create a log entry when they detect and drop packets destined to an unexpected host or application.
This log entry contains information on where the packet originated and where it is intended to go. The origin address information is captured by an IP address and a port number found in the header portion of a packet. As you may remember, each internet host has a unique IP address. A port number is associated with an application running on the host. For example, a web server conventionally uses 80 as its port number.
Using a combination of the port number and the IP address, we know what application on which host is sending a packet to the firewall. On the other hand, the destination IP and port specified in a packet header indicate where the packet was heading. Firewalls drop packets when they're going to, or originating from, an unexpected IP and port combination. Take a firewall protecting a dedicated web server.
The firewall will reject any packet whose destination port number is anything other than 80 and record this incident. Firewalls provide a treasure trove of network security information. They allow you to develop useful insights about security threats by recording unauthorized attempts to reach various network resources. This is only possible because the logs store the rejected packets.
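As an added example (not part of the course transcript), here is a small Python parser for constructed iptables-style log lines from the dedicated-web-server firewall described above; it pulls out the source and destination IP/port pairs, counts what was dropped, and flags sources that probed more than one disallowed port. The log prefix names, addresses and field layout are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of Linux iptables kernel logging with a
# LOG prefix; addresses are documentation ranges, not real captures.
SAMPLE_LOG = """\
Mar 3 09:12:01 fw kernel: [WEB-ACCEPT] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50212 DPT=80
Mar 3 09:12:03 fw kernel: [WEB-DROP] IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=41001 DPT=22
Mar 3 09:12:04 fw kernel: [WEB-DROP] IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=41002 DPT=3389
Mar 3 09:12:05 fw kernel: [WEB-DROP] IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=41003 DPT=445
Mar 3 09:12:09 fw kernel: [WEB-ACCEPT] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=50310 DPT=80
Mar 3 09:12:11 fw kernel: [WEB-DROP] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=50311 DPT=8080
"""

# Assumed field layout: [PREFIX] ... SRC= DST= PROTO= SPT= DPT=
LINE_RE = re.compile(
    r"\[(?P<action>[A-Z-]+)\].*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return the origin/destination fields of one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])  # source port: which application on the origin host
    rec["dpt"] = int(rec["dpt"])  # destination port: which application was targeted
    rec["dropped"] = rec["action"].endswith("DROP")
    return rec


def summarize_drops(log_text):
    """Count dropped packets per (source IP, destination port) and list sources
    that were dropped on more than one distinct port, a pattern worth a closer look."""
    per_src_port = Counter()
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["dropped"]:
            continue  # accepted traffic is not what the drop log is about
        per_src_port[(rec["src"], rec["dpt"])] += 1
        ports_by_src[rec["src"]].add(rec["dpt"])
    return {
        "total_dropped": sum(per_src_port.values()),
        "drops_by_src_port": dict(per_src_port),
        "multi_port_sources": sorted(s for s, p in ports_by_src.items() if len(p) > 1),
    }


if __name__ == "__main__":
    print(summarize_drops(SAMPLE_LOG))
```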