RayPesek, 2006-11-19
Re: What should be monitored in FW log?

Sorry, I guess I should have explained these a bit better. My philosophy is that if someone paints a target on your back, they are getting in regardless of what you do. You need to throw enough hurdles in front of them that their activities get noticed and you need to consider what happens if they do not get stopped and they need to get out. Outbound monitoring is very useful in this regard.

"1. Anti-spoofing drops - particularly on the internal interface."

Improper IPs on the wrong interface are either a sign of misconfiguration or trouble. One example I see is someone who left their wireless card on and got associated with an outside wireless access point. We start seeing their WAP-assigned IP on the internal network. A helpful one is that a momentary outage on our WAN, not long enough to trip network monitors, will always show up as an anti-spoof due to the default route pointing to the firewall.

"2. Failed logins, including remote access"

Kind of self-explanatory. We use ICA certificates and I usually find expired certificates before the people call the Help Desk. In one case, a terminated employee's laptop was not collected by HR even though they told us it was.

"3. Outbound traffic attempts that should not be there (assumes you have a restrictive outbound policy) - I actually find this one very valuable if the network default route points to the firewall."

SMTP outbound from a device that's not a mail server. POP3 from people trying to connect to home email accounts. FTP uploads from people that are not permitted to upload. If you do get a compromised computer and it tries to establish outbound connections, this monitoring will show it fast.

It also shows non-company computers on your network trying to establish outbound connections. Skype really lights up the log files if you have a restrictive outbound policy.

"4. SmartDefense drops trying to come in on the external interface."

This one usually doesn't show too much, but the other day it showed an IP in China trying to hit us with a resource starvation attack (MSS = 0) for seven solid hours.

Ray
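The four categories Ray lists, turned into a small triage pass over firewall log lines. This is an added example, not code from the post or from the firewall vendor; the key=value log format, the sample lines, the port list and the failed-login threshold are all constructed for it.

```python
import re
from collections import Counter

# Constructed key=value log format and sample lines for this example; the
# categories are the four from the post, the format is not Check Point's.
SAMPLE_LOG = [
    "action=drop if=internal src=192.168.1.7 dst=10.1.1.1 dport=80 reason=antispoof",
    "action=reject if=external src=203.0.113.9 dst=10.1.1.5 dport=443 reason=auth_fail",
    "action=reject if=external src=203.0.113.9 dst=10.1.1.5 dport=443 reason=auth_fail",
    "action=drop if=internal src=10.1.1.77 dst=198.51.100.2 dport=25 reason=policy",
    "action=drop if=internal src=10.1.1.78 dst=198.51.100.3 dport=110 reason=policy",
    "action=drop if=external src=198.51.100.50 dst=10.1.1.1 dport=80 reason=mss=0",
]

LINE_RE = re.compile(
    r"action=(?P<action>\w+) if=(?P<iface>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) reason=(?P<reason>[\w=]*)"
)
# Outbound services worth a look when a restrictive policy drops them (post's examples).
WATCHED_OUTBOUND = {25: "smtp", 110: "pop3", 21: "ftp"}
FAILED_LOGIN_THRESHOLD = 2  # constructed threshold for reporting repeat failures

def triage(lines):
    out = {"antispoof": [], "failed_login": [], "outbound": [], "smartdefense": []}
    failures = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        f = m.groupdict()
        # 1. Anti-spoofing drop on the internal interface: an address that has
        #    no business there (misconfiguration, rogue WAP client, WAN blip).
        if f["reason"] == "antispoof" and f["iface"] == "internal":
            out["antispoof"].append(f"{f['src']} on {f['iface']}")
        # 2. Failed logins, counted per source so repeats stand out.
        elif f["reason"] == "auth_fail":
            failures[f["src"]] += 1
        # 3. Outbound attempts the policy refused (needs default route via the firewall).
        elif f["action"] == "drop" and f["iface"] == "internal" \
                and int(f["dport"]) in WATCHED_OUTBOUND:
            svc = WATCHED_OUTBOUND[int(f["dport"])]
            out["outbound"].append(f"{svc} from {f['src']} to {f['dst']}")
        # 4. Inspection drops arriving on the external interface (e.g. MSS=0).
        elif f["iface"] == "external" and f["reason"].startswith("mss="):
            out["smartdefense"].append(f"{f['src']} {f['reason']}")
    out["failed_login"] = [f"{ip} x{n}" for ip, n in failures.items()
                           if n >= FAILED_LOGIN_THRESHOLD]
    return out
```

Running `triage(SAMPLE_LOG)` returns one hit per category; the real value comes from feeding it a day's worth of exported log and reading the outbound and anti-spoof lists first.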