What should be monitored in FW log?

[yogi_ccse]

Hey guys (gals too, see folks i never forget gals, i dont know whether our CPUG has gals too:)

What should be monitored in FW logs?
In my view:-
1. denied packets? reasons for them and try to reduce noise
2. port scanning
3. malicous activity (but how to check it in logs)
4. ?
u need to tell me.
thx
Yogi

[RayPesek]

1. Anti-spoofing drops - particularly on the internal interface.

2. Failed logins, including remote access

3. Outbound traffic attempts that should not be there (assumes you have a restrictive outbound policy) - I actually find this one very valuable if the network default route points to the firewall.

4. SmartDefense drops trying to come in on the external interface.

Ray

[BarryStiefel]

Quote:

Originally Posted by yogi_ccse

Hey guys (gals too, see folks i never forget gals, i dont know whether our CPUG has gals too:)

Oh, there are a couple here, but I'm sure they're quietly laughing at us.

"Geeks", says one.

"Dorks", says the other.

[yogi_ccse]

Thanks Dude.
i am expecting some more from point of malicious activities to be monitored.?
is there any tool (Free) which can given such reports:-
1. denied packets.
2. por scanning
3. malicious atempts etc.

we r using fwlogsum but it says for dropped pkts, we also have snare but its in inside nw so cannot send cp logs to it.
thx
Yogi

[Robby Cauwerts]

Quote:

Originally Posted by yogi_ccse

is there any tool (Free) which can given such reports:-
1. denied packets.
2. por scanning
3. malicious atempts etc.
Yogi

Check Point has its Eventia Analyzer that does event correlation.
But there are a lot of other products that do +/- the same thing.
If you just want the reporting/graphs then take a look at Eventia Reporter

[yogi_ccse]

Hi,

Is Eventia reporter free? If not whats is its price? what needs to be done to use it?
Thanks.
Yogi

[chillyjim]

Quote:

Originally Posted by yogi_ccse

Is Eventia reporter free? If not whats is its price? what needs to be done to use it?

CPMP-EVA-5 US$18,000 List

Supports one SmartCenter/CMA and up to five devices

If you are running NGX (R60 or latter) it installs on a server and an object gets created in the SC for it.

It is a really easy product to get up and running. Its even pretty easy to get it doing useful stuff.

[RayPesek]

Sorry, I guess I should have explained these a bit better. My philosophy is that if someone paints a target on your back, they are getting in regardless of what you do. You need to throw enough hurdles in front of them that their activities get noticed and you need to consider what happens if they do not get stopped and they need to get out. Outbound monitoring is very useful in this regard.

"1. Anti-spoofing drops - particularly on the internal interface."

Improper IP's on the wrong interface is either a sign of misconfiguration or trouble. One example I see is someone who left their wireless card on and got associated with an outside wireless access point. We start seeing their WAP-assigned IP on the internal network. A helpful one is that a momentary outage on our WAN, not long enough to trip network monitors, will always show up as an anti-spoof due to the default route opointing to the firewall.

"2. Failed logins, including remote access"

Kind of self-explanatory. We use ICA certificates and I usually find expired certificates before the people call the Help Desk. In one case, a terminated employee's laptop was not collected by HR even though they told us it was.

"3. Outbound traffic attempts that should not be there (assumes you have a restrictive outbound policy) - I actually find this one very valuable if the network default route points to the firewall."

SMTP outbound from a device that's not a mail server. POP3 from people trying to connect to home email accounts. FTP uploads from people that are not permitted to upload. If you do get a compromised computer and it tries to establish outbound connections, this monitoring will show it fast.

It also shows non-company computers on your network trying to establish outbound connections. Skype really lights up the log files if you have a restrictive outbound policy.

"4. SmartDefense drops trying to come in on the external interface."

This one usually doesn't show too much, but the other day it showed an IP in China trying to hit us with a resource starvation attack (MSS = 0) for seven solid hours.

Ray

[RayPesek]

Quote:

Originally Posted by chillyjim

CPMP-EVA-5 US$18,000 List

Supports one SmartCenter/CMA and up to five devices

Jim, I think you accidentally quoted Analyzer, not Reporter. Reporter is a lot cheaper if you have only one gateway you want to monitor, $2,000 list if you have a 500 or less IP license, $5,000 list for unlimited IPs.

http://pricelist.checkpoint.com or http://pricelist.checkpoint.com/US/P...oduct=CPMP-EVR

Ray

[yogi_ccse]

Thanks RayPesek for clarifying both.

I feel checkpoint should give Eventia Reporter as free tool.
as people who want more will neway go for some SIM solution like eventia analyzer/ Cisco CSMARS, NetiQ, Netforensics etc.
Thanks.
Yogi.