|
| |||
READABLE LOG FILES AID SECURITY Every security device on your network provides some type of logging capability. Human interpretation of these log files is necessary to ensure your network's security. Although going through router and firewall log files is extremely boring, you can garner valuable information. To find that information, you need a plan, the right tool, and a generous helping of patience. SYSTEMATIC LOGGING It's essential to develop a plan that outlines where you'll store log files and who will review them. Secure, centralized log file storage is inexpensive and well worth the small investment. If a device is compromised and its log files altered or deleted, then remotely stored logs provide the only clues to prevent future hacks. At least two people should review all log files. If the only person responsible for reading the log files is also abusing your network, you'll never know unless someone else is also reading the log files. Follow these rules about logging: * Always log failed attempts. It can take minutes or weeks to finally be informed that someone can't access a Web page, document, or application. Don't wait for the call from the help desk; log failed attempts and investigate promptly. * Log all system changes. This includes changes in permissions, rules, filters, etc. This provides both quality control and a security mechanism to track changes to the operational characteristics of network devices. These log file entries should match your system change documentation. * Log all
communications from a new server or new application. This is your method
for verifying that the application or server is secure and functioning
properly. Logging new server/app communications also establishes a
communications baseline for this addition to your network. Reduce logging
when you're satisfied that there aren't any security leaks or
access * Immediately investigate abnormalities. Denials of service and failed attempts to access devices on your network are a security administrator's top priority. Prioritize events and responses, and develop an appropriate reaction to each event level. READABLE LOGS Readability is intrinsic to effectively using log files: If you can't decipher the log file, logging is a waste of time. Most security devices do an exceptional job of logging, but they do a less-than-stellar job of couching that information in a readable interface. Symantec is one of these; the company makes an excellent firewall but doesn't provide a good interface in which to read the log files. I recently rediscovered how important it is to have a practical interface to your security information. A client's network was experiencing a number of continuously failed outbound attempts and repeated intrusion attempts from a variety of IP addresses. While trying to make sense of the logs generated by the organization's Symantec Enterprise Firewall, I looked at several tools designed to read Symantec log files, including Webtrend's Firewall Suite from NetIQ and Log Sage. Firewall Suite failed to provide a quick and easy method for managing in-depth information in a timely and useful manner, but Log Sage quickly processed the firewall security log and displayed the information in a useful and insightful interface. Using a third-party tool to decipher the firewall's log files, my clien and I discovered that the multiple intrusion attempts were coming from the same subnet and quickly solved the problem with a few lines in a router access list. We also discovered a server application that was filling the network with broadcasting information. After we stopped that service, network performance improved dramatically. THE LAST WORD Logging traffic isn't as important as being able to decipher the logged events and act on that information. When looking for third-party applications to interpret your logs, elaborate management reporting capability should take a backseat to usability and functionality at the administrator level. Also, consider using several tools to correlate and decode different log files. The information you need to correct or resolve security-related issues is usually in the log files--it's just a matter of digging it out. | ||||