A manager's guide to firewall logs

Few IT managers bother to review firewall logs to stay informed about the security of their networks. They should.

Windows networks are a constant target of probing and intrusion attempts by hackers and crackers. But, while managers can regularly review firewall logs to stay informed about the state of a network, they seldom do.

In the best possible case, a weekly or monthly review of firewall logs could ensure that your network is secure by heading off security breaches, slowdowns in browser speed and diminished network performance. The review can expose repeated attempts to crack your network, reveal internal systems that are infected with malware and help you identify misconfigured or infected systems in companies with which you have a business relationship.

What you can learn from a firewall log depends on the types of activity the software or device monitors. When selecting a firewall, consider one that provides comprehensive monitoring of inbound and outbound connections and intrusion attempts. When you configure the size of the firewall's log files, make them large enough to hold several weeks' worth of data; a log with only two days of tracking information does not provide enough data for a proactive response to potential security issues.

Pay attention to repeat offenders

Recent studies show that a system newly connected to the Internet will be probed for vulnerabilities within 10 minutes of being connected. Your firewall is no exception. All registered addresses undergo constant port scanning, on average every 20 minutes. You'll see endless attempts to connect to a single port and frequent attempts to connect to a group of ports. Most firewalls block port scanning attempts by default. Some allow you to lock out a specific address for a fixed period of time after a potential intruder scans more than 10 or 15 ports in sequence.

Port scans initiated from a variety of addresses are not a cause for alarm. But when you see the same address attempting sequential port scans over a period of weeks or months, you may want to verify the source address via a packet sniffer to make sure it's not spoofed and investigate the employee, contractor or business to whom the address is registered.

Watch for malware on internal systems

Downloaded Trojans, worms and spyware sneak onto desktop systems in spite of our best efforts to stop them. Some desktop malware will hammer the firewall with packets in an attempt to annoy, explore or propagate. (I remember one recent combination of HTTP on port 80 and Echo on port 7.) When you see inappropriate connection attempts to the firewall from a system on the internal network, investigate that machine immediately to confirm whether or not malware has been installed and, if so, take steps to remedy the situation.

Misconfigured partner systems make waste of your space

Many companies have business relationships that require server-server or server-client communication with third parties. One of my clients has an independent contractor that uses an outside agency for public relations. After this contractor installed the agency's software, the firewall was bombarded with illegal authentication requests from the agency's server -- 15 to 25 connection attempts every 20 minutes all day long. There are at least two explanations for this behavior: a misconfigured server or an infected one. In either case, the problem needs to be corrected because logging these blocked attempts needlessly consumes log file space and bandwidth that is better used for legitimate business activity.

Denial of service attacks

A firewall typically records hundreds or even thousands of blocked connections on a daily basis. If the firewall blocks all incoming traffic except the ports that you specifically enable, such attempts to penetrate your network are annoying but relatively harmless. Malicious users run software that generates connection attempts to a registered address every hundred milliseconds over an extended period of time. This produces a "lite" version of the better-known denial of service (DoS) attack. This type of probing can intermittently slow down Internet access, especially on links that are at or near capacity. Log records of blocking activity can confirm that you are or were the target of a "lite" or head-on DoS attack.
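The four patterns described in the sections above (an address that returns to scan your ports week after week, an internal host hammering the firewall, a partner server's steady drip of blocked attempts every 20 minutes, and a flood of attempts arriving a fraction of a second apart) can all be pulled out of an exported log with a short script. The Python below is an added example written for this page; it is not code from the article or from any firewall product. The line format is a constructed, generic "timestamp action key=value" layout that you would adapt to your own firewall's export, and the addresses (documentation ranges), ports and thresholds are assumptions chosen to make each pattern visible.

```python
"""Triage of blocked connections in an exported firewall log (added example).

Not code from the article or any firewall vendor. The log line layout,
addresses, ports and thresholds are constructed assumptions.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed line layout: "<iso-timestamp> BLOCK src=... dst=... proto=... dport=... dir=in|out"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>BLOCK|ALLOW) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) dir=(?P<dir>in|out)$"
)
EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def blocked_records(lines):
    """Keep only parseable lines whose action was BLOCK."""
    recs = (parse_line(ln) for ln in lines)
    return [r for r in recs if r is not None and r["action"] == "BLOCK"]


def find_repeat_scanners(records, min_ports=10, min_days=2):
    """Inbound sources that probed many distinct ports on several distinct days.
    A one-off scan is noise; the same address returning across days is the repeat offender."""
    ports, days = defaultdict(set), defaultdict(set)
    for r in records:
        if r["dir"] == "in":
            ports[r["src"]].add(r["dport"])
            days[r["src"]].add(r["ts"].date())
    return sorted(s for s in ports
                  if len(ports[s]) >= min_ports and len(days[s]) >= min_days)


def find_internal_offenders(records, internal_nets):
    """Blocked attempts per source inside your own address space: malware candidates."""
    nets = [ip_network(n) for n in internal_nets]
    counts = defaultdict(int)
    for r in records:
        if any(ip_address(r["src"]) in n for n in nets):
            counts[r["src"]] += 1
    return dict(counts)


def find_periodic_sources(records, window=1200, min_per_window=15, min_windows=3):
    """Sources exceeding min_per_window attempts in at least min_windows 20-minute
    windows: the steady drip of a misconfigured or infected partner server."""
    per_window = defaultdict(lambda: defaultdict(int))
    for r in records:
        bucket = int((r["ts"] - EPOCH).total_seconds()) // window
        per_window[r["src"]][bucket] += 1
    result = {}
    for src, buckets in per_window.items():
        busy = sum(1 for n in buckets.values() if n >= min_per_window)
        if busy >= min_windows:
            result[src] = busy
    return result


def find_floods(records, max_median_gap=0.5, min_attempts=20):
    """Sources whose attempts arrive sub-second apart (the 'lite' DoS pattern).
    Maps each flagged source to its median inter-arrival gap in seconds."""
    times = defaultdict(list)
    for r in records:
        times[r["src"]].append(r["ts"])
    floods = {}
    for src, ts in times.items():
        if len(ts) < min_attempts:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        median = statistics.median(gaps)
        if median <= max_median_gap:
            floods[src] = median
    return floods


def triage(lines, internal_nets):
    """Run all four checks over raw log lines and return their findings."""
    recs = blocked_records(lines)
    return {
        "repeat_scanners": find_repeat_scanners(recs),
        "internal_offenders": find_internal_offenders(recs, internal_nets),
        "periodic_sources": find_periodic_sources(recs),
        "floods": find_floods(recs),
    }


def build_sample_log():
    """Constructed log lines (documentation address ranges) showing each pattern."""
    def line(ts, src, dport, direction="in"):
        return (f"{ts.isoformat()} BLOCK src={src} dst=198.51.100.10 "
                f"proto=tcp dport={dport} dir={direction}")
    lines = []
    # Repeat scanner: the same 16 sequential ports, one week apart.
    for day in (datetime(2024, 3, 4, 9), datetime(2024, 3, 11, 9)):
        lines += [line(day + timedelta(seconds=i), "203.0.113.7", 20 + i) for i in range(16)]
    # One-off scanner from another address: variety, not a repeat offender.
    lines += [line(datetime(2024, 3, 5, 3) + timedelta(seconds=i), "198.51.100.200", 20 + i)
              for i in range(16)]
    # Internal desktop hammering outbound on HTTP (80) and Echo (7).
    for i in range(3):
        t = datetime(2024, 3, 4, 11) + timedelta(minutes=i)
        lines += [line(t, "10.0.0.42", 80, "out"), line(t, "10.0.0.42", 7, "out")]
    # Partner server: 18 attempts in each of four consecutive 20-minute windows.
    for w in range(4):
        start = datetime(2024, 3, 4, 10) + timedelta(minutes=20 * w)
        lines += [line(start + timedelta(minutes=i), "192.0.2.50", 389) for i in range(18)]
    # Flood: 30 attempts against one port, 100 ms apart.
    lines += [line(datetime(2024, 3, 4, 12) + timedelta(milliseconds=100 * i), "198.51.100.77", 443)
              for i in range(30)]
    return lines


if __name__ == "__main__":
    for name, hits in triage(build_sample_log(), ["10.0.0.0/8"]).items():
        print(f"{name}: {hits}")
```

The thresholds mirror the figures in the text (10 or more ports, 15 or more attempts per 20-minute window, sub-second spacing) but are parameters, so they can be tuned to a site's baseline; the scanner check deliberately requires the address to recur on separate days, which is what separates a repeat offender from the background noise the article says is not a cause for alarm.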

There are several sites on the Internet that monitor the real-time status of cyber threats. One recognized authority is the Internet Storm Center at isc.sans.org. This page displays a global map of cyber statistics created from an analysis of firewall logs around the world -- the database typically contains 36 million records on a daily basis and 240 million weekly records. To compare your network's data with the real-time status of networks in your region, drill down to country-specific statistics by clicking on a country on ISC's map. A color version of this map is available on the home page at www.dshield.org, an attack correlation engine with worldwide coverage.

If you review firewall logs on a regular basis, you may discover any of the problems mentioned above, or you may uncover other anomalies that interfere with network operation or performance. In addition to staying on top of cyber threats, you may be able to use the data in your firewall logs to successfully argue for an increase in your security budget.

Paula Sharick is a consultant and technical columnist who specializes in Windows configuration, support and security.
