[logs] SIM solution - Objectives ? (Firewall logging)
Paul Melson
pmelson at gmail.com
Sun May 27 08:23:46 PDT 2007
On 5/25/07, Ron Gula <rgula at tenablesecurity.com> wrote:
> If your firewall can log authorized traffic (some folks call these
> "ACCEPT" events) then you might have a great audit trail of all network
> connections that rivals what you can get out of netflow or direct
> network session monitoring.
Just to clarify my original post, this is what I was talking about.
Logging 'deny' messages is a good idea, but it's almost secondary in
an investigative context. If evilhost1 sends 50 connections to your
address space, and 2 of those trigger IDS events, it's far more
important to get a list of what connections succeeded (e.g. 'accept'
events) than those that failed, because the successful connections are
likely to be attacks that connected to a running service. That's
where you want to follow up. All of the dropped connections are good
info to have (for fingerprinting the scan/attack), but they shouldn't
get you out of bed at 3am.
> So if you have a SIM and you are only parsing firewall network deny
> events, there is nothing wrong with this from an incident perspective,
> but your firewall might be logging much more than access control list
> violations.
For the above reasons, I would go as far as to say that there IS
something wrong with this approach. After all, you only know what the
IDS detected and the firewall blocked. But if there was a 0-day or
encrypted attack (think HTTPS), you don't have a record of that AND
you may have a system that's been compromised.
Logging 'deny' messages and not 'accept' messages from a firewall is,
in my opinion, a very outdated way of looking at firewall log data.
Firewalls play a part and I would never dismiss them outright, but the
war is over - the bad guys are successfully attacking and connecting
back through firewalls using generally allowed traffic. If you can't
analyze allowed connections, that's a huge blind spot in your security
monitoring.
PaulM
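The triage Paul describes (sort IDS-flagged connections by whether the firewall accepted or denied them), as an added example that is not part of the original post. The log format, addresses and IDS alerts below are constructed for illustration and do not follow any vendor's real syntax.

```python
import re
from collections import Counter

# Constructed sample firewall log in a made-up generic format (not any
# vendor's real syntax): timestamp action src:sport -> dst:dport/proto
FW_LOG = """\
2007-05-25T02:11:01 ACCEPT 203.0.113.7:51001 -> 192.0.2.10:443/tcp
2007-05-25T02:11:02 DENY   203.0.113.7:51002 -> 192.0.2.11:23/tcp
2007-05-25T02:11:02 DENY   203.0.113.7:51003 -> 192.0.2.12:135/tcp
2007-05-25T02:11:03 ACCEPT 203.0.113.7:51004 -> 192.0.2.13:80/tcp
2007-05-25T02:11:04 DENY   203.0.113.7:51005 -> 192.0.2.14:22/tcp
2007-05-25T02:11:05 ACCEPT 198.51.100.4:40000 -> 192.0.2.10:443/tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DENY)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)/(?P<proto>\w+)$"
)

def parse_fw(text):
    """Yield one dict per well-formed line; skip anything unparseable."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def triage(fw_text, ids_alerts):
    """Split IDS alerts by whether the firewall let the connection through.

    ids_alerts: set of (src, dst, dport) tuples reported by the IDS.
    Returns (accepted_alerts, denied_alerts, deny_counts_by_src):
    accepted alerts are the follow-up list; denies only fingerprint the scan.
    """
    accepted, denied, deny_counts = [], [], Counter()
    for ev in parse_fw(fw_text):
        key = (ev["src"], ev["dst"], ev["dport"])
        if ev["action"] == "DENY":
            deny_counts[ev["src"]] += 1
        if key in ids_alerts:
            (accepted if ev["action"] == "ACCEPT" else denied).append(key)
    return accepted, denied, deny_counts

# Constructed: the IDS flagged two of the connections from 203.0.113.7.
IDS_ALERTS = {("203.0.113.7", "192.0.2.10", "443"),
              ("203.0.113.7", "192.0.2.11", "23")}

if __name__ == "__main__":
    acc, den, counts = triage(FW_LOG, IDS_ALERTS)
    print("follow up now:", acc)
    print("scan fingerprint only:", den, dict(counts))
```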