Firewall Logs - Part Two

Product Manager

In Part One of this series, I dove into the issue of security and compliance. In case you don't remember, I'm reviewing this wonderful webcast series to stress the importance of the information presented in each. This week, I'm focusing on the firewall logs webcast.

I chose the Firewall Logs webcast for this week because it is a known and very useful way to prevent attacks. Now, my takeaway from this session is that SIEMs are a fantastic way to normalize the logs from your firewall and from the rest of your infrastructure. You guys don't need me to preach on that, I know. However, I feel that when you also use health and performance monitoring and network configuration management tools, you really have a better solution all the way around.

Everyone (I think) knows that I'm not one to tell you to buy just SolarWinds products! So please do NOT take this that way. I will preach about having some type of SIEM, network performance monitor (NPM), patch manager (PaM), and a solid network configuration change management (NCM) tool within your environment. Let me give you some information to go along with this webcast on how I would personally tie these together.

  1. Knowing the health of your infrastructure allows you to see anomalies. When this session was discussing mean time to detection, I couldn't help but think about a performance monitor. You have to know what normal is and have a clear baseline before an attack.
  2. Think about the ACLs along with your VLANs and the allowed traffic on your network devices. NCM's real-time change notification helps you track whether any outside changes are being made and shows you exactly what was changed. Combined with the approval system, it lets you spot unapproved access and stop it in its tracks, because those are not approved network config changes. This is a huge win for security. When you also add in the compliance reports and scheduled email send-outs, you are able to verify your ACLs and access against patterns you customize to your company's needs. This is vital for documentation, and also for validation if you have any type of change request ticketing.
  3. We all know we need to be more compliant and patch our stuff! Not only to be aware of vulnerabilities, but also to protect our vested interests in our environment.
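To make point 1 concrete, here is an added example (not from the post or the webcast) of a baseline applied to firewall deny logs: it counts denies per source address in the current hour and flags any source whose count exceeds its own historical mean plus three standard deviations. The ASA-style log lines, the baseline numbers and the thresholds are all constructed for illustration and are assumptions, not output from any real device.

```python
import re
import statistics
from collections import Counter

# Simplified Cisco ASA-style "Deny" message (106023); captures protocol, source and destination.
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed baseline: denies per hour seen from each source over the previous seven days.
# In a real deployment these numbers would come from the SIEM's historical queries.
BASELINE = {
    "203.0.113.7": [2, 3, 1, 2, 4, 2, 3],
    "198.51.100.9": [0, 1, 0, 0, 1, 0, 0],
}

def deny_line(src, dport):
    """Build one constructed ASA-style deny line for the sample window."""
    return (f"Mar 01 09:00:01 fw1 %ASA-4-106023: Deny tcp src outside:{src}/51000 "
            f"dst inside:10.0.0.5/{dport} by access-group \"outside_in\"")

# Constructed log lines for the current hour: one source sweeping many ports, one normal
# source, and one non-deny message that the parser must ignore.
CURRENT_HOUR_LOGS = [deny_line("203.0.113.7", p)
                     for p in (21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080, 8443)]
CURRENT_HOUR_LOGS += [deny_line("198.51.100.9", 443),
                      "Mar 01 09:05:00 fw1 %ASA-6-302013: Built inbound TCP connection 12345"]

def count_denies(lines):
    """Count deny messages per source IP; lines that are not deny messages are skipped."""
    counts = Counter()
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            counts[m["src"]] += 1
    return counts

def threshold(history, k=3.0, floor=5):
    """Upper bound of 'normal': mean + k standard deviations, never below a small floor
    so that a source with a near-empty history is not flagged on a couple of denies."""
    if len(history) < 2:
        return floor
    return max(floor, statistics.mean(history) + k * statistics.pstdev(history))

def find_anomalies(lines, baseline, k=3.0, floor=5):
    """Return {src: (count, limit)} for sources whose deny count exceeds their baseline.
    A source with no history at all is compared against the floor."""
    flagged = {}
    for src, n in count_denies(lines).items():
        limit = threshold(baseline.get(src, []), k, floor)
        if n > limit:
            flagged[src] = (n, round(limit, 2))
    return flagged
```

Running `find_anomalies(CURRENT_HOUR_LOGS, BASELINE)` flags only 203.0.113.7 (12 denies against a limit of about 5.14), which is the kind of deviation from normal that shortens mean time to detection.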

Okay, so the stage is set, and I hope you see why you need more than just a great SIEM like LEM to back, plan, and implement any security policies you may need. This webcast brings up great points to think about on how to secure and think about those firewalls. IMHO, if you have LEM, Jamie's demo should help you strengthen your installation. The way he presents it also helps you strengthen or validate any SIEM you may currently have in place.

I hope you guys are enjoying this series as much as I am. I think we should all at least listen to security ideas to help us strengthen our knowledge and skill sets. Trust me, I'm no expert or I would abolish these attacks, lol! What I am is a passionate security IT person who wants to engage different IT silos to have a simple conversation about security.

Thanks for your valuable time! Let me know what you think by posting a comment below, and remember to follow me @Dez_Sayz!

16 Comments

All right, I'll bite on the obvious bait and respectfully offer a nit-picking event: It sounds as if you're saying "firewall logs are a known and very useful way to prevent attacks."

It's not exactly what you wrote.  But it's an impression I received from reading what you wrote.

Of course, having firewall logs and analyzing them IS a great way to understand what attacks have already happened.  And they're a great way to understand changes that have already occurred on a firewall--which may reduce or improve your security, or change it in some way.

But can they prevent attacks?  Hmmm.  Not unless your potential attackers know you're watching those logs in real time and are going to react powerfully when you see something happening that you don't like.  Powerfully enough to impact the potential attacker enough so they're dissuaded from attacking you.  This is where I crossed the line, where my nit picking went to an extreme.

There I've gone and taken things a little out of your context, put words in your mouth that you didn't offer us.  My apologies.

I love on-board firewall logs--especially on Sidewinder (now ForcePoint) firewalls.  There are great Unix queries to run against them both historically and in real time that show exactly what happened previously, or what IS HAPPENING in real time.  Still, logs are a reactionary tool, not a preventative one, in my humble opinion.

I have great appreciation for SIEM tools that can analyze complex and compound and multiple flows more efficiently than I could at a Unix CLI.  And when that SIEM can offer sophisticated analyses that tell me about MANY things that are happening, and that offer advice about their severity and what to do about them, well, NOW you're TALKIN' serious power and value!

Better still, logs can help everyone understand the situation, the history, can show compliance, and are the best forensic source of information a SIEM can use for finding and fixing issues caused by malware and mal-people.

But can they prevent attacks?  I don't know . .  .  Tell me they can--I'm all ears.  Or "eyes" in this case of reading.

Did I miss your mark, Dez?  I hope not by too much.

Product Manager

Hero!!  rschroeder, I'm so glad you commented.  You are absolutely correct in your comment and thinking!  Hence why I offered baselines and more ways to verify security needs other than monitoring logs.  You seriously get me and my questioning 100%, and I greatly appreciate your spot-on commentary and security knowledge of word play!

To answer your question, no.  The prevention of these attacks takes a proactive real-time approach and a lot of due diligence.  However, you WILL possibly reduce your mean time to detection by being aware of normal and understanding anomalies.

Thank you for starting this conversation.

~Dez~

Level 20

The newer Cisco -X ASA firewalls which have IPDS built in can report back to Cisco FireSIGHT and act on current events by doing things such as blocking traffic, even silently dropping and reporting on the traffic.  It can shut down ports that systems are on that are sources of nefarious traffic.  It's a little bit of an art to configure properly though.  Also, the newer ISR routers from Cisco which we use on all of our WAN sites at the edge of our MPLS network also contain the FirePOWER modules which act as IPDS at each WAN site and also report back to Cisco FireSIGHT.  The logs from basically everything here (network, servers, security devices) all report back to Splunk, which is our log consolidation master SIEM.  I do have some of the intelligence from Splunk sending important syslog to NPM as well.  We generate too much unfiltered log data for LEM to handle.  We are required to save unfiltered log data for extended periods of time... in some cases years.  We also use NCM for compliance and config management.

I do love how you lay it out though Dez!  Always interesting to hear your perspective on things... and now I know you're as hyper as I am sometimes too!  (Really it's just being passionate about what we do)

We have done this exact thing with FireSIGHT and ASA-X models.  But, as with all things networking, if you're not 100% certain of what is going to happen when you enable a policy in FireSIGHT, the ASA-X's can shut down important traffic that you may never have anticipated would be affected.  I believe it's not enough to follow logical and intuitive flows to teach yourself how to use FirePOWER and FireSIGHT--professional training should be purchased before moving forward with this solution, to ensure your new protection doesn't cause inadvertent problems to your users.

Like you, our environment sends more information to SIEM than LEM can handle, and we had to increase our Splunk size to handle it all.

Level 21

I think you make great points here; it really comes down to needing a holistic and well-rounded approach, not a single tool or single-angled approach.

SIEM solutions are often postured as security solutions, but another benefit that I found that often doesn't get mentioned is the operational value.  For example, as a result of having a SIEM in place that helps with firewall log evaluation, I have been able to identify several operational configuration issues that needed to be addressed and get those forwarded over to my network team.

MVP

SIEM tools are good, and usually are at best near time and are usually after the fact.

Several other tools take in data feeds from all sources, learn what is normal, and then are able to react to abnormalities....

Product Manager

I am a fan of Splunk!

~Dez~

Product Manager

Web filtering is also a great way to try and block ransomware.  However, if we are not addressing user education, then as soon as a device leaves, it's not protected.  Security as a business forethought should include security tips and advice for away-from-work technology use.  No one wants to be the person that brings the attack back to work, but they honestly don't know how to protect themselves outside of all of the wonderful work you guys are doing to protect your infrastructure.  The struggle is real!

~Dez~

MVP

Splunk is a great tool in that it accepts data from many sources and does log files very well.  The opportunities arise when you want to get the queried results out into some other tool... it doesn't share well with others.

MVP

I was once told (actually by a vendor) that the best tools are the ones that you use. The best monitoring in the world is no good if no one looks at it. Alerts are useless if they just get deleted.

We have a lot of tools here, most of which are unused or underused. The team is tired of hearing me remind them that they can do this and that with SolarWinds, but I'm going to keep repeating it until they all get on board and begin to use the tools rather than just know we have them.

MVP

Nice

It's one thing to have a decent firewall that logs traffic and activity (good or bad); it is another to have a SIEM solution which is in lockstep with your environment.  The issue I see more often than not is the organization not resourcing the SIEM team enough to review the logs, review the policies, and ensure all the patching is being done adequately.  If there is no continual development on the SIEM solution, then is it really doing the job it was deployed for?

Level 13

Wait a minute! I am too busy reviewing my logs to comment.

MVP

Point 1 is so important, but so often neglected. We get so busy with the "just make it work" attitudes and workloads that we forget that if we baseline, we can more easily find anomalies and even "predict the future." (Of course a lot of that is built into our SolarWinds tools, but just sayin')

We are organizing our perimeter now. I am currently dealing with 3 different models of firewalls: CheckPoint, Cisco ASA, Fortinet FortiGates. They are all in various stages of neglect (SolarWinds couldn't have picked a worse time to drop FSM). We have LEM running and I am just itching to start sending firewall logs to it. Much of what you wrote, Dez, is in our game plan.

About the Author
I started in networking and security around 2002 by taking Cisco Certified Network Associate and Security+ courses from Central Vo-tech. This is where I fell in love with technology in general. From there I ventured out to internships and started using the Engineer's Toolset from SolarWinds, which made me wonder about software. The company I was with purchased Cirrus, which is now Network Configuration Manager (NCM), and I was officially hooked. I searched out SolarWinds and, well, you guessed it, I started working for them, and believe it or not, in sales. That was the only position open, but I knew I wanted to be here. So I quickly worked my way into the support side and became the first Sales Engineer and then the first Applications Engineer. Since I am a very curious person, I have since, in my 9 years of being at SolarWinds, decided to pursue more education. Security has always been a fascination of mine, so I started taking classes on the NSA's INFOSEC Assessment Methodology (IAM) and INFOSEC Evaluation Methodology (IEM). Then I went and took the CIW Masters for web development and ventured into databases: MCITP SQL Server and Development certifications that led me to a database development degree in college. I'm pretty much a jack of all trades and LOVE IT! This all applied to my work with SolarWinds, as I wanted to be able to help customers solve their issues or needs, and knowing more allowed me to do this successfully. I also dabbled in Cisco UCS management and am currently taking classes to venture toward a CCIE (crossing fingers). NCM is a product that I have worked with since its beginning. I even had the opportunity to fly to the NSA to create templates for some of their devices. I used to be the sole MIB database controller, so I'm definitely your huckleberry on MIBs and OIDs.
As an Applications Engineer I focused on Network Performance Monitor, Network Configuration Manager, Web Performance Monitor, Enterprise Operations Console, Patch Manager, User Device Tracker, and the Engineer's Toolset. See why I like to constantly learn new things? I had a lot to be on top of! SolarWinds is a passion of mine still to this very day. My new role as a Product Manager for NCM is home to me. Funny how I circled back around to my favorite product that got me here in the first place. :) My goal is to educate and work with customers to leverage our products to their fullest degree!