Firewall Logs - Part Two

In Part One of this series, I dove into the issue of security and compliance. In case you don't remember, I'm reviewing this wonderful webcast series to stress the importance of the information presented in each. This week, I'm focusing on the firewall logs webcast.

I chose the Firewall Logs webcast for this week because it is a known and very useful way to prevent attacks. Now, my takeaway from this session is that SIEMs are fantastic ways to normalize the logs from your firewall and also from the rest of your infrastructure. You guys don't need me to preach on that, I know. However, I feel like when you use health and performance monitoring along with network configuration management tools, you really have a better solution all the way around.
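To make the normalization point concrete, here is an added example (my own illustration, not code from the webcast, from LEM, or from any SolarWinds product). It parses two constructed firewall log formats into one common schema, the way a SIEM would, and then applies the baseline idea from the list below: each source's denied connections in the current hour are compared with that source's own past hours, and a source is flagged when it blows past its history. The log formats, IP addresses, hour buckets and thresholds are all made up for the example.

```python
import re
import statistics
from collections import defaultdict
from typing import NamedTuple, Optional


class Event(NamedTuple):
    """Common schema every firewall line is normalized into (assumed, for the example)."""
    hour: str      # "YYYY-MM-DDTHH" bucket the event falls in
    action: str    # "deny" or "allow"
    src: str
    dst: str
    dport: int


# Two constructed log formats (not any real vendor's output):
#   format A:  <ts> fwA action=<deny|allow> src=<ip> dst=<ip> dport=<n> proto=<p>
#   format B:  <ts> fwB <DENY|ALLOW> <proto> <src>:<sport> -> <dst>:<dport>
FORMAT_A = re.compile(
    r"^(?P<ts>\S+) fwA action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
FORMAT_B = re.compile(
    r"^(?P<ts>\S+) fwB (?P<action>\w+) \w+ (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")


def normalize(line: str) -> Optional[Event]:
    """Map a line from either format onto the common Event schema; None if unparseable."""
    for pattern in (FORMAT_A, FORMAT_B):
        m = pattern.match(line)
        if m:
            return Event(m["ts"][:13], m["action"].lower(), m["src"], m["dst"], int(m["dport"]))
    return None


def denies_per_source_hour(lines):
    """Count denied connections per source, per hour bucket, across the normalized events."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ev = normalize(line)
        if ev and ev.action == "deny":
            counts[ev.src][ev.hour] += 1
    return counts


def flag_anomalies(counts, baseline_hours, current_hour, k=3.0, floor=5):
    """Compare each source's deny count in current_hour with its own baseline hours.

    A source is flagged when the current count exceeds mean + k*stdev of its baseline
    AND an absolute floor; the floor stops a jump from 1 deny to 2 being an "outlier".
    """
    flagged = {}
    for src, per_hour in counts.items():
        baseline = [per_hour.get(h, 0) for h in baseline_hours]
        current = per_hour.get(current_hour, 0)
        mean = statistics.mean(baseline)
        stdev = statistics.pstdev(baseline)
        if current > max(floor, mean + k * stdev):
            flagged[src] = {"current": current, "baseline_mean": round(mean, 2)}
    return flagged


def build_sample_lines():
    """Constructed sample traffic: three quiet baseline hours, then one hour in which
    10.1.1.5 produces a burst of denies while 10.1.1.7 stays close to normal."""
    lines = []
    day = "2024-05-01T"
    for hour, n5, n7 in (("08", 2, 1), ("09", 3, 1), ("10", 2, 1), ("11", 40, 2)):
        for i in range(n5):  # alternate the two formats so both parsers are exercised
            if i % 2 == 0:
                lines.append(f"{day}{hour}:00:{i:02d}Z fwA action=deny src=10.1.1.5 "
                             f"dst=203.0.113.9 dport={20 + i} proto=tcp")
            else:
                lines.append(f"{day}{hour}:00:{i:02d}Z fwB DENY tcp 10.1.1.5:5{i:04d} "
                             f"-> 203.0.113.9:{20 + i}")
        for i in range(n7):
            lines.append(f"{day}{hour}:01:{i:02d}Z fwA action=deny src=10.1.1.7 "
                         f"dst=203.0.113.9 dport=443 proto=tcp")
        lines.append(f"{day}{hour}:02:00Z fwB ALLOW tcp 10.1.1.7:50001 -> 203.0.113.10:443")
        lines.append("garbage line that neither parser understands")
    return lines


def run_demo():
    """Normalize the constructed lines and flag sources whose current hour is anomalous."""
    counts = denies_per_source_hour(build_sample_lines())
    baseline_hours = ["2024-05-01T08", "2024-05-01T09", "2024-05-01T10"]
    return flag_anomalies(counts, baseline_hours, "2024-05-01T11")


if __name__ == "__main__":
    for src, info in run_demo().items():
        print(f"ANOMALY src={src} denies={info['current']} baseline_mean={info['baseline_mean']}")
```

Run it and the burst from 10.1.1.5 is reported, while 10.1.1.7 (which also doubled relative to itself, but from one deny to two) is not; the absolute floor is what keeps that kind of noise from paging anyone. The unparseable line is simply dropped, which is also what you want to count and alert on separately in a real SIEM, since a parser that silently drops lines is a blind spot.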

Everyone (I think) knows that I'm not one to tell you to buy only SolarWinds products! So please do NOT take this that way. I will preach about having some type of SIEM, network performance monitor (NPM), patch manager (PaM), and a solid network configuration change management (NCM) tool within your environment. Let me give you some information to go along with this webcast on how I would personally tie these together.

  1. Knowing the health of your infrastructure allows you to see anomalies. When this session was discussing the mean time to detection I couldn't help but think about a performance monitor. You have to know what normal is and have a clear baseline before an attack.
  2. Think about the ACLs along with your VLANs and allowed traffic on your network devices. NCM allows you to use real-time change notification to help you track whether any outside changes are being made and shows you exactly what was changed. Also, using this with the approval system allows you to catch outside access and stop it in its tracks, since those are not approved network config changes. This is a huge win for security. When you also add in the compliance reports and scheduled email send-outs, you are able to verify your ACLs and access based on patterns you customize to your company's needs. This is vital for documentation and also for validating against any type of change-request ticketing you may have.
  3. We all know we need to be more compliant and patch our stuff! Not only to be aware of vulnerabilities but also to protect our vested interests in our environment.
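To show how the NCM pieces in item 2 fit together, here is an added example (my own, not SolarWinds NCM's logic). It diffs the live config against the approved baseline, subtracts the one change that went through the ticket/approval process so that only the unapproved line is left, and then runs the ACL lines against a few policy patterns of the kind a compliance report would use. The device syntax, ACL names, hostnames and patterns are simplified and made up for the example.

```python
import difflib
import re

# Constructed config snapshots in a simplified, made-up syntax (not a real device's):
#   access-list <name> <permit|deny> <proto> <src> <dst> [eq <port>]
GOLDEN_CONFIG = """\
hostname edge-fw-1
access-list OUTSIDE_IN deny tcp any any eq 23
access-list OUTSIDE_IN deny ip any any
"""

RUNNING_CONFIG = """\
hostname edge-fw-1
access-list OUTSIDE_IN permit tcp any any eq 22
access-list OUTSIDE_IN deny tcp any any eq 23
access-list OUTSIDE_IN permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN deny ip any any
"""

# The only change that went through the change-request/approval process (constructed).
APPROVED_CHANGES = {"+access-list OUTSIDE_IN permit tcp any host 203.0.113.10 eq 443"}

# Policy patterns a compliance report would be built from (constructed examples).
FORBIDDEN = [
    ("ssh permitted from any source", re.compile(r"^access-list \S+ permit tcp any any eq 22$")),
    ("telnet permitted from any source", re.compile(r"^access-list \S+ permit tcp any any eq 23$")),
    ("permit ip any any", re.compile(r"^access-list \S+ permit ip any any$")),
]
REQUIRED = [
    ("explicit final deny", re.compile(r"^access-list \S+ deny ip any any$")),
]


def config_diff(golden: str, running: str):
    """Return only the added/removed lines between the approved baseline and the live config."""
    diff = difflib.unified_diff(golden.splitlines(), running.splitlines(), lineterm="", n=0)
    return [line for line in diff
            if line[:1] in "+-" and not line.startswith(("+++", "---"))]


def unapproved_changes(diff_lines, approved):
    """Every changed line that is not covered by an approved change request."""
    return [line for line in diff_lines if line not in approved]


def compliance_report(config: str):
    """List policy violations: forbidden patterns present, required patterns missing."""
    lines = config.splitlines()
    violations = []
    for name, pattern in FORBIDDEN:
        for line in lines:
            if pattern.match(line):
                violations.append(f"forbidden: {name}: {line}")
    for name, pattern in REQUIRED:
        if not any(pattern.match(line) for line in lines):
            violations.append(f"missing: {name}")
    return violations


def run_demo():
    """Diff, subtract approved changes, and run the compliance checks on the live config."""
    changed = config_diff(GOLDEN_CONFIG, RUNNING_CONFIG)
    return {
        "changed": changed,
        "unapproved": unapproved_changes(changed, APPROVED_CHANGES),
        "violations": compliance_report(RUNNING_CONFIG),
    }


if __name__ == "__main__":
    report = run_demo()
    for line in report["unapproved"]:
        print(f"UNAPPROVED CHANGE: {line}")
    for v in report["violations"]:
        print(f"NON-COMPLIANT: {v}")
```

The two checks deliberately overlap: the unapproved-change check catches anything that bypassed the ticket process, whether or not it breaks policy, and the compliance patterns catch a bad rule even when someone did get it approved. Both fire on the same SSH line here, which is exactly the kind of item you want showing up in a scheduled report and in the change ticket for validation.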

Okay, so the stage is laid out and I hope you see why you need more than just a great SIEM like LEM to back, plan, and implement any type of security policies you may need. This webcast brings up great points to think about when securing those firewalls. IMHO, if you have LEM, Jamie's demo should help you guys strengthen your installation. Also, the way he presents this helps you to strengthen or validate any SIEM you may have in place currently.

I hope you guys are enjoying this series as much as I am. I think we should all at least listen to security ideas to help us strengthen our knowledge and skill sets. Trust me, I'm no expert or I would abolish these attacks, lol! What I am is a passionate security IT person who wants to engage different IT silos to have a simple conversation about security.

Thanks for your valuable time! Let me know what you think by posting a comment below, and remember to follow me @Dez_Sayz!
