Firewall Log

Firewall Log :

A firewall acts as a security guard for your network, deciding which traffic is allowed to pass in or out based on rules. It provides an important defense at the network’s borders. Reviewing firewall logs can give you valuable information about security events. Here are some key things you can learn from firewall logs:

  1. Connections Allowed or Blocked: Logs show which connections are permitted and which are denied. If you see a lot of denied traffic, it could indicate that your firewall is being attacked.

  2. Port and Protocol Usage: Each log entry shows the protocol (like TCP or UDP) and port numbers used in connections. You can analyze these to detect unusual activity.

  3. Bandwidth Usage: The logs track how long each connection lasts and how much data is transferred. This helps monitor which users or departments are using the most bandwidth.

  4. Tracking Address Translations: Firewalls often use Network Address Translation (NAT) or Port Address Translation (PAT). Logs can track these translations, helping you trace which internal user accessed external servers or if internal attacks were launched.

Each firewall vendor might have a slightly different log format. For example, Linux firewalls use a “syslog” format, which includes a timestamp, device ID, and detailed information like IP addresses, ports, and rule severity levels. This data helps you understand and trace the flow of traffic through your network.

By regularly reviewing firewall logs, you can spot security issues early and adjust your rules to improve your network’s defenses.

Because firewalls collect a lot of data but often have limited storage space, it’s important to use a log collection tool to prevent losing data when logs fill up or are cleared. The amount of logging you can do depends on how fast your system can process events. If too many events are generated, the system can become overwhelmed, making it vulnerable to “blinding” attacks. In such attacks, an adversary floods the system with traffic, hoping that when the real attack happens, the system won’t record all of it. It’s also important to store logs for a long time in case you need to investigate how a past attack occurred.
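As an added illustration of the log review described above (example code, not from the original post), the script below parses netfilter/iptables-style syslog lines, counts allowed versus denied entries, tallies the denied protocol/port pairs, and flags any source that was denied on several distinct ports. The log lines, host name `fw1`, addresses and the `FW-ACCEPT`/`FW-DROP` rule prefixes are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the netfilter/iptables syslog style: timestamp,
# device ID, a log prefix naming the rule, then key=value fields (SRC, DST, PROTO, DPT).
SAMPLE_LOG = """\
Mar  3 10:15:01 fw1 kernel: FW-ACCEPT: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51514 DPT=443 SYN
Mar  3 10:15:02 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=50 PROTO=TCP SPT=44321 DPT=22 SYN
Mar  3 10:15:02 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=50 PROTO=TCP SPT=44322 DPT=23 SYN
Mar  3 10:15:03 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=50 PROTO=TCP SPT=44323 DPT=3389 SYN
Mar  3 10:15:04 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=50 PROTO=UDP SPT=44324 DPT=161
Mar  3 10:15:05 fw1 kernel: FW-ACCEPT: IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=198.51.100.53 LEN=70 TTL=63 PROTO=UDP SPT=40000 DPT=53
Mar  3 10:15:06 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 LEN=60 TTL=61 PROTO=TCP SPT=33000 DPT=445 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>[A-Z-]+): (?P<fields>.*)$"
)

def parse_line(line):
    """Return a dict for one netfilter log line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "action": m.group("prefix")}
    for token in m.group("fields").split():
        if "=" in token:                  # bare TCP flags such as SYN carry no '='
            key, value = token.split("=", 1)
            rec[key] = value
    return rec

def summarize(text, deny_prefix="FW-DROP", scan_threshold=3):
    """Count allowed vs denied entries, tally denied protocol/port pairs, and flag
    sources denied on at least scan_threshold distinct ports (a probing pattern)."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    actions = Counter(r["action"] for r in records)
    denied = [r for r in records if r["action"] == deny_prefix]
    denied_ports = Counter((r["PROTO"], r.get("DPT")) for r in denied)
    ports_by_src = {}
    for r in denied:
        ports_by_src.setdefault(r["SRC"], set()).add(r.get("DPT"))
    suspects = sorted(s for s, p in ports_by_src.items() if len(p) >= scan_threshold)
    return {"actions": actions, "denied_ports": denied_ports, "suspects": suspects}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the sample, the one source denied on four different ports is reported while the single denied SMB attempt from another address is not, which is the kind of pattern a reviewer would then check against the rule that logged it.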

Firewall Configuration Changes :

In the past, network security mainly focused on protecting the perimeter, assuming that keeping attackers out would keep everything secure. While modern security methods go beyond just the perimeter, firewalls still play a crucial role in protecting networks. Any service that connects to the internet should be behind a firewall. Firewalls should be configured to only allow traffic through authorized ports and for specific hosts.

At the internet edge, firewalls are often set up in a demilitarized zone (DMZ). This setup uses:

  1. An external firewall to control traffic between the internet and the servers in the DMZ.

  2. An internal firewall to protect the local network (LAN) from the DMZ.

Services like websites, email, VoIP, and remote access (like VPN) are hosted in the DMZ to protect the rest of the network.

Firewall Rulesets :

Firewall rules are organized in a list, where each rule is checked one by one from top to bottom. If a rule matches the traffic, it will be allowed or blocked based on that rule. The most important rules should be placed at the top, and the last rule usually blocks anything that doesn’t match the other rules (this is called “implicit deny”).

Key principles for setting firewall rules include:

  • Block spoofed addresses: Block traffic from private, loopback, and multicast IPs, as well as addresses that haven’t been allocated yet (bogons).

  • Block certain protocols: Block protocols like ICMP, DHCP, and SMB that should only work locally.

  • Consider IPv6 traffic: Ensure rules are in place for IPv6, either blocking it or allowing only authorized traffic, as many systems use IPv6 by default.

Regular testing (through methods like threat hunting or penetration testing) and reviewing incidents help ensure firewall rules are working properly.

Drop vs. Reject in Firewall Rules

In firewalls, when a “deny” rule is applied, it can be implemented in two ways:

  • Drop: The packet is discarded silently without informing the client. This makes it difficult for attackers to figure out if a port is open or closed but can also complicate troubleshooting for legitimate users.

  • Reject: The firewall sends a response to the client, either a TCP RST (for TCP traffic) or an ICMP “port/protocol unreachable” (for UDP traffic). This helps legitimate users by letting them know the connection is blocked but can give attackers more information.

Choosing between “drop” or “reject” depends on the balance between security and usability.
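The ruleset principles above (top-to-bottom first match, implicit deny, blocking spoofed sources and local-only protocols, handling IPv6) and the drop-versus-reject distinction can be modelled in a few lines. This is an added example, not code from the original post or from any firewall product; the DMZ web server addresses, the rule names and the single bogon stand-in entry are constructed assumptions.

```python
import ipaddress

# Address ranges treated as spoofed when they arrive on the Internet-facing interface:
# RFC 1918 private, loopback and multicast for both IP versions, plus bogon space
# (one constructed entry here; a real deployment loads a maintained bogon feed).
SPOOFED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "224.0.0.0/4",
    "fc00::/7", "::1/128", "ff00::/8",
    "240.0.0.0/4",                            # reserved space used as the bogon stand-in
)]
# Protocols that should only ever be spoken locally: DHCP and SMB/NetBIOS ports.
LOCAL_ONLY = {("udp", 67), ("udp", 68), ("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}
WEB_V4, WEB_V6 = "198.51.100.10", "2001:db8::10"   # constructed DMZ web server addresses

def in_any(addr, nets):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)          # mismatched IP versions never match

# Each rule is (name, matcher, action). The list is walked top to bottom and the
# first matching rule decides, so the blocks come first, the narrow allows next,
# and the last catch-all rule is the implicit deny.
RULES = [
    ("block-spoofed",    lambda p: in_any(p["src"], SPOOFED),                          "drop"),
    ("block-icmp",       lambda p: p["proto"] == "icmp",                               "drop"),
    ("block-local-only", lambda p: (p["proto"], p.get("dport")) in LOCAL_ONLY,         "drop"),
    ("allow-web",        lambda p: p["dst"] in (WEB_V4, WEB_V6) and p["proto"] == "tcp"
                                   and p.get("dport") in (80, 443),                    "allow"),
    ("reject-ssh",       lambda p: p["proto"] == "tcp" and p.get("dport") == 22,        "reject"),
    ("implicit-deny",    lambda p: True,                                               "drop"),
]

def evaluate(packet):
    """Return (rule name, action) for the first rule the packet matches."""
    for name, matches, action in RULES:
        if matches(packet):
            return name, action

def client_sees(packet):
    """What the sender observes: drop gives silence, reject gives RST or ICMP unreachable."""
    _, action = evaluate(packet)
    if action == "allow":
        return "connection proceeds"
    if action == "drop":
        return "no response (times out)"
    return "TCP RST" if packet["proto"] == "tcp" else "ICMP port unreachable"

if __name__ == "__main__":
    pkt = {"src": "203.0.113.9", "dst": WEB_V4, "proto": "tcp", "dport": 22}
    print(evaluate(pkt), client_sees(pkt))
```

Only the one authorized IPv6 destination passes; any other IPv6 traffic falls through to the implicit deny, which is the "allow only authorized traffic" option from the list above.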

Egress Filtering: What It Is and Why It’s Important :

While many organizations traditionally focused on ingress filtering (blocking harmful traffic from entering the network), egress filtering is now just as crucial. Egress filtering controls what traffic can leave the network, helping to stop malware from communicating with external Command & Control (C&C) servers if internal systems are compromised.

Key guidelines for egress filtering include:

  • Allow only authorized ports: Only allow necessary applications to send traffic out through specific ports and, if possible, limit traffic to trusted Internet destinations.

  • Control DNS lookups: Restrict DNS queries to trusted DNS servers, like your own, your ISP’s, or secure public DNS services such as Google or Quad9.

  • Block bad IPs: Prevent access to IP ranges known for malicious activity, using lists like DROP.

  • Limit Internet access: Block any subnets or devices that don’t need to access the Internet, such as internal servers or specialized systems like ICSs (industrial control systems).

By applying these rules, you reduce the chances of malicious communication, though attackers can still use trusted services like cloud platforms to hide their activities.
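The four egress guidelines can be expressed as an ordered policy check over outbound flows. This is an added example, not code from the original post; the resolver addresses, the block-list range standing in for DROP-list entries, the ICS subnet, the authorized ports and the sample flows are all constructed.

```python
import ipaddress

# Constructed policy data (not from any real deployment):
TRUSTED_DNS = {"192.0.2.53", "198.51.100.53"}                # own resolver and ISP resolver
BAD_RANGES = [ipaddress.ip_network("203.0.113.0/24")]       # stand-in for DROP-list entries
NO_INTERNET = [ipaddress.ip_network("10.50.0.0/16")]        # ICS segment, no Internet access
ALLOWED_PORTS = {("tcp", 80), ("tcp", 443), ("tcp", 25)}    # applications authorized outbound
# Where possible, pin a port to trusted destinations: SMTP may only reach the mail relay.
PINNED = {("tcp", 25): [ipaddress.ip_network("198.51.100.25/32")]}
DNS_PORTS = {("udp", 53), ("tcp", 53)}

def in_any(addr, nets):
    return any(addr in n for n in nets)

def egress_decision(flow):
    """Apply the egress guidelines to one outbound flow; returns (action, reason)."""
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    key = (flow["proto"], flow["dport"])
    if in_any(src, NO_INTERNET):
        return "drop", "source segment has no Internet access"
    if in_any(dst, BAD_RANGES):
        return "drop", "destination on block list"
    if key in DNS_PORTS:
        if flow["dst"] in TRUSTED_DNS:
            return "allow", "DNS to trusted resolver"
        return "drop", "DNS to untrusted resolver"
    if key not in ALLOWED_PORTS:
        return "drop", "port not authorized for egress"
    if key in PINNED and not in_any(dst, PINNED[key]):
        return "drop", "destination not trusted for this port"
    return "allow", "authorized"

def audit(flows):
    """Return the flows the policy would drop, each with its reason, for review."""
    dropped = []
    for f in flows:
        action, reason = egress_decision(f)
        if action == "drop":
            dropped.append((f, reason))
    return dropped

# Constructed outbound flows: a workstation beaconing to an odd port, the same host
# using an outside resolver, an ICS host, and the workstation reaching a cloud
# service on 443 (allowed, which is the caveat about trusted services above).
SAMPLE_FLOWS = [
    {"src": "10.10.1.15", "dst": "198.51.100.200", "proto": "tcp", "dport": 8443},
    {"src": "10.10.1.15", "dst": "192.0.2.99", "proto": "udp", "dport": 53},
    {"src": "10.50.3.7", "dst": "198.51.100.200", "proto": "tcp", "dport": 443},
    {"src": "10.10.1.15", "dst": "198.51.100.200", "proto": "tcp", "dport": 443},
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(flow["src"], "->", flow["dst"], flow["dport"], "dropped:", reason)
```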

Firewalking: A Network Mapping Technique :

Firewalking is a method used by cyber attackers to explore and map out a network’s internal structure by bypassing firewalls. The goal is to determine which Access Control List (ACL) rules are in place and identify the ports and source addresses allowed to communicate.

Here’s how it works:

  1. Identify Open Ports: The attacker first scans the perimeter firewall to find which ports are open.

  2. Send a Crafted Packet: Next, they create a packet specifically for one of these open ports. This packet has a Time To Live (TTL) value set to one more than the firewall’s limit.

  3. Wait for a Response: If the packet passes through the firewall and reaches a host on the internal network, that host sends back an ICMP “time exceeded” message indicating that the TTL has run out, which reveals both that the port is permitted and that a host exists behind the firewall.

How to Protect Against Firewalking :

To mitigate the risks associated with firewalking, organizations can:

  • Use Network Address Translation (NAT): This hides the internal IP addresses from attackers, making it difficult for them to determine the internal network layout.

  • Block Outgoing ICMP Messages: Preventing the firewall from sending back ICMP status messages can reduce the effectiveness of this technique, making it harder for attackers to gain information about the network.

By implementing these measures, networks can better defend against firewalking attempts and protect their internal resources.

Conclusion: Key Concepts in Firewall Management and Security

  1. Firewall Log Review: Regularly reviewing firewall logs is essential for identifying patterns in allowed and denied traffic. This analysis helps detect potential security breaches and ensures that firewall rules are effectively implemented. It provides valuable insights into bandwidth usage, port usage, and address translation, aiding in the overall security posture.

  2. Firewall Configuration Changes: Maintaining an effective firewall configuration is crucial for protecting internet-facing services. Firewalls should only allow authorized traffic while blocking unauthorized access. This is often managed through a demilitarized zone (DMZ) setup, where an external firewall controls access between the internet and the DMZ and an internal firewall protects the LAN from the DMZ.

  3. Firewall Rulesets: The rulesets within a firewall’s Access Control List (ACL) dictate how traffic is processed. Important rules should be prioritized at the top, with a default rule to block any unmatched traffic. Principles include blocking suspicious IP addresses and ensuring proper IPv6 configurations to prevent unauthorized access.

  4. Drop vs. Reject in Firewall Rules: When a packet is denied, it can either be dropped (discarded silently) or rejected (responded to with an error). Dropping packets can obscure the attacker’s view of the network but can complicate troubleshooting for legitimate users.

  5. Egress Filtering: This process involves restricting outbound traffic to prevent compromised internal hosts from communicating with external command and control (C&C) servers. Implementing strict egress rules is essential for modern cybersecurity and requires careful configuration to avoid interrupting authorized activities.

  6. Firewalking: Firewalking is a technique used by attackers to probe firewall rules and map internal networks from the outside. It involves sending crafted packets to identify open ports and receiving notifications from internal hosts. Mitigation strategies include using NAT and blocking outgoing ICMP messages to protect the internal network layout.

Overall, effective firewall management involves ongoing monitoring, configuration, and adaptation to emerging threats, ensuring a robust defense against potential attacks.
