Firewalls and Logging

Discussion in 'other firewalls' started by CrazyM, Nov 6, 2005.

Thread Status:
Not open for further replies.
  1. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    While you will see all kinds of recommendations and opinions on what to look for in a firewall, how often do you see logging mentioned? Is logging capability something you consider when evaluating a firewall? If not, it should be.

    Proper logging is a critical component to monitoring your overall security policy, use of the system(s), use of the network and for troubleshooting. Given the increase in home networks, logging ability should be considered for devices like routers as well as software firewalls when both are used.

    Obviously not all firewalls or routers are created equal when it comes to logging. So up for discussion:
    What type of events do you log?
    What type of events can’t you log?
    What type of events should you log?

    Regards,

    CrazyM
     
  2. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    I think that logging is very important, especially for any rule based firewall that you have to configure and set up rules in. One good example is Kerio of course. Logging is necessary so you can see what's going on and the results (intended and otherwise) of the rules you put in place.

    In general, I like to enable as much logging of everything as possible when first installing and configuring any firewall, and then once things are set up and purring nicely, I tend to rely on logging less, although it's still important to keep one's eyes on the logs.
     
  3. Arup

    Arup Guest

    I would like to add that logging in routers is a vague issue for most. Many router users are so self-secure that they hardly even bother to turn on the router firewall, thinking that if they are doing NAT, they are safe. Most don't even know that some routers come by default with WAN ping not blocked or the firewall not enabled; they just turn it on and run. Logging is another issue: let's take a poll on how many router users are using Wall Watcher or the router's own log viewer. Chances are, not that many. Routers are a very good idea but need to be implemented properly and also checked with a software firewall from time to time for SPI. What worries me is that, unlike a software firewall, a router's SPI is not transparent in any sense.
     
  4. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    How the hell am I now supposed to post a reply with quotes if the two options (quoting) and (responding) seem to be mutually exclusive?
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi CrazyM,

    When I first created my ruleset, I logged *everything* - I learned a lot by studying the logs. I think it's also important to understand the terminology - port, protocol names, etc.

    Once I understood what was going on, then I became more selective.
    ------------------------------------

    **What type of events do you log?

    these deny & permit rules:

    Deny all other ICMP, all IGMP
    Deny all other Port 53 In-Out (other than my ISP)
    Permit ICMP 0, 3, 11 In
    Permit ICMP 8 In - ISP
    LAN rules
    Permit various applications outbound (just to watch the activity)
    --------------------------------------

    **What type of events can’t you log?

    Not sure what you mean here - don't know of any rule that I can't log
    ----------------------------------------------

    **What type of events should you log?

    I don't know how to answer that - perhaps it would depend on one's own setup and networks.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  6. CrazyM

    CrazyM Firewall Expert

    Logging utilities for routers and firewalls should be included in the discussions as they can help make sense of what can be an overwhelming amount of data.

    Regards,

    CrazyM
     
  7. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    351
    For me it's also important how easy it is to access the log. With CHX-I for example, I just click once on my quick-launch shortcut and I'm in the log. I will not use any firewall that requires more than a click or two to get to the log.
     
  8. Arup

    Arup Guest

    Also bear in mind, CHX is one of the few to show its state tables; I wonder if any router would ever do that.
     
  9. CrazyM

    CrazyM Firewall Expert

    As this discussion will be covering software firewalls and routers, logging options will vary. Most rule based firewalls should have logging as an option for each rule. Others may have logging options, but be limited in what can be logged.
    Permitted/denied access to an admin interface, configuration changes, to name a couple.

    Regards,

    CrazyM
     
  10. CrazyM

    CrazyM Firewall Expert

    While easy access via software firewalls may be an additional consideration to content, accessing logs for routers will usually involve more than one or two clicks.

    Regards,

    CrazyM
     
  11. jvmorris

    jvmorris Registered Member

    I agree that's true for me, but I'm not so presumptuous as to assume it's true for everyone, and certainly (not necessarily) the average end-user.

    You're not givin' me much to work with here, Jim! ;)
    (probably because I agree with what you've said above).

    Well, it depends on what options are available for a particular SOHO NAT router/ firewall appliance, or host-based firewall! Obviously, you can't log what's not available. For example, the Westell 327W that I'm currently using for my DSL connection provides several options for logging
    1) log inbound blocked
    2) log outbound blocked
    3) log all blocked
    4) log all inbound (blocked and permitted)
    5) log all outbound (blocked and permitted)
    6) log all inbound and outbound (blocked and permitted)
    That looks pretty good, doesn't it? Until you consider that in a PSF like NIS/NPF, you can decide to log or not log the consequences of each particular rule.

    Now, between the Westell 327W SOHO NAT Router, the old NIS/NPF 2002 PSF (Win 98 SE), Sygate PF on the Win 2000 Pro box, or the nVidia firmware-based firewall on the Win XP box, I've got more options than I can count! (And, at different times, I'll log different things on any of these.)

    The 'should' question is very situation-dependent (and I think you know that). What I log (and then bother to look at) varies widely in different situations.

    But, I think you left out something important -- and that's the ability to analyze the logs, via sorting and filtering. Most native product firewall logging utilities provide little, if any, capability along these lines. And that's why I tend to use Blake's LinkLogger or Dan Tseng's Wallwatcher for the SOHO NAT routers I've got. The only comparable utility I've found for PSFs is Sven's NIS LOG Viewer (but then I've led a sheltered life). I really hope there are other logging apps out there with similar capabilities for log analysis; I'm just not all that familiar with what they may be.
     
  12. CrazyM

    CrazyM Firewall Expert

    Code:
    Established Sessions
     Session 81814FBC (10.10.10.5:2178)=>(64.91.226.241:80) http SIS_OPEN
      Created 00:00:02, Last heard 00:00:01
      Bytes sent (initiator:responder) [607:16562]
      Out SID 64.91.226.241[80:80]=>10.10.10.5[2178:2178] on ACL 104
      In  SID 64.91.226.241[80:80]=>154.xx.xxx.xx[2178:2178] on ACL 111  (14 matches)
    As noted earlier, not all firewalls or routers are created equal ;). While state tables/information is probably going a little beyond the scope of general logging, if you have the ability, it would help in monitoring and troubleshooting.

    Regards,

    CrazyM
     
    Last edited: Nov 6, 2005
  13. Rmus

    Rmus Exploit Analyst

    Kerio doesn't log, but if you've enabled "use Password" then it brings up an Alert for Password box for both of the above, which I've documented in testing several trojans.


    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  14. Arup

    Arup Guest

    Interesting post CrazyM, care to divulge what router this one is?
     
  15. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Logging is necessary I would agree, but it also comes at a cost. Firewalls that log more will require more resources (CPU, RAM, disk space) and, for software firewalls, excluding these logs from anti-virus scans is important.

    From a security perspective, logging all traffic - allowed and blocked - is important since many configurations may not be tight enough to block all malicious traffic. Windows does not make this any easier with svchost being a problem - blocking it completely will lose network connectivity in most cases while allowing it completely will leave a system vulnerable to UPnP and RPC/DCOM exploits (MyDoom, Welchia/Nachi, etc). Therefore being able to review what has been allowed can help identify any suspicious behaviour.

    Log analysis is important too and those interested may wish to take a look at LogAnalytics which can produce charts (with modules for several software firewalls) though it does require IE with ActiveX to display the 3D graphs.
     
  16. Arup

    Arup Guest

    Well, the inbound logs on my CHX hardly consume any resources that would cause me to worry, and no slowdowns either, even with ZAP logs. I run on an unprotected, irresponsible and infected ISP which pings my ports 135 and 445 every few seconds; that way my system should crawl to a halt.
     
  17. CrazyM

    CrazyM Firewall Expert

    Well hopefully discussions like this will get users to delve a little further into the capabilities of their software/hardware.

    It does compared to some. Just need to convince users when looking at routers to go beyond asking will it let me play games or download music :rolleyes: When these things do not work, logging certainly helps to troubleshoot and resolve connection issues. Having proper logging as an option, even if not enabled by default, can go a long way.

    With all the options you (and others) may have available it does make for interesting considerations in what to log and where.

    Interpreting and analyzing logs is almost a topic in itself. The use of utilities like the ones you mentioned goes a long way in sorting through large logs that may include all inbound and outbound traffic.

    Regards,

    CrazyM
     
  18. CrazyM

    CrazyM Firewall Expert

    This same exclusion could help for those using third party software for monitoring/collecting logs from routers on their systems.

    Logging all traffic raises another feature/ability to look for: Can your firewall, router or logging utility archive logs daily, weekly, monthly? Logging everything is going to add up quickly.

    Regards,

    CrazyM
     
  19. Rmus

    Rmus Exploit Analyst

    My logs pretty much follow a pattern. I would guess 90% are probes to the trojan ports, often in blocks from the same source indicating perhaps a worm sending out a scan:

    http://www.rsjones.net/img/portscan.gif

    Another block of scans is to the same port, from different sources, indicating that my IP for this session was used at one time by someone else - as a server, perhaps. The scan always stops when I disconnect and reconnect.

    http://www.rsjones.net/img/39992.gif

    A web site I visit often, sends this probe, always to the same port:

    http://www.rsjones.net/img/33435.gif

    By definition, fcp is a probe from the Internap FCP (Flow Control Pattern) device.

    I wrote the webmaster and it was explained:

    ---------------------------
    The source traffic is a network performance probe set, assessing
    network health between your site, and one of ours.

    This scan only occurs during periods where traffic from your network to a
    host inside a section of network optimized by our product is significant
    enough in size, or duration, to warrant optimization.

    The nature of the probes is benign, and if you examine closely, you'll find
    that it's fairly identical to traceroute (udp, icmp).
    ----------------------------

    And of course, the usual influx of messenger spam on ports 1026 etc.

    I keep a list of unusual ports that show up, such as 123, 1000, 1080, 2745. A check often reveals use by trojans/virus.

    A good source of information about ports is the port lookup at

    http://isc.sans.org/

    No. I manually start a new log each month and file old ones by date.

    I check the log daily and copy/save the entries I want to investigate.

    I don't log suspicious packets (ACK, FIN, etc)

    I know that LinkLogger and others do much more in-depth analysis of logs, but you need other software for that.

    I just analyze my logs for fun, and it's a good learning experience.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  20. CrazyM

    CrazyM Firewall Expert

    Seeing those Kerio logs brings up something else to consider in logging - formatting.
    While this may not seem like a big issue, if you should ever have to submit logs in regards to an incident, agencies involved may expect or look for certain content.

    Protocol, source IP and port, destination IP and port, action taken (denied/permitted), date and time stamps (do you have the option to specify time zone, time by msec?).

    It has been awhile since I have looked at/used Kerio, but do the saved logs show "localhost" instead of the destination/source IP?

    Another formatting issue to be aware of is "source, destination" vs "local, remote". One requires documentation of direction (local/remote) while source/destination is implicit. (just to keep life interesting I have seen one software firewall that has used both formats where there were different logging fields/components)

    Regards,

    CrazyM
     
  21. Rmus

    Rmus Exploit Analyst

    I cropped those images to fit in the message.

    Here are uncropped, both:

    a complete screen shot

    and the saved log

    You can describe what you were referring to about submitting logs. I assume a text file of the log would not be accepted for submitting, since it can be easily altered?


    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  22. CrazyM

    CrazyM Firewall Expert

    An easy to read text format would probably be preferred.

    My concern with the Kerio logs is the use of "localhost" in the logs. There is no record of your IP. If the logs were to be used by your ISP or other agencies to try and track down an abuse issue, your IP at the time of the event(s) in question is not there.

    From your saved log example:
    Code:
    1, [04/Nov/2005 21:39:33] Rule 'Deny All Remaining Protocols' Blocked: In TCP, 66-52-51-96.lsan.mdsg-pacwest.com [66.52.51.96:3837]->localhost:139, Owner: no owner
    1, [04/Nov/2005 21:41:23] Rule 'Deny All Remaining Protocols' Blocked: In TCP, 66-52-51-96.lsan.mdsg-pacwest.com [66.52.51.96:2779]->localhost:445, Owner: SYSTEM
    Entries for similar events from my logs:
    Code:
    309721: Nov  6 2005 17:41:05.477 PST: %SEC-6-IPACCESSLOGP: list 111 denied tcp 59.113.74.128(1199) -> 154.xx.xxx.xx(139), 1 packet
    309722: Nov  6 2005 17:41:35.085 PST: %SEC-6-IPACCESSLOGP: list 111 denied tcp 59.113.74.128(4337) -> 154.xx.xxx.xx(445), 1 packet
    If your ISP or any other agency needs to establish you as victim in any abuse investigation, it would be harder to do without your IP. With it properly recorded, your ISP could substantiate that you in fact had that IP at the time in question.

    Regards,

    CrazyM
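    A worked example of the two points raised above, added here and not code from the original thread, from Kerio or from Cisco: Rmus's post 19 spots patterns by eye (one source probing many ports, many sources hitting one port), and posts 20 and 22 point out that a log line is only useful in an abuse report if it carries protocol, both IP addresses and ports, the action, and a timestamp with a time zone. The script below parses both line formats shown above (Kerio 2.x and Cisco IOS %SEC-6-IPACCESSLOGP) into one source/destination record, flags the fields an investigator would find missing (a "localhost" endpoint, a zone-less timestamp), and summarises the two scan patterns. The sample lines are constructed with RFC 5737 documentation addresses; the time zone table, the thresholds, and the assumption that Kerio writes "Blocked"/"Permitted" as its action words are mine.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

# Kerio 2.x saved-log line (format as posted above; the local side appears as "localhost").
KERIO_RE = re.compile(
    r"^\d+, \[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']*)' (?P<action>\w+): "
    r"(?P<dir>In|Out) (?P<proto>\w+), [^\[]*\[(?P<src>[\d.]+):(?P<sport>\d+)\]"
    r"->(?P<dst>[\w.-]+):(?P<dport>\d+)"
)
# Cisco IOS %SEC-6-IPACCESSLOGP line (format as posted above).
IOS_RE = re.compile(
    r"^\d+: (?P<ts>\w{3}\s+\d+ \d{4} \d\d:\d\d:\d\d\.\d+) (?P<tz>\w+): "
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\w.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\w.]+)\((?P<dport>\d+)\), (?P<n>\d+) packet"
)
# Zone abbreviation -> UTC offset in hours (assumption: extend with what your router emits).
TZ_OFFSETS = {"UTC": 0, "GMT": 0, "PST": -8, "PDT": -7}


def parse_line(line):
    """Return one normalised source/destination record, or None if the line is unrecognised."""
    m = KERIO_RE.match(line)
    if m:  # Kerio writes no zone and no sub-second part, so the timestamp stays naive
        return {"ts": datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S"),
                "dir": m["dir"], "proto": m["proto"].lower(),
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
                "action": "denied" if m["action"] == "Blocked" else "permitted"}
    m = IOS_RE.match(line)
    if m:  # IOS gives milliseconds and a zone name; attach the zone when its offset is known
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S.%f")
        if m["tz"] in TZ_OFFSETS:
            ts = ts.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[m["tz"]])))
        return {"ts": ts, "dir": None, "proto": m["proto"],
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]), "action": m["action"]}
    return None


def is_ip(text):
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def report_problems(rec):
    """What an ISP or CERT would find missing if this record went into an abuse report."""
    problems = []
    if not (is_ip(rec["src"]) and is_ip(rec["dst"])):
        problems.append("endpoint logged as a name, not an IP: your own address at the time is not recorded")
    if rec["ts"].tzinfo is None:
        problems.append("timestamp carries no time zone")
    return problems


def scan_summary(denied, min_ports=3, min_sources=3):
    """One source sweeping many ports, and many sources hitting one port
    (the pattern seen after being assigned an address a server once held)."""
    ports_by_src, srcs_by_port = defaultdict(set), defaultdict(set)
    for r in denied:
        ports_by_src[r["src"]].add(r["dport"])
        srcs_by_port[r["dport"]].add(r["src"])
    sweeps = {s: sorted(p) for s, p in ports_by_src.items() if len(p) >= min_ports}
    hot_ports = {p: sorted(s) for p, s in srcs_by_port.items() if len(s) >= min_sources}
    return sweeps, hot_ports


def analyse(text):
    records = [r for r in map(parse_line, text.splitlines()) if r]
    problems = {i: report_problems(r) for i, r in enumerate(records)}
    problems = {i: p for i, p in problems.items() if p}
    sweeps, hot_ports = scan_summary([r for r in records if r["action"] == "denied"])
    return records, problems, sweeps, hot_ports


# Constructed sample: six Kerio lines and two IOS lines, plus one line in neither format.
SAMPLE = """\
1, [04/Nov/2005 21:39:33] Rule 'Deny All Remaining Protocols' Blocked: In TCP, host-a.example.net [198.51.100.23:3837]->localhost:139, Owner: no owner
1, [04/Nov/2005 21:39:34] Rule 'Deny All Remaining Protocols' Blocked: In TCP, host-a.example.net [198.51.100.23:3838]->localhost:445, Owner: SYSTEM
1, [04/Nov/2005 21:39:35] Rule 'Deny All Remaining Protocols' Blocked: In TCP, host-a.example.net [198.51.100.23:3839]->localhost:1025, Owner: no owner
1, [04/Nov/2005 21:40:01] Rule 'Deny All Remaining Protocols' Blocked: In UDP, host-b.example.net [203.0.113.5:1026]->localhost:39992, Owner: no owner
1, [04/Nov/2005 21:40:07] Rule 'Deny All Remaining Protocols' Blocked: In UDP, host-c.example.net [203.0.113.77:1026]->localhost:39992, Owner: no owner
1, [04/Nov/2005 21:40:12] Rule 'Deny All Remaining Protocols' Blocked: In UDP, host-d.example.net [203.0.113.140:1026]->localhost:39992, Owner: no owner
309721: Nov  6 2005 17:41:05.477 PST: %SEC-6-IPACCESSLOGP: list 111 denied tcp 198.51.100.23(1199) -> 192.0.2.7(139), 1 packet
309722: Nov  6 2005 17:41:35.085 PST: %SEC-6-IPACCESSLOGP: list 111 denied tcp 198.51.100.23(4337) -> 192.0.2.7(445), 1 packet
this line is in neither format and is skipped
"""

if __name__ == "__main__":
    records, problems, sweeps, hot_ports = analyse(SAMPLE)
    print(f"{len(records)} records parsed")
    for i, p in problems.items():
        print(f"record {i}: " + "; ".join(p))
    print("port sweeps:", sweeps)
    print("ports hit from many sources:", hot_ports)
```

    Run as-is and every Kerio record is flagged twice (the "localhost" endpoint and the missing zone) while the IOS records pass, which is the difference post 22 describes; the summary then shows 198.51.100.23 sweeping 139/445/1025 and port 39992 being hit from three sources. The Kerio direction field is kept separately because, as post 20 notes, a local/remote log needs the direction recorded to be read as source/destination.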
     
  23. Rmus

    Rmus Exploit Analyst

    Thanks for that explanation.

    Can you describe what an abuse investigation is?

    thanks,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  24. CrazyM

    CrazyM Firewall Expert

    All I mean by that is if you wanted to report events in your logs (ie. potential attack - more that just the usual everyday scans we all see) to your ISP, another ISP, law enforcement, etc. Proper logs would be a must.

    Regards,

    CrazyM
     
  25. Rmus

    Rmus Exploit Analyst

    OK, thanks for the explanation.

    For an attack, wouldn't the attacker have to know your IP address? On dialup, it changes each session, AFAIK.

    Regards,

    rich
     