Collecting and retaining firewall logs is critical to determining the security of a firewall system and the assets it protects. All suspicious activity, as well as firewall configuration changes, must be logged in sufficient detail to assist in identifying unauthorized access attempts. Logs must be routinely backed up and stored in a secure location.
Firewall logs must be periodically reviewed to ensure that the firewall is operating securely and as intended. Security logs must be analyzed to determine potential attack sources and attack classes; this information can then be used to further harden the firewall and its defenses.
As part of firewall security standards, logging is critical to the operational requirements of any firewall system. Logs must be routinely analyzed to identify any suspicious activity or security breaches. A graphical analysis tool is recommended for interpreting firewall logs and producing reports, used in conjunction with firewall alerting and a security escalation procedure. Log mirroring is critical to ensure that a secondary copy of the security log is sent to, and stored on, a system separate from the firewall. This protects against log tampering where the firewall is compromised and an intruder “hides their tracks” by deleting or manipulating the primary security log; in that event the secondary copy remains intact.
The minimum requirements for firewall logging are:
1. Packet logging must be enabled and set to a suitably granular (detailed) level, based on a security risk assessment.
2. A suitable logging level must be deployed to capture potential security events without generating excessive overhead on the firewall system.
3. Firewall logs should be time-stamped, rolled nightly and backed up at least weekly.
4. Firewall logs should be regularly moved to protected offline storage and kept for at least 12 months.
5. Firewall logs must be routinely reviewed to assist with security analysis.
In addition, the recommended requirement for firewall logging is:
6. Firewall logging should be implemented using log mirroring, with the security log mirrored to a second server. This ensures that firewall logs are continuously available and not easily susceptible to tampering.
Firewall logging provides the ability to determine whether any unauthorized access attempts or breaches have occurred (or are occurring). If properly reviewed, firewall logs allow stronger security policies to be developed and enforced.
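As an added example (not part of the original article), a small Python review script in the spirit of requirements 3 and 5: it parses constructed netfilter-style drop lines, flags any line that lacks a timestamp, and groups drops by source address to suggest an attack class. The log format, the FW-DROP prefix, the documentation-range addresses and the thresholds are all assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in iptables/netfilter LOG style (not from a real firewall).
# The final line deliberately lacks a timestamp to exercise the time-stamping check.
SAMPLE_LOG = """\
Mar 10 02:14:31 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22
Mar 10 02:14:32 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=22
Mar 10 02:14:33 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=22
Mar 10 02:15:01 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=21
Mar 10 02:15:01 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=23
Mar 10 02:15:02 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=25
Mar 10 02:15:02 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=80
Mar 10 02:16:10 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=53
fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.56 DST=192.0.2.10 PROTO=TCP SPT=1 DPT=443
"""

# Assumed line layout: syslog timestamp, host, "kernel: FW-DROP:", then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: FW-DROP: .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

def parse_drops(text):
    """Return (records, unstamped): parsed drop events plus a count of drop
    lines with no timestamp, which violate the time-stamping requirement."""
    records, unstamped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append({"ts": m["ts"], "src": m["src"],
                            "proto": m["proto"], "dpt": int(m["dpt"])})
        elif "FW-DROP" in line:
            unstamped += 1
    return records, unstamped

def classify_sources(records, repeat_threshold=3, scan_threshold=4):
    """Group drops by source and label a likely attack class. Thresholds are
    illustrative assumptions, not values taken from any standard."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r["dpt"])
    report = {}
    for src, ports in by_src.items():
        distinct = set(ports)
        if len(distinct) >= scan_threshold:
            cls = "port-scan"                      # one source probing many ports
        elif len(ports) >= repeat_threshold and len(distinct) == 1:
            cls = f"repeated-attempts-port-{ports[0]}"  # hammering one service
        else:
            cls = "isolated"
        report[src] = {"drops": len(ports), "ports": sorted(distinct), "class": cls}
    return report

if __name__ == "__main__":
    recs, missing = parse_drops(SAMPLE_LOG)
    print(f"{len(recs)} drops parsed, {missing} line(s) missing a timestamp")
    for src, info in classify_sources(recs).items():
        print(f"{src:15} {info['drops']:3} drops  ports={info['ports']}  -> {info['class']}")
```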
Alongside these functional requirements, see also the related article on firewall contingency planning. Contingency plans must be prepared that address the response and action procedures to be taken in the event of various network firewall security incidents.