
Archive for February, 2008

5 Firewall Statistics To Watch

Written by B T I on Feb 25th, 2008 | Filed under: Security

Regardless of your firewall vendor or monitoring method, there are five (5) statistics that will expose most security attacks / threats or at least alert you to significant suspicious activity. These approaches will also expose any misconfiguration issues in networks or systems and provide a minimal firewall log review policy.

Note: In order to take advantage of these statistics, not only will some form of log monitoring be required, but firewall rules that ACCEPT traffic will also need to log the activity they allow. An IDS/IPS could also be used to produce the ACCEPTED statistics described below.

1. Top 5 Blocked Destinations
These Destinations could be Public or Private IP Addresses, depending on the firewall deployment. The key here is to determine whether these IP Addresses getting blocked are legitimate or the result of a virus infection, malware infestation, or well-intending user run amuck. A good monitoring system or script will provide a method to view what firewall events made up this list. In most cases, the originating system is unable to communicate with the destination host; however, the mere fact that a high volume of traffic was blocked is often an indicator of more suspicious activity.

2. Top 5 Blocked Service Ports (Destination Ports)
Reporting service ports being blocked can be reassuring, but just as a high number of Destinations being blocked could be an indicator of nefarious activity, blocked ports can signal the same activity. Service ports typically available in most organizations include web, secure web, email, file transfers, and streaming media. Excessive Service Ports being blocked can indicate attempted information leakage, compromised hosts, or virus activity. Excessive Service Ports being blocked can also indicate broken applications, malfunctioning server software, or hosting provider upgrades that are being blocked by your firewall. Wikipedia’s List of TCP/IP Ports can help identify malicious ports as well as standard application ports.

3. Top 5 Accepted Sources
This statistic is a reality-check for servers, power-users, and services. Most organizations deploy some form of server services that provide file sharing, electronic communications, and printing services. Organizations should expect to see those systems or hosts as their top Sources or Top Talkers, and when other systems or hosts appear in this Top 5 list, some measure of caution should be exercised to ensure each source is validated. Common causes for unexpected systems appearing on this list could be a recent upgrade/update for an application or system (an AV update across all desktops or a Microsoft Patch Tuesday update), network-based backup activity, or a compromised system uploading company / personal data offsite.

4. Top 5 Accepted Service Ports (Destination Ports)
Once again, organizations traditionally provide a consistent framework of services in order to conduct business. These services include file sharing, network printing, email services, and web services. If the Top 5 Accepted Service Ports for your organization are not among these ports, a deeper inspection of the identified ports may be needed. Wikipedia’s Listing of TCP/IP Ports can expedite research.

5. Bottom 5 Accepted Sources
Lastly, it is important to understand the statistical importance of the most unique sources passing through your firewall, because this method of rudimentary anomaly detection can be very insightful. Here you are again looking at traffic that passed through your firewall, but you’re concerned with the most unique traffic sources because oftentimes attackers or insiders will try to hide in plain sight, hoping a high volume of network traffic will obscure their tracks. This statistic will help isolate traffic that could be probing for access by users, employees, clients, etc.
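As an added example (not code from the original post), here is a small Python script that computes the five statistics above from constructed log lines loosely modelled on Cisco PIX syslog messages; the message IDs, interface names and addresses are assumptions for illustration, and "Bottom 5" is computed as the rarest accepted sources.

```python
import re
from collections import Counter

# Constructed sample log, loosely modelled on Cisco PIX syslog messages:
# 106023 = packet denied by an access list, 302013 = TCP connection built.
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src inside:192.168.1.20/51234 dst outside:203.0.113.9/6667 by access-group "inside_in"
%PIX-4-106023: Deny tcp src inside:192.168.1.20/51235 dst outside:203.0.113.9/6667 by access-group "inside_in"
%PIX-4-106023: Deny tcp src inside:192.168.1.20/51236 dst outside:198.51.100.7/6667 by access-group "inside_in"
%PIX-4-106023: Deny udp src inside:192.168.1.30/4000 dst outside:198.51.100.7/53 by access-group "inside_in"
%PIX-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.5/80 (203.0.113.5/80) to inside:192.168.1.10/51000 (192.168.1.10/51000)
%PIX-6-302013: Built outbound TCP connection 1002 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.168.1.10/51001 (192.168.1.10/51001)
%PIX-6-302013: Built outbound TCP connection 1003 for outside:203.0.113.6/25 (203.0.113.6/25) to inside:192.168.1.11/51002 (192.168.1.11/51002)
%PIX-6-302013: Built outbound TCP connection 1004 for outside:203.0.113.6/80 (203.0.113.6/80) to inside:192.168.1.10/51003 (192.168.1.10/51003)
%PIX-6-302013: Built outbound TCP connection 1005 for outside:203.0.113.8/22 (203.0.113.8/22) to inside:192.168.1.99/51004 (192.168.1.99/51004)
"""

# Denied packets name src and dst explicitly; built outbound connections list the
# outside (destination) endpoint first and the inside (source) endpoint second.
DENY_RE = re.compile(r"Deny \w+ src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
BUILT_RE = re.compile(r"Built outbound \w+ connection \d+ for \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) \S+ to \w+:(?P<src>[\d.]+)/\d+")


def parse_events(log_text):
    """Return a list of (action, src, dst, dport) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        if m := DENY_RE.search(line):
            events.append(("deny", m["src"], m["dst"], m["dport"]))
        elif m := BUILT_RE.search(line):
            events.append(("accept", m["src"], m["dst"], m["dport"]))
    return events


def firewall_stats(log_text, n=5):
    """Compute the five statistics from the post as lists of (value, count)."""
    events = parse_events(log_text)
    blocked = [e for e in events if e[0] == "deny"]
    accepted = [e for e in events if e[0] == "accept"]
    accepted_sources = Counter(e[1] for e in accepted)
    return {
        "blocked_destinations": Counter(e[2] for e in blocked).most_common(n),
        "blocked_ports": Counter(e[3] for e in blocked).most_common(n),
        "accepted_sources": accepted_sources.most_common(n),
        "accepted_ports": Counter(e[3] for e in accepted).most_common(n),
        # "Bottom 5": the rarest sources that were allowed through, ties broken by address
        "rarest_accepted_sources": sorted(accepted_sources.items(), key=lambda kv: (kv[1], kv[0]))[:n],
    }


if __name__ == "__main__":
    for name, rows in firewall_stats(SAMPLE_LOG).items():
        print(name, rows)
```

Point the script at a real log export and compare each list against the servers and service ports you expect to see; anything else is the "reality-check" the post describes.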

Check-out Log Management, if you don’t have any system in place to automatically generate these and other useful statistics.


Cisco Firewalls

Written by B T I on Feb 25th, 2008 | Filed under: Security, Technology

Small and medium-sized businesses looking beyond $75 DSL/cable modem router/firewalls and wishing to ensure their business is secured can look to the Cisco PIX Firewall as a stable and reliable firewall platform that is easy on the pocket. Cisco PIX firewalls are great “standard” firewalls for small and medium-sized businesses that want a firewall they can install and forget about. Not that we advocate forgetting about your firewall, but you might forget you have it installed because they just work!

Cisco is phasing out the PIX models in favor of the newer Adaptive Security Appliance, which means these PIX firewalls can be picked up off eBay and technology refurbishing sites for a fraction of the original cost.

If you purchase a PIX or already have one, then you know it is often hard to answer “What’s Going On?”. The logging produced by a Cisco PIX firewall is difficult to manage without some form of management platform, regardless of whether Cisco’s new web-based configuration / monitoring interface is installed.


Cisco Firewall Logging

Written by B T I on Feb 25th, 2008 | Filed under: Security

We recommend PIX Logging Architecture (PLA) as a strong open-source, low-investment solution for organizations interested in seeing what’s going on inside their Cisco PIX firewall. (Excellent write-up on PIX Logging Architecture.)

Organizations open to spending more capital for logging / monitoring their firewalls can check out this article on Log Management.


Welcome to Better Tech Info

Written by B T I on Feb 25th, 2008 | Filed under: Security, Technology

CAUTION: We’re still installing theme packs and tweaking CMS templates, but the content is rolling in.

We specialize in IT, LAN, WAN, Security, Compliance, Privacy, Project Management, Technology services and consulting.

Our mission: to self-enable small and medium-sized businesses by offering our 30 years of Fortune 250 consulting expertise in the form of eBooks, white papers, blog posts, and webinars.

Contact us at info@bettertechinfo.com or leave a comment.