5 Firewall Statistics To Watch
Regardless of your firewall vendor or monitoring method, there are five (5) statistics that will expose most security attacks or threats, or at least alert you to significant suspicious activity. These statistics will also expose misconfiguration issues in networks or systems and provide a minimal firewall log review policy.
Note: To take advantage of these statistics, not only will some form of log monitoring be required, but firewall rules that ACCEPT traffic will also need to log the activity allowed. An IDS/IPS could also be used to derive the ACCEPTED statistics described below.
1. Top 5 Blocked Destinations
These Destinations could be Public or Private IP Addresses, depending on the firewall deployment. The key here is to determine whether the IP Addresses getting blocked are legitimate or the result of a virus infection, malware infestation, or a well-intentioned user run amok. A good monitoring system or script will provide a method to view which firewall events made up this list. In most cases, the originating system is unable to communicate with the destination host; however, the mere fact that a high volume of traffic was blocked is often an indicator of more suspicious activity.
2. Top 5 Blocked Service Ports (Destination Ports)
Reporting service ports being blocked can be reassuring, but just as a high number of blocked Destinations could be an indicator of nefarious activity, blocked ports can signal the same. Service ports typically available in most organizations include web, secure web, email, file transfers, and streaming media. Excessive Service Ports being blocked can indicate attempted information leakage, compromised hosts, or virus activity. They can also indicate broken applications, malfunctioning server software, or hosting provider upgrades that are being blocked by your firewall. Wikipedia’s List of TCP/IP Ports can help identify malicious ports as well as standard application ports.
3. Top 5 Accepted Sources
This statistic is a reality check for servers, power users, and services. Most organizations deploy some form of server services that provide file sharing, electronic communications, and printing services. Organizations should expect to see those systems or hosts as their top Sources or Top Talkers, and when other systems or hosts appear in this Top 5 list, some measure of caution should be exercised to ensure each source is validated. Common causes for unexpected systems appearing on this list include a recent upgrade/update for an application or system (an AV update across all desktops or a Microsoft Patch Tuesday update), network-based backup activity, or a compromised system uploading company / personal data offsite.
4. Top 5 Accepted Service Ports (Destination Ports)
Once again, organizations traditionally provide a consistent framework of services in order to conduct business. These services include file sharing, network printing, email services, and web services. If the Top 5 Accepted Service Ports for your organization are not among these ports, a deeper inspection of the identified ports may be needed. Wikipedia’s Listing of TCP/IP Ports can expedite research.
5. Bottom 5 Accepted Sources
Lastly, it is important to understand the statistical importance of the least common sources passing through your firewall, because this method of rudimentary anomaly detection can be very insightful. Here you are again looking at traffic that passed through your firewall, but you are concerned with the rarest traffic sources, because oftentimes attackers or insiders will try to hide in plain sight, hoping a high volume of network traffic will obscure their tracks. This statistic will help isolate traffic that could be probing for access by users, employees, clients, etc.
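As an added example (not code from the original post or from any particular firewall vendor), the following Python script computes all five statistics above over a small constructed log. The log format (a simplified iptables/syslog-style line with ACTION, SRC, DST, PROTO and DPT fields), the sample addresses and the "expected service ports" set used for item 4 are assumptions; adapt the regular expression to your own firewall's log format. Because only ACCEPT rules that log produce the accepted-traffic statistics, the script also reports how many lines it could not parse, which is a quick check that logging is actually enabled on those rules.

```python
import re
from collections import Counter

# Constructed sample log (not from the original post). Each line is a simplified
# iptables/syslog-style record: ACTION SRC=<ip> DST=<ip> PROTO=<proto> DPT=<port>.
SAMPLE_LOG = """\
ACCEPT SRC=10.0.0.20 DST=10.0.0.5 PROTO=TCP DPT=445
ACCEPT SRC=10.0.0.20 DST=10.0.0.6 PROTO=TCP DPT=445
ACCEPT SRC=10.0.0.20 DST=10.0.0.7 PROTO=TCP DPT=445
ACCEPT SRC=10.0.0.21 DST=10.0.0.5 PROTO=TCP DPT=25
ACCEPT SRC=10.0.0.21 DST=10.0.0.6 PROTO=TCP DPT=25
ACCEPT SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP DPT=443
ACCEPT SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP DPT=80
ACCEPT SRC=10.0.0.6 DST=203.0.113.11 PROTO=TCP DPT=443
ACCEPT SRC=10.0.0.7 DST=203.0.113.12 PROTO=TCP DPT=443
ACCEPT SRC=10.0.0.99 DST=198.51.100.7 PROTO=TCP DPT=6667
DROP SRC=10.0.0.44 DST=198.51.100.9 PROTO=TCP DPT=3389
DROP SRC=10.0.0.44 DST=198.51.100.9 PROTO=TCP DPT=3389
DROP SRC=10.0.0.44 DST=198.51.100.9 PROTO=TCP DPT=3389
DROP SRC=10.0.0.44 DST=198.51.100.8 PROTO=TCP DPT=22
DROP SRC=10.0.0.45 DST=198.51.100.11 PROTO=UDP DPT=53
DROP SRC=10.0.0.45 DST=198.51.100.11 PROTO=TCP DPT=25
kernel: martian source 10.0.0.3 from 10.0.0.9, on dev eth0
"""

# Assumed line format; replace with a pattern matching your firewall's logs.
LINE_RE = re.compile(
    r"^(?P<action>ACCEPT|DROP|REJECT)\s+SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)"
    r"\s+PROTO=(?P<proto>\S+)\s+DPT=(?P<dpt>\d+)\s*$"
)


def parse_events(text):
    """Return (events, unparsed_count). Lines that do not match the format are skipped."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        ev = m.groupdict()
        ev["dpt"] = int(ev["dpt"])
        ev["blocked"] = ev["action"] in ("DROP", "REJECT")
        events.append(ev)
    return events, unparsed


def _ranked(counter, n, bottom=False):
    """Top (or bottom) n (key, count) pairs; ties are broken by key so output is stable."""
    sign = 1 if bottom else -1
    return sorted(counter.items(), key=lambda kv: (sign * kv[1], kv[0]))[:n]


def firewall_statistics(events, n=5):
    """Compute the five statistics from the post over parsed events."""
    blocked = [e for e in events if e["blocked"]]
    accepted = [e for e in events if not e["blocked"]]
    accepted_src = Counter(e["src"] for e in accepted)
    return {
        "top_blocked_dst": _ranked(Counter(e["dst"] for e in blocked), n),      # item 1
        "top_blocked_dpt": _ranked(Counter(e["dpt"] for e in blocked), n),      # item 2
        "top_accepted_src": _ranked(accepted_src, n),                           # item 3
        "top_accepted_dpt": _ranked(Counter(e["dpt"] for e in accepted), n),    # item 4
        "bottom_accepted_src": _ranked(accepted_src, n, bottom=True),           # item 5
    }


def unexpected_accepted_ports(stats, expected_ports):
    """Accepted top-N ports outside the organisation's expected service set (item 4 check)."""
    return [port for port, _ in stats["top_accepted_dpt"] if port not in expected_ports]


if __name__ == "__main__":
    events, unparsed = parse_events(SAMPLE_LOG)
    print(f"parsed {len(events)} events, skipped {unparsed} unparsed line(s)")
    stats = firewall_statistics(events)
    for name, rows in stats.items():
        print(name)
        for key, count in rows:
            print(f"  {key!s:<16} {count}")
    # Assumed expected service set (file sharing, email, web); tune to your own services.
    print("unexpected accepted ports:", unexpected_accepted_ports(stats, {25, 80, 443, 445}))
```

In the constructed sample, the file server 10.0.0.20 and mail server 10.0.0.21 lead the accepted sources as the post expects, while the rare source 10.0.0.99 surfaces in the bottom-5 list and its port 6667 is the only accepted top-5 port outside the expected set, which is exactly the kind of entry that warrants a closer look.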
Check out Log Management if you don’t have any system in place to automatically generate these and other useful statistics.
