Logging and Detection of Suspicious Activity

Packet-filtering routers unfortunately suffer from a number of weaknesses. The filtering rules can be difficult to specify; usually no testing facility exists, so the rules must be tested by hand; and the rule set can become very complex, depending on the site's access requirements. Often no logging capability exists, so if a router's rules still let "dangerous" packets through, the packets may not be detected until a break-in has occurred. In addition, some packet-filtering routers filter only on the destination address, not on the source address.

Some logging capability within a firewall system is important both to ensure the secure operation of the firewall and to detect suspicious activity that might lead to break-ins. A host system with packet-filtering capability, such as [Ran92] or [Rap93], can monitor traffic more readily than, say, a host in combination with a packet-filtering router, unless the router can be configured to send all rejected packets to a logging host.

What type of traffic should be logged? In addition to standard logging, which would include statistics on packet types, frequency, and source/destination addresses, the following types of activity should be captured:

Logs will have to be read frequently. If suspicious behavior is detected, a call to the offending site's administrator can often determine the source of the behavior and put an end to it; the firewall administrator also has the option of blocking all traffic from the offending site. [GS91] and [PR91] contain useful advice on dealing with suspicious activity and break-ins.
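The three points above (rules that cannot be tested on the router, rejected packets that go unlogged, and logs that must be read for repeated probes of denied services) can be illustrated together in a small program. The following is an added example, not code from the NIST document or from the [Ran92]/[Rap93] filters it cites: a toy first-match packet filter with an offline rule-test harness, a logger that writes one line per rejected packet, and an analyzer that reads those lines back and flags any source address that is rejected repeatedly. Every address (RFC 5737 documentation ranges), port, rule, timestamp and log line is constructed for the illustration, and the syslog-like log format is an assumption of the example.

```python
"""Added example, not from the NIST text: a toy first-match packet filter with an
offline rule-testing harness, reject logging and a log analyzer that flags hosts
repeatedly hitting denied services.  Every address, port, rule, timestamp and
log line here is constructed for illustration (RFC 5737 documentation ranges)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source CIDR; "0.0.0.0/0" matches any address
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def decide(rules: list, pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; a packet no rule covers gets the default action."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


ANY = "0.0.0.0/0"
SITE = "192.0.2.0/24"   # constructed site network

# Intended policy: only SMTP to the mail host and DNS to the name server come in.
RULES = [
    Rule("permit", ANY, "192.0.2.10/32", "tcp", 25),
    Rule("permit", ANY, "192.0.2.53/32", "udp", 53),
    Rule("deny", ANY, SITE, "any", None),
]
# Same intent, mis-specified: the broad TCP permit is listed before the telnet
# deny, so under first-match the deny is never reached.
RULES_MISORDERED = [
    Rule("permit", ANY, SITE, "tcp", None),
    Rule("deny", ANY, SITE, "tcp", 23),
    Rule("permit", ANY, "192.0.2.53/32", "udp", 53),
]

# Offline test cases the router itself offers no way to run: (packet, expected).
EXPECTED = [
    (Packet("198.51.100.7", "192.0.2.10", "tcp", 25), "permit"),
    (Packet("198.51.100.7", "192.0.2.53", "udp", 53), "permit"),
    (Packet("198.51.100.7", "192.0.2.20", "tcp", 23), "deny"),
    (Packet("198.51.100.7", "192.0.2.20", "udp", 69), "deny"),
]


def policy_violations(rules: list) -> list:
    """Test cases whose actual decision differs from the documented intent."""
    return [(pkt, want, decide(rules, pkt))
            for pkt, want in EXPECTED if decide(rules, pkt) != want]


# Constructed traffic sample: (timestamp, packet).  198.51.100.7 probes several
# denied services; 203.0.113.5 makes a single stray attempt.
TRAFFIC = [
    ("1994-10-07T16:17:21", Packet("198.51.100.7", "192.0.2.10", "tcp", 25)),
    ("1994-10-07T16:17:25", Packet("198.51.100.7", "192.0.2.20", "tcp", 23)),
    ("1994-10-07T16:17:26", Packet("198.51.100.7", "192.0.2.20", "udp", 69)),
    ("1994-10-07T16:17:27", Packet("198.51.100.7", "192.0.2.20", "tcp", 79)),
    ("1994-10-07T16:17:28", Packet("198.51.100.7", "192.0.2.21", "tcp", 23)),
    ("1994-10-07T16:18:02", Packet("203.0.113.5", "192.0.2.20", "tcp", 23)),
]


def log_rejects(rules: list, traffic: list) -> list:
    """One line per rejected packet, in a constructed syslog-like format."""
    return [f"{ts} filter: DENY {p.proto} {p.src} -> {p.dst}:{p.dport}"
            for ts, p in traffic if decide(rules, p) == "deny"]


def analyze(log_lines: list, threshold: int = 3):
    """Count rejects per source and the services each source probed; any source
    at or above the threshold is reported as suspicious."""
    rejects = Counter()
    probed = defaultdict(Counter)
    for line in log_lines:
        _ts, _tag, _action, proto, src, _arrow, dst = line.split()
        rejects[src] += 1
        probed[src][(proto, int(dst.rsplit(":", 1)[1]))] += 1
    suspicious = sorted(s for s, n in rejects.items() if n >= threshold)
    return rejects, probed, suspicious


def block_rule(src: str) -> Rule:
    """The administrator's fallback from the text: refuse all traffic from the offending site."""
    return Rule("deny", f"{src}/32", ANY, "any", None)


if __name__ == "__main__":
    for pkt, want, got in policy_violations(RULES_MISORDERED):
        print(f"RULES_MISORDERED: {pkt.proto}/{pkt.dport} to {pkt.dst}: wanted {want}, got {got}")
    log = log_rejects(RULES, TRAFFIC)
    print("\n".join(log))
    rejects, probed, suspicious = analyze(log)
    for src in suspicious:
        print(f"suspicious: {src} rejected {rejects[src]} times, services {sorted(probed[src])}")
        print("  candidate rule:", block_rule(src))
```

Run stand-alone, the program first reports that the mis-ordered rule set permits inbound telnet despite the explicit deny (the kind of error that manual testing on the router tends to miss), then prints the five reject lines and flags 198.51.100.7 as suspicious after four rejects across three different services, while the single attempt from 203.0.113.5 stays below the threshold. The threshold and the per-source grouping stand in for the judgement the text leaves to the administrator reading the logs.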




John Barkley
Fri Oct 7 16:17:21 EDT 1994