Firewall Logging

It works based on IP address and Port Numbers

🚦 Firewall Logging

A firewall, at its most basic form, is created to stop connections from suspicious networks. It inspects the Source address, Destination address, and the Destination port of all connections, and decides if a network can be trusted.

For simplicity, we can aggregate information on the Source Address, Source Port, and Destination Address and Destination Port. We can view this information as an identifying quality of any attempt to connect, as tracked by the firewall.

• Protecting the environment from threats from internal and external (Internet) sources.

• Acting as an investigative resource for security professionals who need to track how a breach penetrated the firewall.

The logging feature documents how the firewall deals with traffic types. These logs offer insights into, for example, source and destination IP addresses, protocols, and port numbers.

When and why firewall logging is useful

• To see if new firewall rules work well or to debug them if they do not work properly.

• To discover if any malicious activity is occurring within your network. However, it doesn’t offer the information you need to isolate the source of the activity.

• If you identify repeated unsuccessful tries to access your firewall from a single IP address (or from a group of IP addresses), you may wish to create a rule to stop all connections from that IP.

• Outgoing connections derived from internal servers, for example, web servers, may show that someone is using your system as a launch pad. They could be launching attacks against computers on other networks from your system.

➖ Linux Firewall Logs

The Linux kernel has a packet filtering framework called netfilter. This framework lets you permit, drop, and modify the traffic that comes in and out of a system. A tool, iptables furthers this functionality with a firewall, which you can configure using rules. Additional programs, like fail2ban, also rely on iptables to block attackers.

Working with and interpreting iptable firewall logs To create firewall logs, the kernel needs to be firewall logging enabled. By default, matched packets are logged as kern.warn (priority 4) messages. You can change the log priority with the --log-level option to -j LOG.

The majority of the IP packet header fields are disclosed when a packet matches a rule with the LOG target. By default, firewall log messages are written to /var/log/messages.

➖ Windows Firewall Logs

Microsoft Windows has a built-in firewall. The firewall does not log any traffic, by default. However, you can choose to configure the firewall to log connections that are permitted and traffic that is dropped. If you authorize Windows firewall logging, it creates “pfirewall.log” files in its directory hierarchy. You can see the Windows firewall log files via Notepad.

Interpreting the windows firewall logs

Your Windows Firewall log will look something like the following:

Track internet activity with windows firewall log

Here is an analysis of the key aspects of the above log:

1. The time and date of the connection.

2. What became of the connection. “Allow” means the firewall permitted the connection, while “drop” means it has prevented it.

3. The kind of connection, TCP or UDP.

4. The IP of the source of the connection (your PC), the IP of the destination (your desired recipient, e.g. a webpage), and the port used on your computer. You can use this to identify any ports that need opening for software to work. You should also look out for any suspicious connections, as they may indicate malware.

5. Tells you if this connection was your computer receiving a packet of data or sending one.

➖ How to Analyze Firewall Logs

Firewall logging, especially of permitted events, can be helpful for discovering potential network security threats. An organization generally places strict protection on assets that should not be freely accessible. These may include internal corporate networks and the workstations of employees. Typically, no unmediated inbound connection to these systems is allowed.

What to look for when performing firewall log analysis Once you have gathered the firewall logs and started the process of analyzing the logs, you can decide what to look for in the log. You should refrain from only looking for “harmful” events. Your firewall logs not only help you isolate compromises and incidents, but they can also help you specify the normal operations of the firewall.

One way to see whether the behavior that has been logged is suspicious is to see what the normal operations are and then to note the exceptions.

Some events should always cause suspicion and prompt further investigation. They are as follows:

• Authentication permitted

• Traffic dropped

• Firewall stop/start/restart

• Firewall configuration modifications

• Administrator access granted

• Authentication failed

• Administrator session ceased