A Prevention & Notification System By Using Firewall Log Data
By Pilan Lin
Table of Contents

ABSTRACT ... 3
1 INTRODUCTION ... 4
2. Firewall Log data ... 6
2.1 How to collect log data ... 6
3. Prevention & Notification System Model ... 13
3.1 Monitor ... 13
3.2 Prevention ... 14
3.3 Notification ... 14
4. Conclusion ... 16
5 REFERENCES ... 17

LIST OF FIGURES

Fig. 2.1 NetScreen 5GT log messages format ... 7
Fig. 2.2 NetScreen 5GT security levels ... 7
Fig. 2.3 NetScreen 5GT Web Interface ... 8
Fig. 2.4 Cisco Pix PDM Interface ... 10
Fig. 2.5 Cisco Pix PDM enable logging Interface ... 11
Fig. 2.6 Cisco Pix PDM syslog Interface ... 12
Figure 3.1 PNS preference ... 13
ABSTRACT

In this study we present a framework for designing a prevention and notification system (PNS) by means of firewall log data. The prevention system consists of three components: monitor, prevention or notification, and action. We collect firewall log data from several devices and categorize it into six different groups: virus log, attack, audit, event, traffic, and vpn. By monitoring and analysing these different activities, the prevention system can be triggered to block connections between users inside the firewall and the outside Internet automatically, and the notification system raises an alarm to designated users according to thresholds set up by the users.

KEYWORDS: Prevention, Firewall, Log data
1 INTRODUCTION

Nowadays, firewalls seem to be indispensable equipment in small, medium, and large business enterprises, and also on personal computers. All kinds of firewalls are designed to prevent unauthorized access. Firewalls can be implemented in hardware, in software, or in a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All data entering or leaving the intranet passes through the firewall, which examines each message and blocks those that do not meet the specified security criteria. There are several types of firewall techniques:

Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules, the so-called policy. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.

Application gateway: Applies security mechanisms to specific applications, such as HTTP, FTP and Telnet servers. This is very effective, but can impose performance degradation.

Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.

Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.

In practice, many firewalls use two or more of these techniques in concert. Whatever kind of firewall has been chosen, they all generate a large amount of log data. These textual files can be enormous and quite complex, making manual review unfeasible, which often results in both undetected attacks and false alarms [1]. Unfortunately, by the time users check these logs, the events have already happened; as a matter of fact, events happen all the time.
Firewalls can only block activities in light of user-defined policies; in other words, if the user does not have much experience in making policies, then these firewalls cannot do much better. In this study, we use log data to build a prevention system model in which users can set preferences to block connections between the inside and the outside of the firewall.
2. Firewall Log data

Firewall log data carries important information, such as indicators of spoofing and failed authentication attempts, abnormal protocol bandwidth, and virus attacks. Even for organizations with one or two firewalls, it can be difficult to take the time to perform firewall log analysis to determine whether and how hackers are trying to break in, or to understand whether the latest worm is trying to exploit yesterday's newly announced vulnerabilities. For larger enterprises and government entities, the problem gets significantly worse. Firewall log volumes can reach tens of thousands of events per second, a volume that requires specialty firewall log analysis and security event correlation software to make sense of. Firewall log analysis (both real-time and forensic) is also becoming a fundamental requirement for meeting newly enacted legislative mandates and regulatory rules. We collect real-time firewall log data and categorize it into six different types: virus log, attack, audit, event, traffic, and vpn.

2.1 How to collect log data

In this paper, we demonstrate how to collect firewall log data for the NetScreen 5GT, CheckPoint 380, and Cisco Pix501.

2.1.1 NetScreen 5GT

Syslog: A protocol that enables a device to send log messages to a host running the syslog daemon (syslog server). The syslog server then collects and stores these log messages locally [2]. For the NetScreen 5GT, all messages consist of the following elements [3][4]:

Date  Time  Module  Severity Level  Message Type  Message Text
Fig. 2.1 NetScreen 5GT log messages format

The date shows the year-month-day when the event occurred. The time shows the hour:minute:second when the event occurred. The module shows the device type where the event occurred. The severity level places the event in one of eight levels of severity, using the hierarchical structure established by syslog, as shown in the following table. The message type displays a code number associated with the severity level. The message text displays the content of the event message; it includes the administrator's login name when the administrator performed an action. Figure 2.2 shows the seven security levels in the syslog:

Message Type  Severity Level  Description
0             Emergency       The system has become unusable.
1             Alert           Immediate action is required.
2             Critical        Functionality is affected.
3             Error           An erroneous condition exists and functionality is probably affected.
4             Warning         Functionality might be affected.
5             Notification    Notification of normal events.
6             Information     General information about system operations.
7             Debugging       Detailed information useful for debugging purposes (currently not used).

Fig. 2.2 NetScreen 5GT security levels

The NetScreen 5GT provides two interfaces for managing the firewall: web and telnet. For collecting log data, Fig. 2.3 displays the web interface:
1. In the main menu, choose Configuration -> Report Settings -> Syslog.
2. Fill in the IP address and port number of the syslog server.

Fig. 2.3 NetScreen 5GT Web Interface

Syslog data will then be sent to the indicated server.

2.1.2 CheckPoint 380

Unlike NetScreen, CheckPoint uses OPSEC (Open Platform for Security) to administer the firewall. Check Point's OPSEC integrates and manages all aspects of network security through an open, extensible management framework. Third-party security applications can plug into the OPSEC framework via published application programming interfaces (APIs) [5]. The OPSEC SDK includes the following APIs:

CVP (Content Vectoring Protocol): used to implement content screening and antivirus checking.
UFP (URL Filtering Protocol): used to control access to external Web sites.
SAM (Suspicious Activity Monitoring): used to detect and block intrusion attempts.
LEA (Log Export API): used to retrieve and export VPN-1/FireWall-1 log data.
ELA (Event Logging API): used to enable third-party applications to log events into the VPN-1/FireWall-1 SmartCenter.
UserAuthority: used to provide network security information to third-party applications.
AMON (Application Monitoring API): used to enable third-party applications to export their status information to VPN-1/FireWall-1.
CPMI (Check Point Management Interface): used to provide a secure interface to the Check Point VPN-1/FireWall-1 SmartCenter Server and its components.

Among the Check Point OPSEC APIs, the LEA (Log Export API) Specification enables an application written by an OPSEC Partner (a LEA Client) to respond to log events generated by an LEA Server (usually a FireWall-1 Management Module) [6].

2.1.3 Cisco Pix501

Like NetScreen, PIX logs are very well documented. Cisco's PIX is a well-known firewall appliance. It is highly scalable, from a small office or home environment to an enterprise environment, and is very widely used. PIX can be configured using either a command line interface or the so-called PIX Device Manager (PDM), a graphical user interface: an HTML configuration application that comes with the PIX, shown in Figure 2.4.
Fig. 2.4 Cisco Pix PDM Interface

Once the PDM opens, click the Configuration icon at the top. Next, expand Logging in the tree view and then select Logging Setup.
Fig. 2.5 Cisco Pix PDM enable logging Interface

Make sure the Enable Logging box is checked, as in the screenshot. Then select Syslog in the tree view. This brings you to the page where syslog servers can be configured. Typically, your syslog server will reside on the internal network, so leave the interface at inside. Then enter the IP address of your syslog server into the IP Address field. In the screenshot, this has already been done. Next, make sure UDP is selected as the protocol. The port value of 514 is the default and also the standard; there should be little need to modify it. If you do, make sure you fully understand the implications, as a wrong port can disrupt traffic [7][8][9][10].
Fig. 2.6 Cisco Pix PDM syslog Interface

After all these steps are done, syslog messages will be sent to the inside syslog server at IP 10.11.1.131 over UDP port 514.
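Once the messages reach the syslog server, they have to be split into the fields of Fig. 2.1 before they can be categorized. As an added example that is not part of the original paper, the following Python does that split and maps the severity number to its Fig. 2.2 name; the single-space separators, the module name ns5gt, the message-type codes and the sample lines are all constructed for this example and are not real NetScreen output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity levels of Fig. 2.2. Note the direction: 0 is the MOST severe, 7 the least.
SEVERITY = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
            4: "Warning", 5: "Notification", 6: "Information", 7: "Debugging"}

@dataclass
class LogRecord:
    date: str       # year-month-day the event occurred
    time: str       # hour:minute:second the event occurred
    module: str     # device type where the event occurred
    severity: int   # 0..7, see SEVERITY
    msg_type: str   # code number associated with the severity level
    text: str       # message text

# Field order follows Fig. 2.1. Single-space separators and the token shapes are
# assumptions of this example, not taken from a vendor document.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<module>\S+) (?P<severity>[0-7]) (?P<msg_type>\S+) (?P<text>.*)$")

def parse_line(line: str) -> Optional[LogRecord]:
    """Split one syslog line into the Fig. 2.1 fields; None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return LogRecord(m["date"], m["time"], m["module"], int(m["severity"]),
                     m["msg_type"], m["text"])

def parse_all(lines: List[str]) -> List[LogRecord]:
    """Parse what fits and drop the rest (a real collector should count the drops)."""
    return [r for r in (parse_line(l) for l in lines) if r is not None]

def severity_name(level: int) -> str:
    return SEVERITY.get(level, "Unknown")

def at_least(records: List[LogRecord], level: int) -> List[LogRecord]:
    """Records at `level` or worse; worse means a numerically SMALLER value here."""
    return [r for r in records if r.severity <= level]

# Constructed sample lines in the Fig. 2.1 layout (not real NetScreen output).
SAMPLE_LINES = [
    "2005-03-01 10:15:02 ns5gt 6 00001 traffic: FTP 10.11.1.50:1034 -> 192.0.2.10:21 bytes=4096",
    "2005-03-01 10:15:07 ns5gt 4 00002 audit: admin netscreen logged on via Telnet from 10.11.1.20",
    "2005-03-01 10:15:09 ns5gt 1 00003 virus: infected attachment blocked for 10.11.1.77",
    "this line does not follow the format",
]
```

The severity scale runs against a naive "greater than" filter: 0 is Emergency, so "Warning or worse" selects levels 0 to 4, which is what at_least(records, 4) returns.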
3. Prevention & Notification System Model

In our prevention and notification system model, we first collect firewall syslog data, and then users set preferences as thresholds. The system monitors the syslog from the firewalls and sends alarms or blocks connections, depending on the preferences, as soon as a threshold has been reached.

3.1 Monitor

The PNS monitors traffic for all kinds of protocol services: FTP, Telnet, Mail, and Web. PNS parses the syslog data received from the syslog servers and categorizes it into six groups: virus log, attack, audit, event, traffic, and vpn. Among these groups, PNS focuses on monitoring traffic and takes prevention and/or notification actions according to the user's preferences (shown in Figure 3.1).

Figure 3.1 PNS preference

3.1.1 Preference

There are three major required settings in the Preference dialog that you will need to look at:

Service type: there are four types of service traffic that PNS can monitor: FTP, Telnet, Mail, and Web. One can keep monitoring the traffic of one specific protocol or of several.

Threshold: The threshold is based on the traffic flow used by the protocol. Normally, the MIS team members know the average traffic flow for each protocol used. Once the traffic flow is larger than the average amount within a certain time, PNS is triggered to take action.

Time range: The time range can be set for every given time slot. PNS senses an abnormal amount of traffic volume and performs actions according to the preferences if the volume in any given time slot is larger than the threshold set by the user [11].

3.2 Prevention

In a word, the prevention action blocks certain port(s) from inside the firewall to outside the firewall (for example, the FTP service uses port 21) when the traffic flow reaches the threshold in a given time range. PNS blocks only the relevant port rather than the whole connection so that other functions are not affected. In the preference menu of Figure 3.1, one can not only set the time range over which the traffic flow is watched, but also designate how long PNS blocks the port while waiting for an administrator to deal with the exception. As soon as the situation has been resolved, the administrator can unblock the port or wait until the block time expires.

3.3 Notification

PNS has three options for notification: mail, sound, and screen.

Mail: Once the mail option check box has been marked, PNS displays a list of administrators to whom the warning messages will be sent. The warning message shows the relevant information, including the source and destination IPs, protocol, port number, time range, block time, and traffic flow. The mail receivers can be individual administrators or authorized user group(s).

Sound: The monitor PC beeps for a while, depending on the user's preference, followed by a hyperlink to alert the administrator.
The hyperlink leads the administrator to a message screen that shows the same information as the mail option does, together with a button to silence the PC's alarm sound.

Screen: PNS pops up a window and displays the relevant information, but without sound.

PNS records what happens every day so that users can refer back to it. The history file describes the time, the user, and the changes made to every preference.
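As an added example, not the authors' PNS code, the following Python sketches the monitor, threshold and action logic of Sections 3.1.1 to 3.3: categorized records of the traffic group are summed per service and time slot, and a slot whose volume exceeds the user's threshold yields one action that blocks the service's port for the configured block time and carries the fields the mail notification lists. The preference values, the records and the ports for Telnet, Mail and Web are constructed assumptions; only FTP on port 21 comes from the text.

```python
from collections import defaultdict

# Services PNS can monitor (Sec. 3.1.1) and the port blocked for each; FTP/21 is from the text, the rest assumed.
SERVICE_PORT = {"FTP": 21, "Telnet": 23, "Mail": 25, "Web": 80}

# Constructed preferences (cf. Figure 3.1): thresholds are bytes per time slot; unlisted services are not monitored.
PREFERENCE = {
    "slot_seconds": 60,      # time range: one slot per minute
    "block_seconds": 600,    # how long PNS keeps the port blocked
    "thresholds": {"FTP": 5_000_000, "Web": 20_000_000},
    "notify": ["mail", "screen"],
}

# Constructed, already-categorized records: ts is epoch seconds, group is one of the six groups.
SAMPLE_RECORDS = [
    {"ts": 980,  "group": "traffic", "service": "FTP",    "src": "10.11.1.50", "dst": "192.0.2.10", "bytes": 3_000_000},
    {"ts": 1000, "group": "traffic", "service": "FTP",    "src": "10.11.1.50", "dst": "192.0.2.10", "bytes": 2_500_000},
    {"ts": 1070, "group": "traffic", "service": "FTP",    "src": "10.11.1.51", "dst": "192.0.2.10", "bytes": 1_000_000},
    {"ts": 1010, "group": "traffic", "service": "Web",    "src": "10.11.1.60", "dst": "192.0.2.20", "bytes": 8_000_000},
    {"ts": 1015, "group": "traffic", "service": "Telnet", "src": "10.11.1.61", "dst": "192.0.2.30", "bytes": 9_000_000},
    {"ts": 1020, "group": "attack",  "service": "Web",    "src": "198.51.100.9", "dst": "10.11.1.60", "bytes": 0},
]

def slot_of(ts, slot_seconds):
    return ts - ts % slot_seconds          # start of the time slot containing ts

def aggregate(records, slot_seconds):
    """Sum bytes per (service, slot start); only the 'traffic' group counts (Sec. 3.1)."""
    totals = defaultdict(int)
    for r in records:
        if r["group"] == "traffic":
            totals[(r["service"], slot_of(r["ts"], slot_seconds))] += r["bytes"]
    return totals

def evaluate(records, pref):
    """One prevention + notification action per (service, slot) whose volume exceeds its threshold."""
    actions = []
    for (service, slot), total in sorted(aggregate(records, pref["slot_seconds"]).items()):
        limit = pref["thresholds"].get(service)   # None: service not monitored
        if limit is None or total <= limit:
            continue
        block_from = slot + pref["slot_seconds"]  # PNS reacts when the slot closes
        actions.append({"service": service, "port": SERVICE_PORT[service], "slot_start": slot,
                        "volume": total, "threshold": limit, "notify": list(pref["notify"]),
                        "block_from": block_from, "block_until": block_from + pref["block_seconds"]})
    return actions

def port_blocked(actions, port, now):
    """Sec. 3.2: the port stays blocked until an admin unblocks it or the block time expires."""
    return any(a["port"] == port and a["block_from"] <= now < a["block_until"] for a in actions)
```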
4. Conclusion

Firewalls are important intrusion detection and forensic tools, so for those serious about information security, understanding the firewall syslog is extremely valuable. Unfortunately, the firewall log files provided by the manufacturers just list general events, whereas consumers need more behaviour to protect their systems. How to utilize these data and make these logs more profitable is a very important topic for potential firewall users. In our study, we tried to build an early warning system, a smarter and more functional model, as an auxiliary to firewalls. In future work, we will add SMS (Short Message Service) notification to provide a more real-time service, and monitor more activities to expand PNS's capabilities.
5 REFERENCES

1. Erbacher, R., Walker, K., & Frincke, D. Intrusion and misuse detection in large-scale systems. IEEE Computer Graphics & Applications (2002), 1, 38-48.
2. NetScreen Concepts & Examples
3. Juniper Networks NetScreen CLI Reference Guide
4. NetScreen Message Log Reference Guide
5. Check Point VPN-1/FireWall-1 OPSEC API Specification
6. Check Point FireWall-1 LEA (Log Export API) Specification
7. Cisco PIX Firewall Software
8. Cisco PIX Firewall System Log Messages
9. Cisco PIX Firewall Command Reference
10. Using PIX Firewall Commands
11. An Intelligent Architecture for Traffic Controls in ATM Network. High-Performance Computing on the Information Superhighway, HPC-Asia '97, 04/28-05/02, 1997
12. Shimeall, T., & Williams, P. Models of Information Security Trend Analysis. CERT® Analysis Center, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA