Reporting and Incident Management for Firewalls
The keys to unlocking your firewall's secrets

White Paper
November 8, 2001

Contents
The Role Of The Firewall In Network Security ... 2
Firewall Activity Reporting and Analysis ... 3
Real Time Monitoring and Automated Event Response for Enterprise Firewalls ... 3
Making the Most of Your Firewall Investment ... 5

This paper will provide an understanding of how to maximize the effectiveness of enterprise firewalls. The paper begins with a discussion of what a firewall is and its role in securing e-commerce infrastructures. We then review the capabilities commonly found within most software firewalls. Critical functionality is then explored in terms of its value and benefits. Specifically, the practical use of firewall reporting is detailed, along with the importance of real-time monitoring, event notification and automated response to close the loop on suspicious firewall activity. The combination of these technologies ensures comprehensive firewall effectiveness.
Legal Notice

NetIQ Corporation provides this document "as is" without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

This document and the software described in this document are furnished under a license agreement or a non-disclosure agreement and may be used only in accordance with the terms of the agreement. This document may not be lent, sold, or given away without the written permission of NetIQ Corporation. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Companies, names, and data used in this document are fictitious unless otherwise noted.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of the document. NetIQ Corporation may make improvements in and/or changes to the products described in this document at any time.

1995-2001 NetIQ Corporation, all rights reserved.

U.S. Government Restricted Rights: Use, duplication, or disclosure by the Government is subject to the restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause of the DFARs 252.227-7013 and FAR 52.227-29(c) and any successor rules or regulations.
AppManager, the AppManager logo, Knowledge Scripts, Work Smarter, NetIQ Partner Network, the NetIQ Partner Network logo, Chariot, Pegasus, Qcheck, ADcheck, NetIQ Security Manager, NetIQ File and Storage Administrator, OnePoint, the OnePoint logo, OnePoint Directory Administrator, OnePoint Resource Administrator, OnePoint Exchange Administrator, OnePoint Domain Migration Administrator, OnePoint Operations Manager, OnePoint File Administrator, OnePoint Event Manager, Enterprise Administrator, Knowledge Pack, ActiveKnowledge, ActiveAgent, ActiveEngine, Mission Critical Software, the Mission Critical Software logo, Ganymede, Ganymede Software, the Ganymede logo, NetIQ, and the NetIQ logo are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States and other jurisdictions. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.

Firewall Reporting and Incident Management 1
The Role Of The Firewall In Network Security

Put simply, the firewall is a gateway between two networks. Typically, this gateway is implemented between a trusted network (your own corporate network) and the Internet. The firewall's job is to ensure that all traffic moving from one network to the other conforms to your organization's security policies. In other words, the firewall inspects all incoming and outgoing communications and decides whether to allow the data to pass through, or whether to reject or log the information. VPN technology extends this decision to include whether to encrypt the communication. For the purposes of this paper we will focus on the firewall and firewall management technologies. Virtual Private Networking (VPN) and VPN management is primarily an extension of firewall technology to include the encryption/decryption of particular traffic at the firewall.

Common functionality found in firewall products

The firewall itself comes with capabilities for building the rules of allowable communications between networks. Basic functionality includes:

- Policy or configuration editors - building and enforcing policies regarding the communication types, destinations and sources. For example, a firewall can be configured to prevent traffic from a specific source.
- Packet filtering - IP packet filters are static: communication through a specific port is always either allowed or blocked. Allow filters pass all traffic at the specified port; block filters always prevent the packets from passing through.
- Out-of-the-box support for common protocols such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Internet Relay Chat (IRC), H.323, and Transparent HTTP. The firewall can also be configured to support additional protocols by designating the protocol type and port to be used.
- Application layer filters - analyze data streams to or from a specific application.
  This mechanism is used to protect against known exploits such as unsafe SMTP commands or attacks against internal Domain Name System (DNS) servers.
- Logging events to a designated log file. Advanced firewalls can log events to a remote location, providing some level of consolidation of firewall events.
- Log file viewer - a simple application for viewing events in the log file. The more advanced log viewers are color coded to designate severity.

In summary, the point of this functionality is to allow the user to define the rules of engagement between their network and the outside world. The firewall is the omnipotent Internet gatekeeper for your organization. It knows all and could control all (at least as far as Internet traffic is concerned). However, IT organizations rarely extract the true value of their firewalls. For a variety of reasons the potential for enhancing the security of the enterprise goes unrealized. The truth is that most firewalls are actually misconfigured.

"According to ICSA, 70% of sites with certified commercial firewalls are still vulnerable to attacks due to misconfiguration or improper deployment." (January 1999)

Good firewall administrators know that their firewall is keeping valuable secrets. More importantly, they know how to discover those secrets and use that information to better protect their enterprise. The following sections detail two complementary technologies that help these administrators maximize the organization's return on its firewall investment.
Firewall Activity Reporting and Analysis

Firewall log files represent a rarely-mined IT gem. These logs contain information on how effectively the firewall is performing, as well as a record of all incoming and outgoing activity. This valuable information can help companies optimize their networks, prevent security breaches, and manage employee Internet usage policies. More specifically, Firewall Reporting products from NetIQ add value to your firewall by allowing administrators to mine critically important security data on a daily basis. The reports generated by the products help IT groups:

- Take control of bandwidth usage by analyzing and reporting on user and department consumption
- Track and automatically categorize inappropriate Internet usage to address potential legal exposure
- Identify the timing of bandwidth spikes in order to understand peak traffic loads and possible bandwidth drivers
- Identify bandwidth hogs: which users or applications are taking up bandwidth
- Summarize, organize and analyze firewall errors
- Break down protocol usage
- Effectively manage limited budget dollars
- Accurately predict and justify bandwidth needs through trend analysis

Real Time Monitoring and Automated Event Response for Enterprise Firewalls

While it's important to be able to analyze historical firewall activity, reporting alone cannot help you stop a security breach in progress. However, real-time detection of suspicious activity along with automated response actions, such as that provided in Security Manager, can stop a hacker in his tracks. After extensive research and customer-driven development, NetIQ has released its first integration module for Firewall Incident Management. This first module, for CheckPoint FireWall-1, represents a significant step in ensuring 360°-effective perimeter security.
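As an added example (not from the NetIQ paper or its products), the following Python script mines constructed log lines for several of the reports listed in the reporting section above: bytes per user and per service, the top bandwidth hogs, the hour of the bandwidth spike, and firewall error events. The semicolon-separated key=value line format is an assumption, not the FireWall-1 log format.

```python
from collections import Counter

# Constructed sample log (not real traffic): one event per line,
# semicolon-separated key=value fields. The format is assumed.
SAMPLE_LOG = """\
time=09:12:01;action=accept;src=10.1.1.5;user=alice;service=http;bytes=512000
time=09:13:44;action=accept;src=10.1.1.9;user=bob;service=ftp;bytes=2048000
time=10:02:10;action=drop;src=203.0.113.7;user=;service=telnet;bytes=0
time=10:05:33;action=accept;src=10.1.1.5;user=alice;service=http;bytes=4096000
time=10:07:15;action=accept;src=10.1.1.12;user=carol;service=smtp;bytes=128000
time=14:30:00;action=error;src=;user=;service=;bytes=0;msg=log disk 95% full
time=14:31:02;action=accept;src=10.1.1.9;user=bob;service=http;bytes=1024000
"""

def parse_log(text):
    """Turn each non-empty line into a dict of field -> value."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(dict(kv.split("=", 1) for kv in line.split(";")))
    return events

def bytes_by(events, field):
    """Accepted bytes summed per value of `field` (e.g. user or service)."""
    totals = Counter()
    for e in events:
        if e["action"] == "accept" and e[field]:
            totals[e[field]] += int(e["bytes"])
    return totals

def bandwidth_hogs(events):
    """Users ranked by accepted bytes, heaviest consumer first."""
    return bytes_by(events, "user").most_common()

def peak_hour(events):
    """Hour of day (as 'HH') carrying the most accepted bytes: the spike timing."""
    hourly = Counter()
    for e in events:
        if e["action"] == "accept":
            hourly[e["time"][:2]] += int(e["bytes"])
    return hourly.most_common(1)[0][0]

def firewall_errors(events):
    """Count firewall error events by message for the error report."""
    return Counter(e.get("msg", "") for e in events if e["action"] == "error")
```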
Security Manager for CheckPoint FireWall-1 helps firewall administrators get above the noise created by thousands of firewall events to pinpoint and alert on selected or noteworthy events and activity. The following list details the most important benefits of Security Manager for CheckPoint FireWall-1.

Consolidates FireWall-1 log file information

CheckPoint FireWall-1 management servers maintain log files for a suggested 20 to 50 enforcement points. In large organizations, there is a need to consolidate and protect all log information in a single data store to meet company- and industry-mandated audit requirements.

Detects Misconfigurations

Misconfiguration of your firewall can leave your network vulnerable to attack. With the vast number of configuration settings, errors can easily creep into your system. Configuration errors become even more prevalent when multiple administrators make changes to the firewall settings. The Security Manager for Check Point FireWall-1 module compares the firewall configuration file with identified security policies. This helps to ensure that the firewall
configuration policy is maintained. If the firewall is out of compliance, you receive an alert so that you can fix the problem.

Backs Up Configuration Settings

If your management server and firewall computers ever go down, it is important to be able to restore them as quickly as possible. Having a routine backup process ensures that you always have an up-to-date backup available to restore your system to its original state. The Security Manager for Check Point FireWall-1 module allows you to automate the backup process. After you specify the backup schedule and content, as well as the location of the backup file, this integration module automatically performs the scheduled backups.

Identifies External Attacks

One way to protect your network from external attacks is to watch for malformed packets or unusual port scanning activity. If you receive a large number of port scans from the same host, it is likely that a malicious user is targeting your network. In response to such events, the Security Manager for Check Point FireWall-1 module can alert you to the suspicious activity. You can configure an automated notification to be sent to the members of a specific notification group to respond to the attack.

Provides Single Point of Monitoring

In today's large network environments, using multiple applications to monitor network activity can slow down the IT team and prolong problem resolution. Speedy identification of firewall issues helps ensure that perimeter security is maintained. The Security Manager for Check Point FireWall-1 module gathers all firewall-related events, alerts, and other activities into one central location. This allows you to avoid sifting through numerous event logs to identify when attacks are underway or when configurations are out of date. Additionally, to help maintain the integrity of this information, it is stored in a secure central repository.
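An added example, not code from the NetIQ paper or the Security Manager module, of the kind of check the "Detects Misconfigurations" benefit above describes: a constructed rule base is compared against a written security policy and every deviation is returned as a finding an administrator would be alerted on. The rule fields, the policy entries and the checks themselves are assumptions.

```python
# Constructed rule base (an assumption, not a real FireWall-1 export),
# ordered first-match-wins the way a FireWall-1 rule base is evaluated.
RULE_BASE = [
    {"no": 1, "src": "Any", "dst": "web_dmz", "svc": "http", "action": "accept", "log": True},
    {"no": 2, "src": "admin_net", "dst": "fw_mgmt", "svc": "ssh", "action": "accept", "log": True},
    {"no": 3, "src": "Any", "dst": "Any", "svc": "telnet", "action": "accept", "log": False},
    {"no": 4, "src": "Any", "dst": "Any", "svc": "Any", "action": "drop", "log": False},
]

# The written policy the rule base must satisfy (assumed form).
POLICY = {
    "forbidden_services": {"telnet"},     # clear-text admin protocols never accepted
    "no_any_any_accept": True,            # no accept rule from Any to Any
    "drops_must_log": True,               # every drop rule must log
    "last_rule_is_cleanup_drop": True,    # rule base ends with an explicit deny
}

def check_compliance(rules, policy):
    """Return (rule number, finding) pairs; an empty list means compliant."""
    findings = []
    for r in rules:
        if r["action"] == "accept" and r["svc"] in policy["forbidden_services"]:
            findings.append((r["no"], f"accepts forbidden service {r['svc']}"))
        if (policy["no_any_any_accept"] and r["action"] == "accept"
                and r["src"] == "Any" and r["dst"] == "Any"):
            findings.append((r["no"], "accept rule with Any source and Any destination"))
        if policy["drops_must_log"] and r["action"] == "drop" and not r["log"]:
            findings.append((r["no"], "drop rule does not log"))
    last = rules[-1] if rules else None
    cleanup = bool(last) and last["action"] == "drop" and all(
        last[f] == "Any" for f in ("src", "dst", "svc"))
    if policy["last_rule_is_cleanup_drop"] and not cleanup:
        findings.append((last["no"] if last else 0, "no final Any/Any/Any drop rule"))
    return findings

def is_compliant(rules, policy):
    """True when the rule base matches the policy; otherwise an alert is due."""
    return not check_compliance(rules, policy)
```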
Provides Automated Responses

The Security Manager for Check Point FireWall-1 module can provide automated responses to detected threats. For example, some rules contain automated scripts to run in response to identified external attacks. Likewise, if the firewall cannot start up properly due to network problems, an email notification can be sent or an administrator can be paged to take care of the problem.
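An added example, not from the paper or the Security Manager module, of the port-scan detection and automated notification described under "Identifies External Attacks" and "Provides Automated Responses": it counts the distinct destination ports a single source hits within a time window over constructed drop events, and turns each detection into a notification record for a response group. The event format, the threshold and window, and the group name are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed drop events (timestamp, source IP, destination port); not real traffic.
DROP_EVENTS = [
    ("2001-11-08 10:00:01", "203.0.113.7", 21),
    ("2001-11-08 10:00:01", "203.0.113.7", 22),
    ("2001-11-08 10:00:02", "203.0.113.7", 23),
    ("2001-11-08 10:00:02", "203.0.113.7", 25),
    ("2001-11-08 10:00:03", "203.0.113.7", 80),
    ("2001-11-08 10:00:03", "203.0.113.7", 110),
    ("2001-11-08 10:00:04", "203.0.113.7", 143),
    ("2001-11-08 10:00:05", "203.0.113.7", 443),
    ("2001-11-08 10:00:05", "203.0.113.7", 445),
    ("2001-11-08 10:00:06", "203.0.113.7", 3389),
    ("2001-11-08 10:01:00", "198.51.100.2", 80),    # two stray drops, minutes apart
    ("2001-11-08 10:09:00", "198.51.100.2", 443),
]

def detect_port_scans(events, window=timedelta(seconds=60), min_ports=10):
    """Return {source: set of ports} for every source that touched at least
    min_ports distinct destination ports inside some span of length `window`."""
    seen = defaultdict(list)            # source -> [(time, port), ...]
    for ts, src, port in events:
        seen[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), port))
    scanners = {}
    for src, hits in seen.items():
        hits.sort()                     # slide the window from each hit forward
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                scanners[src] = ports
                break
    return scanners

def build_alerts(events, group="perimeter-oncall"):
    """Turn detections into notification records for the response group
    (the assumed hook where a pager or e-mail step would be attached)."""
    return [{"group": group, "source": src, "ports": len(ports),
             "text": f"possible port scan from {src}: {len(ports)} ports probed"}
            for src, ports in sorted(detect_port_scans(events).items())]
```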
Making the Most of Your Firewall Investment

The table below summarizes the critical functions necessary to make the most of your firewall investment.

Capability                                        | Firewall (base product) | Firewall Reporting Products | Security Manager for Check Point FW-1
--------------------------------------------------|-------------------------|-----------------------------|--------------------------------------
Policy Editor (P.E.) - Packet filtering           | X                       |                             |
P.E. - Application filtering                      | X                       |                             |
P.E. - Protocol support                           | X                       |                             |
P.E. - Firewall event logging                     | X                       |                             |
Log file viewer                                   | X                       |                             |
Reporting on bandwidth usage                      |                         | X                           |
Reporting on categorized employee Internet usage  |                         | X                           |
Reporting on protocol usage                       |                         | X                           |
Identify bandwidth hogs                           |                         | X                           |
Identify timing of bandwidth spikes               |                         | X                           |
Reporting on firewall errors                      |                         | X                           |
Consolidate firewall logs                         |                         |                             | X
Detect firewall misconfigurations                 |                         |                             | X
Backup firewall configuration stds.               |                         |                             | X
Real-time attack identification                   |                         |                             | X
Automated policy based response actions           |                         |                             | X