Firewall Log Analysis for Check Point Firewall-1, Cisco PIX and Netscreen
As the primary perimeter defense for most networks, firewalls can often be an important intrusion detection and forensic tool. So, for those serious about information security, understanding firewall logs is extremely valuable. This article is a primer on log analysis for a few of today's most popular firewalls: Check Point Firewall-1, Cisco PIX, and NetScreen.
For those with the resources to justify a 24x7 staff of security professionals and the associated infrastructure, or an outsourced team of pros, logs can be analyzed in real time. For others, logs can be processed in batch. Either way, your firewalls may have more to tell you security-wise than any other type of system. There are countless illustrations of this.
Before antivirus signatures were released for Code Red and Nimda, firewalls were already telling the story of these new worms. Firewalls were backed up with connections from newly infected hosts. Conscientious security administrators listened to their firewalls and, by investigating those hosts, were among the first to identify the malicious code. The same goes for the OPASERV worm.
Firewall logs filled with alerts for denied connections or, in some cases, simply with too many allowed connections. Investigating the top talkers in the firewall logs revealed the problem. What we are talking about is early warning of major outbreaks. Further, in my work (enterprise security monitoring) we routinely find Trojan horses and rootkits trying to phone home through firewalls, usually via IRC, and most people would be surprised how often. These Trojans are becoming more common with the growing number of mobile users and more porous networks in general.
They are almost never identified by any type of network or host-based IDS because they look like normal traffic and are so numerous and varied. Lastly, regarding forensics, most firewalls are single points of entry, or nearly so. Any compromise or attack that comes from the outside world should therefore leave some kind of fingerprint in the firewall logs.
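The two checks described above, top talkers by denied and by allowed connections and inside hosts phoning home to IRC, come down to normalising log lines and counting. The script below is an added example, not code from the original article or from any of the vendors it covers. It parses Cisco PIX syslog messages 106023 (denied by ACL) and 302013 (TCP connection built); the message shape is the real PIX format, but the sample lines, addresses and counts are constructed, and the set of IRC ports and the assumption that the lower-security endpoint is listed first ("for ...") in a 302013 message are the author's of this example.

```python
import re
from collections import Counter

# Constructed sample lines modelled on Cisco PIX syslog messages 106023 (denied by
# ACL), 302013 (TCP connection built) and 302014 (teardown, ignored here).
# Addresses are documentation ranges and the counts are invented.
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:192.0.2.10/34567 dst inside:10.0.0.5/80 by access-group "outside_access_in"
%PIX-4-106023: Deny tcp src outside:192.0.2.10/34568 dst inside:10.0.0.6/80 by access-group "outside_access_in"
%PIX-4-106023: Deny tcp src outside:192.0.2.10/34569 dst inside:10.0.0.7/80 by access-group "outside_access_in"
%PIX-4-106023: Deny tcp src outside:192.0.2.10/34570 dst inside:10.0.0.8/80 by access-group "outside_access_in"
%PIX-4-106023: Deny tcp src outside:198.51.100.7/1025 dst inside:10.0.0.5/445 by access-group "outside_access_in"
%PIX-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.9/6667 (203.0.113.9/6667) to inside:10.0.0.42/51000 (192.0.2.1/51000)
%PIX-6-302013: Built outbound TCP connection 1002 for outside:203.0.113.9/6667 (203.0.113.9/6667) to inside:10.0.0.42/51001 (192.0.2.1/51001)
%PIX-6-302013: Built outbound TCP connection 1003 for outside:203.0.113.20/80 (203.0.113.20/80) to inside:10.0.0.42/51002 (192.0.2.1/51002)
%PIX-6-302014: Teardown TCP connection 1003 for outside:203.0.113.20/80 to inside:10.0.0.42/51002 duration 0:00:02 bytes 1450 TCP FINs
%PIX-6-302013: Built outbound TCP connection 1004 for outside:203.0.113.21/80 (203.0.113.21/80) to inside:10.0.0.43/51003 (192.0.2.1/51003)
%PIX-6-302013: Built inbound TCP connection 1005 for outside:198.51.100.8/40000 (198.51.100.8/40000) to inside:10.0.0.5/25 (192.0.2.2/25)
"""

DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)')
BUILT_RE = re.compile(
    r'%PIX-6-302013: Built (?P<dir>inbound|outbound) TCP connection \d+ '
    r'for (?P<aif>\w+):(?P<aip>[\d.]+)/(?P<aport>\d+) \([\d.]+/\d+\) '
    r'to (?P<bif>\w+):(?P<bip>[\d.]+)/(?P<bport>\d+) \([\d.]+/\d+\)')

# Assumption: ports commonly used by IRC servers at the time (6660-6669, 6697, 7000).
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}


def parse_pix(text):
    """Normalise PIX lines into (kind, initiator_ip, responder_ip, responder_port).

    Lines that are neither a 106023 deny nor a 302013 build are skipped.
    For 302013 the 'for' endpoint is the lower-security side in both directions
    (assumption based on the PIX message layout), so on an outbound build the
    initiator is the 'to' endpoint and on an inbound build it is the 'for' one.
    """
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            events.append(("deny", m["sip"], m["dip"], int(m["dport"])))
            continue
        m = BUILT_RE.search(line)
        if m:
            lo = (m["aip"], int(m["aport"]))   # 'for' endpoint, lower-security side
            hi = (m["bip"], int(m["bport"]))   # 'to' endpoint, higher-security side
            if m["dir"] == "outbound":
                events.append(("built", hi[0], lo[0], lo[1]))
            else:
                events.append(("built", lo[0], hi[0], hi[1]))
    return events


def top_talkers(events, kind, n=3):
    """The n initiators with the most events of one kind ('deny' or 'built')."""
    return Counter(e[1] for e in events if e[0] == kind).most_common(n)


def irc_phone_home(events):
    """Allowed connections to IRC ports, counted per (initiator, responder) pair.

    A denied connection never reaches this check; only traffic the policy let
    through is a candidate beacon, which is why 'built' messages matter.
    """
    return Counter((src, dst) for kind, src, dst, port in events
                   if kind == "built" and port in IRC_PORTS)


if __name__ == "__main__":
    ev = parse_pix(SAMPLE_LOG)
    print("Top denied sources:     ", top_talkers(ev, "deny"))
    print("Top connection builders:", top_talkers(ev, "built"))
    for (src, dst), n in irc_phone_home(ev).items():
        print(f"possible IRC beacon: {src} -> {dst} ({n} connections)")
```

On the constructed sample, 192.0.2.10 dominates the denied list (four denies against consecutive inside hosts, the scanning pattern the article associates with worm infection), 10.0.0.42 leads the allowed list, and the same host shows up twice connecting out to TCP/6667, the kind of allowed-but-unusual traffic the article says an IDS will miss but a top-talker review will not. Check Point and NetScreen logs need their own regular expressions, but the same normalise-then-count structure applies.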