A Prevention & Notification System By Using Firewall Log Data

By Pilan Lin

Academic year: 2021


Table of Contents

ABSTRACT
1 INTRODUCTION
2. Firewall Log Data
2.1 How to collect log data
3. Prevention & Notification System Model
3.1 Monitor
3.2 Prevention
3.3 Notification
4. Conclusion
5 REFERENCES

LIST OF FIGURES

Fig. 2.1 NetScreen 5GT log message format
Fig. 2.2 NetScreen 5GT severity levels
Fig. 2.3 NetScreen 5GT Web Interface
Fig. 2.4 Cisco PIX PDM Interface
Fig. 2.5 Cisco PIX PDM enable logging Interface
Fig. 2.6 Cisco PIX PDM syslog Interface


ABSTRACT

In this study we present a framework for designing a prevention and notification system (PNS) by means of firewall log data. The system consists of three components: monitor, prevention or notification, and action. We collect firewall log data from several products and categorize it into six groups: virus log, attack, audit, event, traffic, and vpn. By monitoring and analysing these activities, the prevention system can be triggered to automatically block connections between users inside the firewall and the Internet outside, and the notification system raises alarms to designated users according to thresholds set up by the users.

KEYWORDS:


1 INTRODUCTION

_________________________________________________________________________

Nowadays firewalls are indispensable equipment in small, medium and large business enterprises, and on personal computers as well. All kinds of firewalls are designed to prevent unauthorized access. Firewalls can be implemented in hardware, in software, or in a combination of both. They are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All data entering or leaving the intranet passes through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

There are several types of firewall techniques:

• Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules, the so-called "policy". Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.

• Application gateway: Applies security mechanisms to specific applications, such as HTTP, FTP and Telnet servers. This is very effective, but can impose performance degradation.

• Circuit-level gateway: Applies security mechanisms when a TCP connection (or UDP session) is established. Once the connection has been made, packets can flow between the hosts without further checking.

• Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.

In practice, many firewalls use two or more of these techniques in concert.

No matter which kind of firewall is chosen, all of them generate a large amount of log data. These text files can be enormous and quite complex, making manual review unfeasible, which often results in both undetected attacks and false alarms [1]. Unfortunately, by the time users check these logs the events have already happened, and events happen all the time. Firewalls can only block activities according to user-defined policies; in other words, if the user does not have much experience in writing policies, the firewall cannot do much better.

In this study, we use log data to build a prevention system model in which users set preferences that determine when the connection between the inside and the outside of the firewall is blocked.


2. Firewall Log data

_________________________________________________________________________

Firewall log data carries important information, such as indicators of spoofing, failed authentication attempts, abnormal protocol bandwidth, and virus attacks.

Even for organizations with one or two firewalls, it can be difficult to find the time to perform firewall log analysis to determine whether and how hackers are trying to break in, or to understand whether the latest worm is trying to exploit yesterday's newly announced vulnerabilities. For larger enterprises and government entities the problem gets significantly worse. Firewall log volumes can reach tens of thousands of events per second, a volume that requires specialised firewall log analysis and security event correlation software to make sense of. And firewall log analysis (both real-time and forensic) is becoming a fundamental requirement for meeting newly enacted legislative mandates and regulatory rules.

We collect firewall log data in real time and categorize it into six types: virus log, attack, audit, event, traffic, and vpn.

2.1 How to collect log data

In this paper, we demonstrate how to collect firewall log data for NetScreen 5GT, CheckPoint 380, and Cisco Pix501.

2.1.1 NetScreen 5GT

Syslog: a protocol that enables a device to send log messages to a host running the syslog daemon (syslog server). The syslog server then collects and stores these log messages locally [2]. For NetScreen 5GT, all messages consist of the following elements [3][4]:

• Date
• Time
• Module
• Severity Level
• Message Type
• Message Text


Fig. 2.1 NetScreen 5GT log message format

• The date shows the year-month-day when the event occurred.
• The time shows the hour:minute:second when the event occurred.
• The module shows the device type where the event occurred.
• The severity level places the event in one of eight levels of severity, using the hierarchical structure established by syslog, as shown in the following table.
• The message type displays a code number associated with the severity level.
• The message text displays the content of the event message. The event message includes the administrator's login name when the administrator performed an action.

Figure 2.2 shows the eight severity levels of syslog:

Message Type   Severity Level   Description
0              Emergency        The system has become unusable.
1              Alert            Immediate action is required.
2              Critical         Functionality is affected.
3              Error            An erroneous condition exists and functionality is probably affected.
4              Warning          Functionality might be affected.
5              Notification     Notification of normal events.
6              Information      General information about system operations.
7              Debugging        Detailed information useful for debugging purposes (currently not used).

Fig. 2.2 NetScreen 5GT severity levels

NetScreen 5GT provides two interfaces for managing the firewall: web and telnet. To collect log data through the web interface (fig. 2.3):

1. From the main menu choose Configuration -> Report Settings -> Syslog.
2. Fill in the IP address and port number of the syslog server.

Fig. 2.3 NetScreen 5GT Web Interface

Syslog data will then be sent to the indicated server.

2.1.2 CheckPoint 380

Unlike NetScreen, Check Point administers the firewall through OPSEC (Open Platform for Security). OPSEC integrates and manages all aspects of network security through an open, extensible management framework; third-party security applications plug into it via published application programming interfaces (APIs) [5].

The OPSEC SDK includes the following APIs:

• CVP (Content Vectoring Protocol): content screening and antivirus checking.
• UFP (URL Filtering Protocol): control of access to external Web sites.
• SAM (Suspicious Activity Monitoring): detection and blocking of intrusions.
• LEA (Log Export API): retrieval and export of VPN-1/FireWall-1 log data.
• ELA (Event Logging API): lets third-party applications log events into the VPN-1/FireWall-1 SmartCenter.
• UserAuthority: provides network security information to third-party applications.
• AMON (Application Monitoring API): lets third-party applications export their status information to VPN-1/FireWall-1.
• CPMI (Check Point Management Interface): a secure interface to the Check Point VPN-1/FireWall-1 SmartCenter Server and its components.

Of these, the LEA (Log Export API) Specification is the one relevant to log collection: it enables an application written by an OPSEC partner (a LEA client) to respond to log events generated by a LEA server, usually a FireWall-1 Management Module [6].

2.1.3 Cisco Pix501

Like NetScreen, PIX logs are very well documented. Cisco's PIX is a well-known and widely used firewall appliance, scalable from a small office or home environment up to an enterprise environment.

PIX can be configured either through a command line interface or through the PIX Device Manager (PDM), the HTML-based graphical configuration application that ships with the PIX, shown in figure 2.4.


Fig. 2.4 Cisco Pix PDM Interface

Once the PDM opens, click the “Configuration” icon on the top:


Fig. 2.5 Cisco Pix PDM enable logging Interface

Make sure the "Enable Logging" box is checked as in the screenshot. Then select "Syslog" in the tree view; this brings you to the page where syslog servers are configured. Typically the syslog server resides on the internal network, so leave the interface at "inside". Enter the IP address of your syslog server in the "IP Address" field (already done in the screenshot). Next, make sure UDP is selected as the protocol. The port value of 514 is both the default and the standard, and there should be little need to modify it; if you do, make sure you fully understand the implications, since a wrong port can disrupt traffic [7][8][9][10]. Note that syslog over UDP is neither acknowledged nor authenticated: messages dropped on the way are simply lost, and any host that can reach the collector can inject lines, which is one more reason to keep the collector on the inside interface.


Fig. 2.6 Cisco Pix PDM syslog Interface

After these steps, syslog messages are sent to the inside syslog server at 10.11.1.131 on UDP port 514.
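What the collector at 10.11.1.131 does with the datagrams it receives is not spelled out in the paper, so here is an added example (not code from the paper or from any vendor) of a small UDP syslog receiver in Python. It decodes the RFC 3164 <PRI> header into facility and severity (the 0 to 7 scale of Fig. 2.2 in section 2.1.1), extracts module, severity name, message type and message text from the body, and assigns one of the six categories. The ScreenOS and PIX body layouts matched by the regular expressions, the mapping of PIX message-id families onto categories, and the sample datagrams are assumptions, not taken from the references.

```python
"""UDP syslog collector for NetScreen 5GT and Cisco PIX messages (added example).

Decodes the RFC 3164 <PRI> header into facility and severity (0-7, Fig. 2.2),
pulls module / severity name / message type / text out of the body and assigns
one of the paper's six categories. Body layouts, the PIX category map and the
sample datagrams are assumptions, not taken from the vendor references.
"""
import re
import socket
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notification", "Information", "Debugging"]

# Assumed ScreenOS body: "... [Root]system-notification-00257(traffic): text"
NETSCREEN_RE = re.compile(
    r"\[(?P<admin>\w+)\](?P<module>\w+)-(?P<sevname>\w+)-(?P<msgtype>\d{5})"
    r"(?:\((?P<category>\w+)\))?:\s*(?P<text>.*)$", re.S)
# Assumed PIX body: "%PIX-6-302013: text" (severity digit, six-digit message id)
PIX_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<msgtype>\d{6}):\s*(?P<text>.*)$", re.S)
# Assumed mapping of PIX message-id families onto the paper's categories
PIX_CATEGORIES = {"106": "traffic", "302": "traffic", "400": "attack"}


@dataclass
class LogEvent:
    vendor: str
    facility: int
    severity: int      # numeric syslog severity, 0..7
    module: str
    msgtype: str
    category: str      # virus, attack, audit, event, traffic or vpn
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def decode_pri(datagram: str) -> Tuple[int, int, str]:
    """Split '<PRI>rest' into (facility, severity, rest); PRI = facility*8 + severity."""
    m = re.match(r"<(\d{1,3})>(.*)$", datagram, re.S)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range <PRI> header")
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)


def parse_datagram(datagram: str) -> Optional[LogEvent]:
    """Return a LogEvent for a NetScreen or PIX datagram, None if neither layout matches."""
    facility, severity, body = decode_pri(datagram)
    m = NETSCREEN_RE.search(body)
    if m:
        names = [n.lower() for n in SEVERITY_NAMES]
        name = m["sevname"].lower()
        # the severity word in the body wins over the PRI value when it is one of the eight
        sev = names.index(name) if name in names else severity
        return LogEvent("netscreen", facility, sev, m["module"], m["msgtype"],
                        m["category"] or "event", m["text"].strip())
    m = PIX_RE.search(body)
    if m:
        category = PIX_CATEGORIES.get(m["msgtype"][:3], "event")
        return LogEvent("pix", facility, int(m["sev"]), "pix", m["msgtype"],
                        category, m["text"].strip())
    return None


def collect(datagrams: Iterable[str]) -> List[LogEvent]:
    """Parse a batch, dropping datagrams that are malformed or match neither layout."""
    events = []
    for d in datagrams:
        try:
            ev = parse_datagram(d)
        except ValueError:
            ev = None
        if ev is not None:
            events.append(ev)
    return events


def serve(bind: str = "0.0.0.0", port: int = 514, logfile: str = "firewall.log") -> None:
    """Listen on UDP/514 (needs root) and append one parsed line per datagram."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    with open(logfile, "a") as out:
        while True:
            data, (src, _) = sock.recvfrom(65535)
            for ev in collect([data.decode("utf-8", errors="replace")]):
                out.write(f"{src} {ev.vendor} {ev.severity_name} {ev.category} "
                          f"{ev.msgtype} {ev.text}\n")
                out.flush()


# Constructed sample datagrams, not captured from real devices
SAMPLES = [
    '<133>ns5gt: NetScreen device_id=0012345678 [Root]system-notification-00257(traffic): '
    'start_time="2004-03-01 10:00:00" service=ftp proto=6 src=10.11.1.20 dst=192.0.2.10 '
    'sent=5120 rcvd=4096 action=Permit',
    '<166>%PIX-6-302013: Built outbound TCP connection 12 for outside:192.0.2.10/21 '
    '(192.0.2.10/21) to inside:10.11.1.20/1034 (10.11.1.20/1034)',
    '<164>%PIX-4-400013: IDS:2003 ICMP redirect from 10.11.1.5 to 10.11.1.1 on interface inside',
    '<13>plain syslog line with no firewall structure',
]

if __name__ == "__main__":
    for ev in collect(SAMPLES):
        print(ev.vendor, ev.severity_name, ev.category, ev.msgtype, ev.text[:40])
```

`serve()` needs root to bind port 514; `collect(SAMPLES)` exercises the parser offline. Datagrams that are malformed or match neither layout are dropped rather than raised, so a stray line from an unknown device cannot stall the collector, and for NetScreen the severity word in the body is trusted over the PRI value because the two are set independently on the device.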


3. Prevention & Notification System Model

_________________________________________________________________________

In our prevention and notification system model, we first collect firewall syslog data, and then users set preferences as thresholds. The system monitors the syslog from the firewalls and, once a threshold has been reached, sends alarms or blocks connections according to the preferences.

3.1 Monitor

The PNS monitors the traffic of several protocol services: FTP, Telnet, Mail, and Web. After parsing the syslog data received from the syslog servers, PNS categorizes it into six groups: virus log, attack, audit, event, traffic, and vpn. Among these groups, PNS focuses on monitoring traffic and takes prevention and/or notification actions according to the users' preferences (shown in figure 3.1).

Figure 3.1 PNS preference

3.1.1 Preference

There are three major required settings in the Preference that you will need to look at:

Protocol: FTP, Telnet, Mail, and Web are monitored separately. One can keep monitoring the traffic of one specific protocol or of several.

Threshold: The threshold is based on the traffic volume used by the protocol. Normally the MIS team members know the average traffic volume of each protocol in use. Once the traffic volume exceeds that amount within a certain time, PNS is triggered to take action.

Timerange: The time range is the width of the time slot over which traffic is measured. PNS detects an abnormal amount of traffic and performs the actions configured in the preference whenever the volume in any given time slot exceeds the user-defined threshold [11].

3.2 Prevention

In a word, the prevention action blocks certain port(s) between the inside and the outside of the firewall (for example port 21 for the FTP service) when the traffic volume reaches the threshold within a given time range. PNS blocks only the affected port rather than the whole connection so that other functions are not disturbed.

In the preference menu of figure 3.1, one can not only set the time range over which the traffic volume is watched, but also designate how long PNS blocks the port while waiting for an administrator to deal with the exception. As soon as the situation has been resolved, the administrator can unblock the port, or else wait until the block time expires.

3.3 Notification

PNS has three options for notification: mail, sound, and screen.

Mail: Once the mail check box has been marked, PNS displays the list of administrators to whom the warning messages will be sent. The warning message contains the relevant information: source and destination IPs, protocol, port number, time range, block time, and traffic volume.

The mail recipients can be individual administrators or authorized user group(s).

Sound: The monitoring PC beeps for a while, as configured in the user's preference, and then shows a hyperlink to alert the administrator. The hyperlink leads to a message screen showing the same information as the mail option, together with a button to silence the alarm on the PC.


Screen: PNS pops up a window that displays the relevant information, but without sound.

PNS records what happens every day so that users can refer back to it. The history file records the time, the user, and every change to a preference.
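The monitor, prevention and notification cycle of sections 3.1 to 3.3 can be written down compactly. The following is an added example in Python, not the paper's PNS implementation: it takes already parsed traffic events, sums bytes per protocol within fixed time slots of width `timerange`, and when a slot crosses the protocol's threshold it blocks the corresponding port for `block_time` and emits a notification carrying the fields section 3.3 lists, while appending to the history record. The port table, the preference field names, the history format and the sample events are assumptions.

```python
"""Threshold monitor for the PNS preference / prevention / notification cycle (added example).
Traffic events are summed per protocol inside fixed slots of width `timerange`; the event that
pushes a slot over the protocol's threshold blocks that port for `block_time` and produces a
notification with the fields of section 3.3. Ports, field names and sample events are assumed.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

PROTOCOL_PORTS = {"ftp": 21, "telnet": 23, "mail": 25, "web": 80}  # assumed port per service

# Preference: services to watch, bytes allowed per slot per protocol, slot width,
# how long a port stays blocked, notification channels (mail/sound/screen), mail recipients
Preference = namedtuple("Preference", "protocols threshold timerange block_time notify admins")
TrafficEvent = namedtuple("TrafficEvent", "ts protocol src dst nbytes")
Action = namedtuple("Action", "kind protocol port slot volume detail")  # kind: block | notify


def slot_of(ts: datetime, width: timedelta) -> datetime:
    """Floor a timestamp to the start of its fixed-width slot."""
    epoch = datetime(1970, 1, 1)
    n = int((ts - epoch).total_seconds() // width.total_seconds())
    return epoch + n * width


class PNS:
    def __init__(self, pref: Preference):
        self.pref = pref
        self.volume = defaultdict(int)          # (protocol, slot) -> bytes seen
        self.peers = defaultdict(set)           # (protocol, slot) -> {(src, dst)}
        self.blocked_until: Dict[int, datetime] = {}
        self.history: List[Tuple[datetime, str]] = []   # the daily record of section 3.3

    def is_blocked(self, port: int, now: datetime) -> bool:
        until = self.blocked_until.get(port)
        return until is not None and now < until

    def feed(self, ev: TrafficEvent) -> List[Action]:
        """Account one event and return the actions it triggers (usually none)."""
        p = self.pref
        if ev.protocol not in p.protocols:
            return []
        key = (ev.protocol, slot_of(ev.ts, p.timerange))
        self.volume[key] += ev.nbytes
        self.peers[key].add((ev.src, ev.dst))
        port = PROTOCOL_PORTS[ev.protocol]
        # while the port is blocked, further traffic in the slot is not re-reported
        if self.volume[key] <= p.threshold[ev.protocol] or self.is_blocked(port, ev.ts):
            return []
        self.blocked_until[port] = ev.ts + p.block_time
        detail = {"peers": sorted(self.peers[key]), "timerange": p.timerange,
                  "block_time": p.block_time, "admins": list(p.admins),
                  "channels": sorted(p.notify)}
        actions = [Action("block", ev.protocol, port, key[1], self.volume[key], detail)]
        if p.notify:
            actions.append(Action("notify", ev.protocol, port, key[1], self.volume[key], detail))
        self.history.append((ev.ts, f"blocked port {port} ({ev.protocol}) until {self.blocked_until[port]}"))
        return actions

    def unblock(self, port: int, now: datetime, who: str = "admin") -> None:
        """An administrator clears a block before block_time expires."""
        self.blocked_until.pop(port, None)
        self.history.append((now, f"{who} unblocked port {port}"))


def run(events: List[TrafficEvent], pref: Preference) -> Tuple[PNS, List[Action]]:
    """Replay events in time order through a fresh PNS and gather the actions."""
    pns = PNS(pref)
    actions: List[Action] = []
    for ev in sorted(events, key=lambda e: e.ts):
        actions.extend(pns.feed(ev))
    return pns, actions


# Constructed sample: FTP is allowed 10 kB per one-minute slot; three 4 kB transfers trip it
SAMPLE_PREF = Preference(protocols={"ftp", "web"}, threshold={"ftp": 10_000, "web": 100_000},
                         timerange=timedelta(minutes=1), block_time=timedelta(minutes=10),
                         notify={"mail", "screen"}, admins=["admin@example.com"])
T = datetime(2004, 3, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    TrafficEvent(T + timedelta(seconds=5), "ftp", "10.11.1.20", "192.0.2.10", 4_000),
    TrafficEvent(T + timedelta(seconds=20), "ftp", "10.11.1.20", "192.0.2.10", 4_000),
    TrafficEvent(T + timedelta(seconds=40), "ftp", "10.11.1.21", "192.0.2.10", 4_000),
    TrafficEvent(T + timedelta(seconds=50), "ftp", "10.11.1.20", "192.0.2.10", 4_000),  # already blocked
    TrafficEvent(T + timedelta(seconds=30), "web", "10.11.1.20", "192.0.2.11", 50_000),  # under threshold
    TrafficEvent(T + timedelta(seconds=35), "telnet", "10.11.1.20", "192.0.2.12", 9_000),  # not watched
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS, SAMPLE_PREF)[1]:
        print(a.kind, a.protocol, a.port, a.slot, a.volume, a.detail["peers"])
```

Re-triggering is suppressed while a port is blocked, so a sustained burst yields one block and one notification per block period rather than one per event; `unblock()` models the administrator clearing the block early, and both transitions land in `history`. The paper's own system is GUI-driven; this block is only the decision logic behind the preference screen.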


4. Conclusion

Firewalls are important intrusion detection and forensic tools, so for those serious about information security, understanding firewall syslog is extremely valuable. Unfortunately, the log files supported by the manufacturers only list general events, whereas consumers need more behaviour-oriented information to protect their systems. How to utilise this data and make these logs more useful is an important topic for potential firewall users.

In our study we tried to build an early warning system, a smarter and more functional model that works as an auxiliary to the firewalls. In future work we will add SMS (Short Message Service) notification to provide a more real-time service, and monitor more activities to expand PNS's capabilities.


5 REFERENCES

___________________________________________________________________________

1. Erbacher, R., Walker, K., & Frincke, D. Intrusion and misuse detection in large-scale systems. IEEE Computer Graphics & Applications (2002), 1, 38-48.

2. NetScreen Concepts & Examples

3. Juniper Networks NetScreen CLI Reference Guide

4. NetScreen Message Log Reference Guide

5. Check Point VPN-1/FireWall-1 OPSEC API Specification

6. Check Point FireWall-1 LEA (Log Export API) Specification

7. Cisco PIX Firewall Software

8. Cisco PIX Firewall System Log Messages

9. Cisco PIX Firewall Command Reference

10. Using PIX Firewall Commands

11. An Intelligent Architecture for Traffic Controls in ATM Network. High-Performance Computing on the Information Superhighway, HPC-Asia '97, April 28 - May 2, 1997

12. Shimeall, T., & Williams, P. Models of Information Security Trend Analysis. CERT Analysis Center, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA
