
Provided by

Park Wiker CCNP/CCDA

AVAR

pwiker@wiker.net

Contents:

Security - Logging


Security

Today I would like to review what you should be thinking about when it comes to the security of your computer systems.

When it comes to computer systems, we need to acquire and sort information from our equipment to determine whether or not action needs to be taken. In this article, I will talk about logging in reference to your Security Policy. However, the value of logging in the disaster recovery/avoidance plan should not be underestimated. Log filtering will also help you maintain service levels and ensure the privacy of information.

In the computer/network world, logging means that a device records, or sends to another system, information relating to activities on that device. What follows is an example of what you may see in a log of events on a router (the addresses have been changed to protect the innocent):

2002-03-28 20:33:24     Local5.Error    172.000.000.000 120717: 13w5d: %FW-3-SMTP_INVALID_COMMAND: Invalid SMTP command from initiator (216.000.000.000:3755)
2002-03-28 20:47:27     Local5.Info     172.000.000.000 120718: 13w5d: %SEC-6-IPACCESSLOGP: list 121 denied tcp 209.000.000.000(4071) (Serial1/0 c000.000.000) -> 209.000.000.000(80), 1 packet
2002-03-28 22:09:52     Local5.Info     172.000.000.000 120721: 13w5d: %SEC-6-IPACCESSLOGP: list 121 denied tcp 63.000.000.000(42033) (Serial1/0 c000.000.000) -> 209.000.000.000(113), 1 packet
2002-03-28 22:16:22     Local5.Error    172.000.000.000 120722: 13w5d: %FW-3-FTP_NON_MATCHING_IP_ADDR: Non-matching address 192.000.000.000 used in PORT command  -- FTP client 64.000.000.000  FTP server 209.000.000.000

These entries can tell you about various activities that the router is performing for you. In this case, there are four entries listed. Using the first entry, let's review what it contains. First, you have the date and time at which the logging facility recorded the message. Next come two items called the "facility" and the "severity". The facility is configured manually so that networking personnel can route messages to certain containers, keeping related messages together. The severity is generally pre-set in the device to assist in ranking messages. There are eight different severities; they are all listed in the syslog RFC if you really need to know the nitty gritty of the protocol. Next you will see the address of the machine that submitted the message. Finally, you will find the actual message. In this case, the Cisco device has transmitted a sequence number, a time stamp, a code and the message text.

We log these events for a number of reasons. First, we want to know if there is some sort of configuration problem that we (the system administrators) need to address. Second, we want to know who or what is causing things to go wrong. In the example above, we see that someone at 216.000.000.000 sent an invalid command to our mail server. While one of these entries is nothing to be concerned about, 50 of them in a short time would be a point of concern: this could indicate an attack against our firewall or an attempted breach of our mail server.
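As an added example (not part of the original article), here is a small Python script that splits entries in the layout shown above into their fields and applies the "many in a short time" rule from this paragraph. The sample lines are constructed in the same format with placeholder addresses, and the threshold and window values are arbitrary choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the layout of the router log above; the
# addresses are placeholders, exactly as in the original listing.
SAMPLE_LOG = """\
2002-03-28 20:33:24     Local5.Error    172.000.000.000 120717: 13w5d: %FW-3-SMTP_INVALID_COMMAND: Invalid SMTP command from initiator (216.000.000.000:3755)
2002-03-28 20:34:10     Local5.Error    172.000.000.000 120719: 13w5d: %FW-3-SMTP_INVALID_COMMAND: Invalid SMTP command from initiator (216.000.000.000:3760)
2002-03-28 20:47:27     Local5.Info     172.000.000.000 120718: 13w5d: %SEC-6-IPACCESSLOGP: list 121 denied tcp 209.000.000.000(4071) (Serial1/0 c000.000.000) -> 209.000.000.000(80), 1 packet
2002-03-28 22:30:00     Local5.Error    172.000.000.000 120725: 13w5d: %FW-3-SMTP_INVALID_COMMAND: Invalid SMTP command from initiator (216.000.000.000:3801)
"""

# Fields: receipt time, facility.severity, reporting host, then "seq: uptime: %CODE: text"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<facility>\w+)\.(?P<severity>\w+)\s+(?P<host>\S+)\s+"
    r"(?P<seq>\d+): (?P<uptime>\S+): %(?P<code>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<text>.*)$"
)
INITIATOR_RE = re.compile(r"initiator \((?P<ip>[\d.]+):\d+\)")


def parse_line(line):
    """Split one line into its fields; return None if the line does not match."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["seq"] = int(rec["seq"])
    init = INITIATOR_RE.search(rec["text"])  # remote side of the SMTP session, if any
    rec["initiator"] = init.group("ip") if init else None
    return rec


def flag_repeat_offenders(records, code, threshold, window_minutes):
    """Return {initiator: peak count} for initiators with >= threshold `code` messages in any sliding window."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["code"] == code and r["initiator"]:
            by_ip[r["initiator"]].append(r["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide past entries older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged
```

Feed it the output of a syslog collector and raise the threshold to whatever "50 in a short time" means for your mail volume.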

As you can see, sorting through logs manually can be a daunting task at best. These logs will many times contain hundreds of entries per hour. In addition to syslog entries, we have SNMP traps as well as Windows event log data. Only the smallest of networks can peruse these logs manually; you will likely need a tool to sort them for you. That is where tools such as Kiwi Syslog or LogCaster become effective. Kiwi Syslog comes from the Unix world and has tools to integrate Windows event logs, whereas LogCaster starts with the Windows event log and integrates syslog functionality. How best to utilize these tools in your enterprise, or which tools to use, is a very personal decision. The first step is to determine what your security and disaster recovery/avoidance goals are. Once this has been determined, you can best choose a product to fulfill those needs.

In conclusion, logging of system events is an extremely important step in understanding what is happening on our computer network.
