EventId.Net - Firewalls
Analyzing Cisco Pix firewall logs with FireGen Log Analyzer - Summary of recommendations

All the notes on this page are derived from our daily analysis of our Cisco Pix firewall logs using FireGen for Pix Log Analyzer, Version 2.0. To cross-reference the report sections mentioned in these articles, see the sample report. As a demo, you may send us one of your logs, and we will analyze it with FireGen and send you back the report along with a short analysis from our consultants.

This page represents a summary of recommendations discussed in our "Firewall Log Analysis Diary".
 

| Date | Recommendation | Reason |
|---|---|---|
| March 8, 2004 | If your servers are running antivirus software, keep an eye on the FTP Downloads section to make sure that the server does connect to the antivirus update sites. | It proves that your server updates its virus pattern files regularly. |
| March 9 and March 23, 2004 | Monitor the outgoing connections of your email server. | A large number of connections to a single host may indicate a delivery problem to that domain or a denial-of-service attack. |
| March 12 and March 26, 2004 | Modify the FireGen DNS Cache file to map friendly names to the hosts and networks of the most popular sites. | It gives a better view of the traffic by consolidating sites that span several web servers (or are configured in clusters). |
| March 19, 2004 | Monitor the "popular" NetBIOS (UDP/137, UDP/139 and TCP/445) and MS RPC (TCP/135) protocols used by common Internet worms. | Keep an eye on the exposure of your Internet connection to such threats. |
| March 20, 2004 | The Pix firewall does not log all traffic statistics. | Do not rely entirely on the Pix firewall logs for traffic-related statistics. |
| March 22 and March 29, 2004 | Put the IP addresses of suspected spammers in the Monitor IP Addresses list. | Future connections will be tagged, and you can decide to block them through an access-control list. |
| March 25, 2004 | Investigate internal hosts that generate a large number of connections. | In most cases the internal user is doing something against the security policy that may affect other systems. |
| April 2, 2004 | Choose your public host names wisely. | The names may reveal information about the system that may help potential intruders. |
| April 5, 2004 | Contact your ISP if you notice many denied connections from within the "neighborhood". | The ISP may have policies that increase security and decrease the load on your Internet connection by shutting down infected customers. |
| April 13, 2004 | Keep an eye on the "Message types distribution" section. | The number of distinct message types should vary only slightly from day to day. A sudden variation in this number may indicate unusual activity in the firewall. |
| April 14, 2004 | Pay attention to denied connections from internal hosts. | Denied connections from internal hosts may indicate problems with "important" servers such as domain controllers. |
| April 21, 2004 | Exclude messages containing the "6-106015" Pix code. | Most messages of this type are caused by Internet latency; they clutter the reports and obscure more useful statistics. |
| April 27, 2004 | Consider implementing a web proxy server. | Pix does not log the names of the sites visited. If the business requires better control or monitoring of web browsing, a proxy server may provide it. |
| April 28, 2004 | Develop a good "report reading" methodology. | It is easy to get "lost" in large reports. |
| April 29, 2004 | Get more from your reports by excluding keywords such as .gif, .js, adlet, .jpg, ticker, servlet, .css. | By excluding such keywords, one gets a better view of the most popular web pages visited by internal or external users. |
| May 1, 2004 | Identify VPN users vs. site-to-site VPNs by using the "Monitored IPs" list. | Tagging the remote peer IP address of a site-to-site VPN marks the connection in the report. |
| May 3, 2004 | Identify specific activities performed by internal users by choosing the proper filtering keywords. | Managers may require statistics about certain types of traffic that are not always identified by a distinct protocol (e.g. FrontPage users). |
| June 30, 2004 | Determine whether most of the worm-related traffic comes from computers using the same ISP. | You may prove to your ISP that part of the bandwidth you are paying for is consumed by traffic from infected computers. The ISP should have policies in place to prevent such hosts from using your bandwidth. |
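Several of the recommendations above (the mail-server fan-out check of March 9, the worm-port watch of March 19, the Monitor IP Addresses tagging of March 22, and the message-type distribution with the 6-106015 exclusion of April 13 and April 21) can be tried by hand on raw Pix syslog lines. The script below is an added example written for this page; it is not FireGen code and does not reproduce FireGen's report format. The log lines, addresses and the mail server IP (10.1.1.5) are constructed for the demonstration, and the messages follow the Pix 6.x syslog layout for codes 302013, 106023 and 106015.

```python
"""Hand-rolled triage of a few Cisco Pix 6.x syslog lines (added example, not FireGen)."""
import re
from collections import Counter

# Constructed sample lines (RFC 5737 documentation addresses); not taken from a real log.
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.10/25 (203.0.113.10/25) to inside:10.1.1.5/49152 (192.0.2.7/49152)
%PIX-6-302013: Built outbound TCP connection 1002 for outside:203.0.113.10/25 (203.0.113.10/25) to inside:10.1.1.5/49153 (192.0.2.7/49153)
%PIX-6-302013: Built outbound TCP connection 1003 for outside:203.0.113.10/25 (203.0.113.10/25) to inside:10.1.1.5/49154 (192.0.2.7/49154)
%PIX-6-302013: Built outbound TCP connection 1004 for outside:203.0.113.11/25 (203.0.113.11/25) to inside:10.1.1.5/49155 (192.0.2.7/49155)
%PIX-4-106023: Deny tcp src outside:198.51.100.7/3456 dst inside:192.0.2.7/445 by access-group "outside_in"
%PIX-4-106023: Deny udp src outside:198.51.100.8/137 dst inside:192.0.2.7/137 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:198.51.100.7/3457 dst inside:192.0.2.7/135 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:198.51.100.20/4000 dst inside:192.0.2.7/25 by access-group "outside_in"
%PIX-6-106015: Deny TCP (no connection) from 198.51.100.9/80 to 192.0.2.7/50000 flags ACK on interface outside
%PIX-6-106015: Deny TCP (no connection) from 198.51.100.9/80 to 192.0.2.7/50001 flags ACK on interface outside
"""

MSG_ID_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<code>\d{6}):")
# 302013: Built {inbound|outbound} TCP connection <id> for <if>:<ip>/<port> (<mapped>) to <if>:<ip>/<port> (<mapped>)
BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) TCP connection \d+ for "
    r"(?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<port1>\d+) \(\S+\) to "
    r"(?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<port2>\d+) \(\S+\)"
)
# 106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
DENY_RE = re.compile(
    r"Deny (?P<proto>tcp|udp) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group"
)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Ports named in the March 19 recommendation.
WORM_PORTS = {("udp", 137), ("udp", 139), ("tcp", 445), ("tcp", 135)}


def msg_code(line):
    """Return the six-digit Pix message code of a line, or None if it is not a Pix message."""
    m = MSG_ID_RE.search(line)
    return m.group("code") if m else None


def mail_server_fanout(lines, mail_server_ip, threshold):
    """March 9/23: outbound SMTP connections per remote host from the mail server.
    Returns (Counter of remote hosts, sorted list of hosts at or above threshold)."""
    per_remote = Counter()
    for line in lines:
        if msg_code(line) != "302013":
            continue
        m = BUILT_RE.search(line)
        if not m or m.group("dir") != "outbound":
            continue
        # For an outbound connection the "for" endpoint is the remote host and the
        # "to" endpoint is the local host (real address, before NAT).
        remote_ip, remote_port, local_ip = m.group("ip1"), m.group("port1"), m.group("ip2")
        if local_ip == mail_server_ip and remote_port == "25":
            per_remote[remote_ip] += 1
    flagged = sorted(ip for ip, n in per_remote.items() if n >= threshold)
    return per_remote, flagged


def worm_port_hits(lines):
    """March 19: denied (106023) packets aimed at the worm-favoured ports, counted per source IP."""
    hits = Counter()
    for line in lines:
        if msg_code(line) != "106023":
            continue
        m = DENY_RE.search(line)
        if m and (m.group("proto"), int(m.group("dport"))) in WORM_PORTS:
            hits[m.group("sip")] += 1
    return hits


def tag_monitored(lines, monitored_ips):
    """March 22/29: mark every line that mentions an address on the Monitor IP Addresses list."""
    return ["[MONITORED] " + line for line in lines
            if set(IP_RE.findall(line)) & set(monitored_ips)]


def message_type_distribution(lines, exclude_codes=frozenset()):
    """April 13/21: distribution of message codes, with noisy codes (e.g. 106015) left out."""
    dist = Counter()
    for line in lines:
        code = msg_code(line)
        if code and code not in exclude_codes:
            dist[code] += 1
    return dist


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    counts, flagged = mail_server_fanout(lines, "10.1.1.5", threshold=3)
    print("SMTP fan-out per remote host:", dict(counts), "flagged:", flagged)
    print("Worm-port denies per source:", dict(worm_port_hits(lines)))
    for tagged in tag_monitored(lines, {"198.51.100.20"}):
        print(tagged)
    print("Message types (106015 excluded):", dict(message_type_distribution(lines, {"106015"})))
```

The threshold in `mail_server_fanout` is deliberately a parameter: the table says only that a "large number" of connections to one host is suspicious, and what counts as large depends on the mail volume of the site, so the value should be tuned against a few days of normal reports before it is used to raise alarms.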

EventID.Net © 2001-2008 Altair Technologies Ltd., All rights reserved