
Firewall Log Management and SIEMs

Firewalls are the first line of defense in any network. Firewalls can be software or appliances, and organizations can configure them to allow or disallow some or all IP traffic, or to inspect specific traffic types based on rules that use deep packet inspection. For maximum effectiveness, it’s critical to monitor the operation of your firewalls to spot threats and misconfiguration.

What are firewall logs and how can they help?

A firewall log is a ledger of data about traffic and system events in a firewall. This file typically includes a wealth of important information, such as:

  • Source and destination IP addresses, port numbers, protocols, and traffic statistics
  • Successful connections to the network 
  • Failed network connection attempts
  • Modifications of firewall settings and rules
  • Operational events, such as system reboots and disk shortages

The process of firewall log monitoring and analysis can help you to:

  • Pinpoint configuration and hardware issues.
  • Single out malicious traffic.
  • Identify conflicting and obsolete firewall rules. By minimizing the number of rules, you reduce management overhead and the associated risk of human error.

What makes firewall log management a challenge? 

Proper firewall log management can be taxing for two key reasons:

  • Firewall logs are very noisy. The sheer volume of records makes it difficult to spot suspicious activity.
  • Firewalls aren’t equipped with change management capabilities. Accordingly, you’ll need to find a way to track critical modifications such as firewall rule changes.

To overcome these challenges, organizations need a firewall log analysis tool.

How can a SIEM help with firewall log monitoring?

A security information and event management (SIEM) system can help organizations get more value from their firewall logs. A SIEM gathers information from multiple sources, including not just firewall logs but applications such as intrusion detection systems (IDS) and intrusion prevention systems (IPS). Then it uses techniques like event correlation and signature-based detection to identify suspicious activity, and issues alerts so you can take prompt action.

The primary firewall use cases for SIEM include:

  • Threat detection: Analyzing firewall log data using a SIEM can help you spot cyberattacks, including:
    • Spoofing: Malefactors pretend to be someone they are not by using another IP address, DNS server or address resolution protocol (ARP).
    • Denial of service (DoS) or distributed denial of service (DDoS) attacks: Attackers flood the target network with requests in order to make it inaccessible for its intended users. These attacks often target DNS and web servers.
    • Sniffing: Attackers intercept, monitor and capture sensitive data flowing between a server and a client using packet sniffer software.
    • Eavesdropping: Threat actors listen to data flowing between networks to get private data. Eavesdropping is similar to sniffing attacks, but it is usually passive and may not involve full data packets.
  • Protection of critical data: Firewalls can protect against abnormal database connection attempts, and SIEM analysis of connection attempts can help you understand attacks and further strengthen your defenses. 
  • Incident response: Firewall data can help your SIEM see which hosts communicated with an infected or malicious host, so you can stop the spread of malware to limit the damage.
  • Compliance: Analysis of firewall data can help you detect unexpected firewall configuration changes that could allow unauthorized access to data regulated by standards such as PCI DSS, HIPAA, SOX and GLBA.
  • Risk and vulnerability management: Analysis of firewall data can help you discover assets that communicate via vulnerable ports. 
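As an added example (not code from the original article or from Netwrix), the Python script below applies the kind of correlation a SIEM performs to a few constructed firewall log lines: it flags a source whose dropped connections burst within a short window, lists rule-change events for reconciliation against the change-management record, and reports accepted connections on ports the organization treats as risky exposure. The log format, hostnames, addresses, thresholds and port list are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log in a generic key=value syslog style (not any product's real format).
SAMPLE_LOG = """\
2024-03-01T10:00:01 fw1 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=22
2024-03-01T10:00:02 fw1 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=23
2024-03-01T10:00:02 fw1 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=445
2024-03-01T10:00:03 fw1 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=3389
2024-03-01T10:00:04 fw1 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=1433
2024-03-01T10:03:00 fw1 DROP src=198.51.100.9 dst=192.0.2.10 proto=TCP dport=22
2024-03-01T10:07:00 fw1 ACCEPT src=198.51.100.4 dst=192.0.2.20 proto=TCP dport=23
2024-03-01T10:08:00 fw1 RULE_CHANGE user=admin op=add rule=allow-any-to-3306
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")  # timestamp host action key=value...

def parse_line(line):
    """Turn one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, action, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "host": host, "action": action, **fields}

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def flood_sources(events, threshold=5, window=timedelta(seconds=10)):
    """Flag sources with `threshold` DROP events inside `window` (crude flood/probe signal)."""
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "DROP":
            by_src[e["src"]].append(e["ts"])
    flagged = []
    for src, times in sorted(by_src.items()):
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.append(src)
    return flagged

def rule_changes(events):
    """Rule modifications to reconcile against the change-management record."""
    return [e for e in events if e["action"] == "RULE_CHANGE"]

def risky_accepts(events, risky_ports=frozenset({"21", "23", "445", "3389"})):
    """Accepted connections on ports the organization treats as high-risk exposure."""
    return [(e["dst"], e["dport"]) for e in events
            if e["action"] == "ACCEPT" and e.get("dport") in risky_ports]
```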

What are the best practices for firewall log monitoring?

Here are key best practices for effective firewall log management and monitoring:

Use a standard logging framework.

Implementing logging standards that ensure all of your logs are consistent will make it easier for you to aggregate and analyze logs. Be sure to determine:

  • Which events to log and the settings for each one
  • How you will aggregate, store and analyze data
  • The maximum storage size, rotation method and other attributes of the firewall log 

Create a configuration change management plan.

Firewall settings aren’t static. You need to review and update them regularly as your requirements change to avoid gaps in your security posture. Your change management plan should include:

  • Your change management workflow
  • A record of each change and its purpose
  • The risks involved and their potential effects on the network
  • Mitigation plan in case something goes wrong

Do organizations that have a SIEM also need log monitoring and analysis tools?

While SIEM solutions can spot and report on threats, they are not designed to identify vulnerabilities, and they often generate a high volume of false alarm messages. Accordingly, it’s vital to supplement your SIEM with solutions that address these limitations.

The following Netwrix solutions can help:

FAQ

What is a SIEM?

Security information and event management (SIEM) software combines, correlates and analyzes data from multiple sources in order to spot and alert on malicious activity.

What are SIEMs used for?

SIEM solutions are used for real-time threat detection.

What are the limitations of SIEMs?

While SIEMs can help detect even complex attacks, they often generate a high volume of false alerts that can overwhelm response teams. In addition, SIEMs are not designed to identify vulnerabilities in an organization’s security posture that could be mitigated to proactively block attacks.

Dirk Schrader is a Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the globe, starting in technical and support roles at the beginning of his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles about the need to address change and vulnerability management to achieve cyber resilience.