Monday, March 10, 2014

Firewall rule logging

     When firewall is managed by NOC team and you are part of infosec it's really hard to maintain reasonable log level at firewall rules.
    Even If decision of log do not log this rule is part  of the change request process and made by infosec you have a risk of having to much logs, having duplicated logs of the same event form different firewalls or spending more time on each request to avoid problem mentioned.
     In all other cases you definitely end up having too much logs that could even overload and slow down you FW device (for me it happened on opendbsd pf firewall when syslog had consumed all memory ).
  Sure thing, you can optimize fw rules and reduce amount of logs - but  it's thankless time consuming process especially if you have many FW devices.
    Create special fw rules just for the log purpose. They will be at the begin of the rule list and identical on all your FW devices.

Logging rules that:

  • easy to create (based on network topology and security zones )
  • easy to check
  • easy to tune 
  • easy to distribute and install
For PF firewall those rules will look like: 

match log inet proto tcp from to port 80

No comments:

Post a Comment