Windows networks are always a target for hackers and other attackers. But when the administrator regularly reviews network state information in the firewall log, it becomes difficult for an attacker to succeed.
Review the firewall log weekly or monthly to understand security vulnerabilities, browser speed and network performance, and so keep the network secure. These logs reflect attackers' ongoing attacks on the network, reveal internal systems affected by malware, and help you identify incorrectly configured or compromised systems at companies you do business with.
The information you get from the firewall depends on the type of software or device that monitors the activity. When choosing a firewall, consider one that monitors inbound connections, outbound connections, and intrusion attempts. When configuring the firewall log file size, make it large enough to hold a few weeks of useful data; a log that tracks only two days of information does not provide enough data to address possible security issues.
Watch out for intruders who are constantly attacking
Recent research has shown that new systems connected to the Internet are the easiest to attack in the first 10 minutes of the connection. Your firewall is no exception. On average, all registered addresses are scanned for ports every 20 minutes. As a result, you will always find attempts to connect to a port or a set of ports. Most firewalls block port scans by default. After a potential intruder scans 10 or more ports sequentially, some firewalls can lock out that address for a period of time.
Port scans from different addresses are not a cause for alarm. However, if you find that the same address keeps scanning your ports over a matter of weeks or months, you may want to verify the source address with a packet sniffer, make sure it is not spoofed, and investigate the employee, contractor, or business person who registered the address.
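The check described above, as an added example that is not part of the original article: it reads log lines in the Windows Firewall text log layout (an assumption, since the article names no specific firewall) and reports source addresses that were blocked on 10 or more distinct ports and reappear in at least two calendar weeks. The function names, the thresholds as parameters, and the sample addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

FIELDS = ("#Fields: date time action protocol src-ip dst-ip src-port dst-port "
          "size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path")

def build_sample():
    """Constructed log lines (documentation addresses), not real traffic."""
    row = "{d} 09:15:01 {a} TCP {s} 192.0.2.10 51000 {p} 60 S 0 0 8192 - - - RECEIVE"
    out = ["#Version: 1.5", FIELDS]
    for d in ("2024-03-04", "2024-03-12", "2024-03-20"):  # three different weeks
        # Same source sweeps 12 ports each time; another source retries one port.
        out += [row.format(d=d, a="DROP", s="203.0.113.7", p=p) for p in range(20, 32)]
        out.append(row.format(d=d, a="DROP", s="198.51.100.99", p=445))
    # A one-off sweep and an allowed connection; neither should be reported.
    out += [row.format(d="2024-03-05", a="DROP", s="198.51.100.23", p=p) for p in range(20, 32)]
    out.append(row.format(d="2024-03-05", a="ALLOW", s="192.0.2.50", p=443))
    return out

def recurring_scanners(lines, min_ports=10, min_weeks=2):
    """Return {src-ip: (distinct ports, distinct weeks)} for repeat scanners."""
    fields = []
    ports = defaultdict(set)  # src-ip -> destination ports it was blocked on
    weeks = defaultdict(set)  # src-ip -> (ISO year, ISO week) it was seen in
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names come from the log header
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        # Only blocked inbound attempts count as scan evidence.
        if rec.get("action") != "DROP" or rec.get("path", "RECEIVE") != "RECEIVE":
            continue
        if not rec.get("dst-port", "-").isdigit():
            continue  # entries without a port (e.g. ICMP) carry "-"
        src = rec["src-ip"]
        ports[src].add(int(rec["dst-port"]))
        year, week, _ = date.fromisoformat(rec["date"]).isocalendar()
        weeks[src].add((year, week))
    return {s: (len(ports[s]), len(weeks[s])) for s in ports
            if len(ports[s]) >= min_ports and len(weeks[s]) >= min_weeks}

if __name__ == "__main__":
    for src, (n_ports, n_weeks) in recurring_scanners(build_sample()).items():
        print(f"{src}: {n_ports} ports probed across {n_weeks} weeks")
```

On the constructed sample only 203.0.113.7 is reported; the one-off sweep and the single-port retries fall below one of the two thresholds.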
Monitor for malicious software on internal systems
Despite efforts to block them, Trojans, worms, and spyware are sometimes still downloaded to desktop systems. Some desktop malware sends packets that hit the firewall. (I remember recent cases of HTTP on port 80 and Echo on port 7.) When you find inappropriate connections between an intranet system and the firewall, examine the computer immediately, confirm whether malware is installed, and take immediate steps to fix it.
An incorrectly configured partner system only wastes space
As a result of business dealings, many companies need server-to-server or server-to-client communication with third parties. One of my clients has an independent contractor, and the contractor handles public relations through an external agent. After the contractor installed the agency's software, the firewall was compromised by non-party authentication requests from the proxy server, an average of 15 to 20 attempts to connect every day for 20 minutes. There are at least two explanations for this behavior: the server is configured incorrectly, or it is compromised. In either case, the problem needs to be addressed, because the records of blocked attempts take up log file space and bandwidth that are better used for legitimate business purposes.
Denial of service attacks
Firewalls record hundreds or thousands of blocked connections every day. If the firewall blocks all inbound traffic except to the ports you specify, attempts to hack into your network are annoying but relatively harmless. Sometimes, however, a malicious user attempts to connect to a registered address every 100 milliseconds for a period of time. This results in what is known as a "lite" version of the denial of service (DoS) attack. This type of attack intermittently slows down network access, especially on links running near capacity. The records of blocked connections confirm that you are or were a "lite" or a DoS target.
Some websites monitor threats on the Internet in real time. A recognized authority is the Internet Storm Center at isc.sans.org. Its web page shows a world map of data based on an analysis of firewall logs from around the globe, a database that includes 36 million daily records and 240 million records per month.
To compare your network data with the real-time state of your local network, click on the ISC map to display statistics for your country. The www.dshield.org home page also has a color map showing the attack-associated engine across the globe.
If you check the firewall log regularly, you can find some of the above-mentioned issues, as well as other abnormal conditions that interfere with network operation or performance. In addition to staying alert to cyber threats, you can use the data in the firewall log to convince your boss to increase the security budget.