Firewall log wizard of the system administrator

Windows networks are always targets of hackers and other Destructors. However, once the Administrator periodically understands the network status information through the firewall logs, it is very difficult for the hacker to succeed.

View firewall logs once a week or every month to learn about security vulnerabilities, browser speed, and network performance, ensuring network security. These logs reflect the records of attackers constantly attacking the network and show the internal systems affected by malware, it also helps you identify wrong configurations or damaged systems in companies that have business dealings with you.

The information obtained from the firewall is related to the software activity or the type of the device monitor. When selecting a firewall, consider the type that can monitor inbound, outbound connections, and intrusion attempts. Configure the firewall log file size for several hours. Note that its size must be able to store useful data for several weeks. logs with tracing information for only two days cannot provide enough data to cope with possible security problems.

Pay attention to constantly attacked intruders

Recent research shows that new connected systems are most vulnerable to attacks within the first 10 minutes of connection. Your Firewall is no exception. Port scanning is performed on average for all registered addresses every 20 minutes. At this time, you will find that there are always attempts to connect a port or a group of ports. Most firewalls

By default, port scanning is blocked. After a potential Intruder scans 10 or more ports in sequence, Some firewalls can lock a specific address within a period of time.

Port Scanning from different addresses is not the cause of the alarm. However, if you find that the same address has attempted to scan the port in sequence in weeks or months, you may need to verify the source address through the packet listener to make sure it is not a spoofing behavior, investigate the employees, contractors, or persons having business dealings with the address.

Despite trying to block malware in internal systems, Trojans, worms, and spyware are sometimes not downloaded to the desktop. Some desktop malware will use some packages to attack the firewall. I remember a recent combination of HTTP in port 80 and Echo in port 7) when you find that the connection between the system and the firewall in the Intranet is inappropriate, you need to check the computer status immediately, check whether malware is installed and take immediate measures to fix it.

Misconfiguration of partner cooperation systems will only waste space

Due to business dealings, many companies require a third party to communicate with servers or clients. One of my clients has an independent contractor who handles public relations through external agents. After the contractor installed the agent's software, the firewall was damaged by a non-party verification request from the proxy server-an average of 15 to 20 attempts to connect every 20 minutes. There are at least two interpretations of this behavior: the server configuration is incorrect or damaged. In either case, you need to solve this problem, because the log file's space and bandwidth will be occupied by the blocking attempt records, and these spaces and bandwidth should preferably be used in legal business activities.

Reject server attacks

The firewall records hundreds or thousands of blocked connections every day. Except for the port you specified, if the firewall blocks all input information, these attempts to attack your network are annoying, but they are relatively harmless. During a period of time, malicious users attempt to connect to a registered address every one hundred milliseconds. This generates a well-known "lite" version that rejects Server DoS attacks. This type of attack will intermittently slow down network access, especially the connections around the capacity. The blocking record can identify whether you are or were a "lite" or DoS attack object.

Some websites on the network can monitor threats on the network in real time. A recognized authoritative website is the Internet storm center of isc.sans.org. The web page shows a Global Network Data Map, which is based on the analysis of global firewall logs-The database includes 36 million records per day and 0.24 billion records per month.

If you want to compare your network data with the real-time status of the local network, click your country on the ISC map to display the relevant statistics. Color maps are available on the home page www.dshield.org to show global attack-related engines.

If you regularly view the firewall logs, you can find the problems mentioned above, or other exceptions that interfere with network operations or performance.

In addition to being vigilant against network threats, you can also use the data in firewall logs to successfully persuade your boss to increase the security budget.

Related Articles]

• MySQL Database Administrator FAQs

• Network Administrator experience: How to familiarize yourself with the network

• A good helper for network administrators