What is Firewall Forensics?

Dear Readers, in this edition I am trying to throw some light on Firewall Forensics. Please try
to implement the few important things given in this article; I am sure it will help you all in
your respective fields, because you will need to conduct a forensic analysis using your firewall
logs at some point. The underlying objective of a forensic analysis is to determine what happened
and to establish facts that can be used in court. If you have never reviewed the firewall logs
previously, this can be a costly and almost insurmountable process, because you do not
necessarily have any idea what may or may not be a normal event for the firewall.

Performing a forensic analysis is generally an extremely time-consuming and expensive process
because in many cases it is much like trying to find a needle in a haystack. You may know
what was done, but you do not necessarily know when or how it was done, which can make
success tricky indeed. This is compounded by the fact that you need to gather evidence from
the earliest moment possible to establish exactly what transpired.

Because of the potentially sensitive nature of forensic analysis, it is a good idea to use tools that
can assist in performing the forensic analysis, or to bring in experts who have special training
in exactly what should and should not be done. This is where tools like NetIQ Security Manager
and Cisco CS-MARS come in particularly handy, because they include built-in correlation,
query, and reporting functionality that is particularly suited to this kind of situation. For example,
Figure 3.1 illustrates a forensic analysis report from NetIQ Security Manager.

Figure 3.1 NetIQ Security Manager Forensic Analysis Report

On the surface, the firewall denying traffic is not necessarily something to be concerned about.
However, by looking at the data (for example, the data in Figure 3.1) with a bit more of a critical
eye, you can see that the traffic is all originating from the same source (10.1.1.200) to the same
destination (10.1.1.2) on a whole slew of different port numbers.

This is a classic example of a reconnaissance attack: the attacker is running a port scan in an
attempt to determine which ports are open and thereby gain information about the kinds of
applications that may be running on those ports. For example, if TCP port 80 is open, it is a safe
bet that a web server is running on that port, and attackers can begin customizing their probes to
confirm that a web server is indeed running. This information can then be used to determine the
methods of attack that may be successful against the targeted host.
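The pattern described above (one source, one destination, many distinct denied ports) is exactly the kind of thing that is easy to miss when reading deny logs line by line but trivial to surface once the events are grouped. The following is an added example, not code from the article or from any of the products it mentions: it parses a small set of constructed, syslog-like firewall deny lines (the line format, hostname `fw1`, the `DENY` keyword and the addresses other than 10.1.1.200 and 10.1.1.2 are all assumptions), groups the events by source/destination pair, and flags any pair that was denied on at least `min_distinct_ports` different ports. Real firewall log formats differ, so `LINE_RE` would be adapted to the product in use.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed syslog-like deny format.
# 10.1.1.200 probing 10.1.1.2 on many ports mimics the Figure 3.1 scenario;
# the 10.1.1.50 / 10.1.1.60 lines are benign-looking single-port denies.
SAMPLE_LOG = """\
Mar 10 08:00:01 fw1 kernel: DENY TCP 10.1.1.200:41000 -> 10.1.1.2:21
Mar 10 08:00:01 fw1 kernel: DENY TCP 10.1.1.200:41001 -> 10.1.1.2:22
Mar 10 08:00:01 fw1 kernel: DENY TCP 10.1.1.200:41002 -> 10.1.1.2:23
Mar 10 08:00:02 fw1 kernel: DENY TCP 10.1.1.200:41003 -> 10.1.1.2:25
Mar 10 08:00:02 fw1 kernel: DENY TCP 10.1.1.50:50211 -> 10.1.1.2:445
Mar 10 08:00:02 fw1 kernel: DENY TCP 10.1.1.200:41004 -> 10.1.1.2:80
Mar 10 08:00:02 fw1 kernel: DENY TCP 10.1.1.200:41005 -> 10.1.1.2:110
Mar 10 08:00:03 fw1 kernel: DENY TCP 10.1.1.60:50300 -> 10.1.1.2:445
Mar 10 08:00:03 fw1 kernel: DENY TCP 10.1.1.200:41006 -> 10.1.1.2:139
Mar 10 08:00:03 fw1 kernel: DENY TCP 10.1.1.50:50212 -> 10.1.1.2:445
Mar 10 08:00:03 fw1 kernel: DENY TCP 10.1.1.200:41007 -> 10.1.1.2:443
"""

# Regex for the assumed format: "DENY <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"DENY (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_denies(text):
    """Return a list of (src, dst, proto, dport) tuples for every deny line that matches."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:  # lines that do not match the deny pattern are ignored
            events.append((m["src"], m["dst"], m["proto"], int(m["dport"])))
    return events


def find_port_scans(events, min_distinct_ports=5):
    """Group denies by (src, dst) and return the pairs hitting many distinct ports.

    The result maps (src, dst) -> sorted list of distinct destination ports for
    every pair with at least `min_distinct_ports` distinct ports; the threshold
    separates a host being refused on one service from a host sweeping many.
    """
    ports_by_pair = defaultdict(set)
    for src, dst, _proto, dport in events:
        ports_by_pair[(src, dst)].add(dport)
    return {
        pair: sorted(ports)
        for pair, ports in ports_by_pair.items()
        if len(ports) >= min_distinct_ports
    }


if __name__ == "__main__":
    scans = find_port_scans(parse_denies(SAMPLE_LOG))
    for (src, dst), ports in scans.items():
        print(f"possible port scan: {src} -> {dst}, {len(ports)} distinct ports: {ports}")
```

With the constructed input, only the 10.1.1.200 to 10.1.1.2 pair crosses the threshold, while the two hosts denied on port 445 alone do not, which is the distinction a reviewer is making when reading the Figure 3.1 report with a critical eye. The threshold and the time window over which events are grouped are the knobs to tune once you know what normal deny volume looks like on your own firewall.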