Security Log Management: Identifying Patterns in the Chaos

Your firewall is configured to protect your network and seems to be running properly, but how is it behaving and what threats is it facing? Is your firewall adequate to handle the load, or is it being overwhelmed? Is your network being specifically targeted, or are you just seeing normal scanning activity?
To answer these questions, the firewall's logs must be monitored and analyzed in a timely manner. Your firewall should be configured to log every time it blocks or rejects a connection, for both inbound and outbound network traffic. Three or four years ago, a typical firewall was configured to deny inbound traffic by default and allow outbound traffic by default. Now, however, we have to cope with virus-worm hybrids, malicious e-mail, and malicious Web pages, all of which can cause dangerous outbound traffic. Consequently, a firewall should deny outbound traffic by default as well. Any firewall policy violation should be logged so it can be analyzed for the threat it might represent. The only exception to the log-it-all rule is benign (attempted) outbound noise such as NetBIOS broadcasts aimed at the firewall itself (NetBIOS attempts to computers outside your network should still be logged, since they indicate a possible misconfiguration or potential compromise of an internal system).
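The log-it-all rule and its single NetBIOS exception can be expressed as a small triage pass over denied-connection records. The following is an added example, not code from the original article; it assumes a made-up "key=value" log format, a firewall address of 192.168.1.1 and an internal network of 192.168.1.0/24, and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed values for this example (not from the article): the firewall's own
# address, the internal network it protects, and the NetBIOS service ports.
FW_ADDR = ipaddress.ip_address("192.168.1.1")
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
NETBIOS_PORTS = {137, 138, 139}

# Constructed sample log in a made-up key=value format (no real vendor format).
SAMPLE_LOG = """\
action=deny dir=in src=203.0.113.9 dst=192.168.1.20 proto=tcp dport=22
action=deny dir=out src=192.168.1.20 dst=192.168.1.255 proto=udp dport=137
action=deny dir=out src=192.168.1.20 dst=192.168.1.1 proto=udp dport=137
action=deny dir=out src=192.168.1.30 dst=198.51.100.7 proto=tcp dport=139
action=deny dir=out src=192.168.1.30 dst=198.51.100.7 proto=tcp dport=6667
action=allow dir=out src=192.168.1.20 dst=198.51.100.7 proto=tcp dport=443
"""

LINE_RE = re.compile(r"action=(\w+) dir=(\w+) src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    action, direction, src, dst, proto, dport = m.groups()
    return {"action": action, "dir": direction, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto, "dport": int(dport)}

def classify(event):
    """Bucket one event: every denied connection is kept for review, except
    outbound NetBIOS noise aimed at the firewall itself or the local broadcast
    address; outbound NetBIOS to an external host is flagged separately."""
    if event["action"] != "deny":
        return "allowed"
    if event["dir"] == "out" and event["dport"] in NETBIOS_PORTS:
        dst = event["dst"]
        if dst == FW_ADDR or dst == INTERNAL_NET.broadcast_address:
            return "benign_netbios"
        if dst not in INTERNAL_NET:
            return "netbios_leak"  # possible misconfiguration or compromised host
    return "review"

def triage(log_text):
    """Group all parseable events by bucket name."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            buckets[classify(event)].append(event)
    return buckets
```

Running `triage(SAMPLE_LOG)` leaves the inbound SSH deny and the outbound port 6667 deny in the review bucket, drops the two local NetBIOS broadcasts, and singles out the one internal host trying to reach NetBIOS on an external address.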
By implementing a deny-by-default policy in both directions on the firewall, you go a long way in helping detect whether there are compromises on your...