Positive auditing

Forward As I mentioned last  earlier, I have been asked about being apart of the Thwack Ambassador program and my first post went up. I am linking to it now for my readers who follow my blog and may not be aware of the post. This post is covered by my disclaimer.

A Superb discussion has taken place over the last two articles, Virtual Fires and Rule creep here at Thwack. Your contributions have been extremely valuable. The insights into the multi-faceted approach this community takes toward firewall security makes me believe firewalls still have their place. Comments from Byrona, plangois, thamzh85, and chipsch have been great contributions and opened my eyes to different processes.

With so many processes each with their pros and cons how do we ensure we are maintaining the tightest grip on our rule-sets  Auditing. We need to hold ourselves accountable. It is all well and good to write rules for applications and dust the hands but is that all? I am sure you all have come across rule where you have done a double take. What is that doing there? Who put that there? WHY is that there? Auditing isn’t an attack on any one administrator but a way to hold ourselves responsible for the work we do. You should take pride that audits can improve on what you have set up.

In a previous life I worked in a very different environment that I do now. Having a large presence on the internet, we were tasked on maintaining our point(s) of presence and adapting them to the aforementioned threats. Take for example the Conficker worm. It played havoc in 2008 and managed to ground aircraft in Germany and stall council plans in Manchester. After some analysis it was noted that the infect vector was NetBIOS exploitation and then updated via  a HTTP pull from trafficconverter.biz (one of 250 domains that sat under 5 top level domains). This evolved into removable media as the vessel in which the payload resided but at this stage, security authorities knew how to handle it. I still have a few Conficker rules today that are now falling onto our 10 week “monitor then delete” list.

Through auditing and understanding the traffic in our network we were able to identify and adapt. We have been able to see trends in traffic attack paths but more importantly we have been able to improve firewall operations. Administrators have been far more attentive to works to avoid ‘their’ rules appearing in audits. I see it as a good thing as changes and installs are thought about. With the ever evolving internet of everything and more of our lives out there, how do you harness the benefits of auditing?

Extra question: As a network engineer I have Juniper and Cisco security response centers in my daily checks. What other’s do you guys out there use?

Leave a Reply

Your email address will not be published. Required fields are marked *