Firewalls are an integral part of a network's safety and security, which is why they are often considered the pillar of any cyber security program. Firewalls face a barrage of attacks from sources ranging from automated programs to experienced hackers. Though the firewall constantly blocks unauthorized attacks from unknown sources, network managers still need to stay on top of its performance. Such vigilance helps them identify and mitigate the effects of potential malicious attacks.
Logs Have All the Information
The first place to look in the case of an attack is the log file. A log file is a text file that records every event taking place in the network. Every login and activity performed on the network is recorded in the log files, so look there for the source of the problem to gain more insight into the nature of the attack. The specific location of the log file varies from firewall to firewall, so review your firewall's documentation for details.
Hackers use port scanners to identify open ports on the firewall through which the network can be attacked. When you suspect a malicious attack, scan the log files for requests that came from the same IP to many different ports. The firewall is designed to block repeated requests from the same IP, and information about those requests will be available in the log files. This data gives you more insight into the source of the attack and, more importantly, lets you block that IP from accessing any part of your network in the future.
Understand Traffic Patterns
To identify whether a network is compromised, you need to know its normal traffic patterns. Understanding the regular bandwidth usage and the number of connections or packets transmitted per second gives a good idea of normal traffic on the network. When traffic rates are much higher than normal, it is time to examine the network for a possible security breach. For more information about the nature and source of the attack, go back to the log files.
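The two checks described above, one source hitting many different ports in the log and connection rates well above the normal baseline, as an added example that is not part of the original article. It assumes an iptables-style log line layout (`SRC= DST= PROTO= DPT=`) and uses constructed sample lines and a constructed baseline; real firewall log formats differ, so the regex is the part to adapt.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample log. The iptables-style "SRC= DST= PROTO= DPT=" layout is
# an assumption for this example; every firewall has its own format.
# 203.0.113.5 probes twelve ports in one second; the two 198.51.100.x hosts
# are ordinary web clients.
SAMPLE_LOG = """\
2024-03-01T10:00:00 ACCEPT SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443
2024-03-01T10:00:00 ACCEPT SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=80
2024-03-01T10:00:01 ACCEPT SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443
2024-03-01T10:00:01 ACCEPT SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=443
2024-03-01T10:00:02 ACCEPT SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443
2024-03-01T10:00:02 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=21
2024-03-01T10:00:02 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22
2024-03-01T10:00:02 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=23
2024-03-01T10:00:02 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=25
2024-03-01T10:00:02 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=53
2024-03-01T10:00:02 ACCEPT SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80
2024-03-01T10:00:02 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=110
2024-03-01T10:00:02 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=135
2024-03-01T10:00:02 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=139
2024-03-01T10:00:02 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=143
2024-03-01T10:00:02 ACCEPT SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443
2024-03-01T10:00:02 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=445
2024-03-01T10:00:03 ACCEPT SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443
2024-03-01T10:00:04 ACCEPT SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=80
2024-03-01T10:00:04 ACCEPT SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$"
)


def parse_log(text):
    """Turn raw log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dpt"] = int(ev["dpt"])
        events.append(ev)
    return events


def find_port_scanners(events, min_ports=10, window=timedelta(seconds=60)):
    """Report sources that touched at least `min_ports` distinct destination ports
    within any `window`. ACCEPT and DROP lines both count: probes to open ports
    are accepted, so looking only at drops would undercount the scan."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    scanners = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            ports = {e["dpt"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(ports) >= min_ports:
                scanners[src] = sorted(ports)
                break
    return scanners


def connections_per_second(events):
    """Count logged connection attempts per wall-clock second."""
    counts = defaultdict(int)
    for ev in events:
        counts[ev["ts"].replace(microsecond=0)] += 1
    return dict(counts)


def find_traffic_spikes(counts, baseline, z=3.0):
    """Flag seconds whose count exceeds the baseline mean by more than z standard
    deviations. `baseline` is a list of per-second counts from a known-normal period."""
    threshold = mean(baseline) + z * pstdev(baseline)
    return {ts.isoformat(): n for ts, n in sorted(counts.items()) if n > threshold}


# Constructed per-second connection counts from a quiet period. In practice the
# baseline comes from days of logs, kept per hour of day, not ten samples.
BASELINE_CPS = [4, 5, 6, 5, 4, 6, 5, 5, 4, 6]

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("port scanners:", find_port_scanners(events))
    print("traffic spikes:", find_traffic_spikes(connections_per_second(events), BASELINE_CPS))
```

Both checks produce the same answer on this sample (the 10:00:02 second, driven by 203.0.113.5), which is the point of running them together: a rate spike tells you when to look, and the per-source port count tells you which address to block.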
Intrusion Detection Systems
Intrusion detection systems monitor the network and alert you when there is a breach. Such a system monitors user and system activity, assesses the integrity of critical information, analyzes traffic patterns, audits the system to identify configuration problems and the vulnerabilities they cause, and provides a statistical analysis of patterns that match previous attacks. It also raises an alert immediately after it detects an attack. However, intrusion detection systems do not block traffic, even when the request comes from an unauthorized source.