bmonday(dot)com

What a long strange trip this will be


Thanks Richard

Every once in a while (if you're lucky, more often if you're not), you come across someone pointing out such a fundamental flaw in reasoning that it makes you smack your head and wonder why you've been doing it for 10 years.  It's such an obvious flaw when it's pointed out, but you've done it for so long out of habit that it never occurred to you to question it.

Such an epiphany came to me while reading Richard Bejtlich's new book, The Tao of Network Security Monitoring (awesome book, by the way).

The crime?

For 10 years now, in every single firewall installation I've been involved in, the majority of my logs have been dutifully filled with dropped packets. As Richard deftly points out, in an off-hand comment towards the beginning of his tome (and I am paraphrasing): “I don't know why so many firewall admins only log the traffic they drop. The traffic that is being allowed in is much more dangerous, is it not?”

Of course it is, Richard.  I feel like an idiot.

But I'm taking some of you smegheads down with me, dammit.

Every firewall rulebase in every firewall book I have ever owned has had a cleanup rule at the bottom that drops and logs all packets that don't pass one of the rules above it.  An advanced Nokia/Checkpoint training session I recently attended had such a cleanup rule in every rulebase we saw during the exercises.  The assumption is made that traffic being allowed in must be safe, right?  No, dumbasses, the traffic the firewall drops can't hurt you.  It's the traffic that gets past the firewall that can give you the digital equivalent of the atomic wedgie, especially if you rely entirely on your perimeter defenses for protection.

So, two weeks ago, the day after I read this brilliant bit of logic and graced the neighbors with a fairly loud “DOH!”, I turned my main firewall at the data center upside down, and started logging most of the traffic that comes in, and largely ignoring the traffic that my firewall was dropping.

And this morning, because of this change in policy, I busted some miscreant trying to brute-force the sa account on one of my DMZ SQL servers (the sa account was disabled, but that's not the point).  Snort, for some reason, wasn't catching on (the SQL rules are active, not sure why Snort wasn't seeing this), and if I hadn't switched to logging packets being let in I would have never known this attack was taking place.  The only thing that tipped me off was a spike in sql-related connection attempts in my firewall logs, which prompted me to use my NIDS to take a closer look at the packets.
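What tipped the author off was a spike in SQL-related connection attempts in the accept logs, which only existed because the policy had been flipped from "log drops" to "log accepts". The script below is an added example, not code from the original post or from any firewall vendor: it parses firewall records in a constructed, generic key=value syslog style (not the Checkpoint/Nokia format the post's firewall used), ignores the dropped-packet noise, and flags any source/destination-port pair whose accepted connections in a sliding window exceed a threshold. The sample log it builds is constructed and includes routine web traffic, a few dropped probes, and one host making 25 accepted connections to TCP 1433 (MS SQL) in under a minute.

```python
"""Spike detection over firewall ACCEPT records (added example, not from the post).

Only accepted connections are counted: by the post's own argument, the drops
did not reach anything and are noise for this purpose.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed key=value format; real firewalls (Checkpoint, iptables, pf)
# each have their own layout and need their own regex.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def build_sample_log():
    """Return constructed sample records as one newline-separated string."""
    base = datetime(2004, 8, 11, 8, 0, 0)
    lines = []
    # Routine traffic: ten web hits from ten different sources over ten minutes.
    for i in range(10):
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} action=accept src=192.0.2.{i + 1} "
                     f"dst=198.51.100.20 proto=tcp dport=80")
    # The noise the old policy would have logged: dropped telnet probes.
    for i in range(5):
        ts = base + timedelta(minutes=i, seconds=30)
        lines.append(f"{ts.isoformat()} action=drop src=203.0.113.99 "
                     f"dst=198.51.100.10 proto=tcp dport=23")
    # The burst worth seeing: 25 accepted connections to MS SQL (1433) from one
    # source within 25 seconds.
    for i in range(25):
        ts = base + timedelta(minutes=3, seconds=i)
        lines.append(f"{ts.isoformat()} action=accept src=203.0.113.7 "
                     f"dst=198.51.100.10 proto=tcp dport=1433")
    return "\n".join(lines)


def parse_accepts(text):
    """Parse log text into (timestamp, src, dport) tuples for accepted records only.

    Lines that do not match the expected format are skipped rather than
    crashing the run, since real logs always contain a few odd lines.
    """
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("action") != "accept":
            continue
        records.append((datetime.fromisoformat(m.group("ts")),
                        m.group("src"), int(m.group("dport"))))
    return records


def find_spikes(records, window=timedelta(seconds=60), threshold=20):
    """Return {(src, dport): peak_count} for pairs with >= threshold accepts in any window.

    Timestamps are grouped per (src, dport) and scanned with a two-pointer
    sliding window, so the cost is linear in the number of records per pair.
    """
    by_key = defaultdict(list)
    for ts, src, dport in records:
        by_key[(src, dport)].append(ts)

    spikes = {}
    for key, stamps in by_key.items():
        stamps.sort()
        j = 0
        best = 0
        for i in range(len(stamps)):
            # Advance j to the first stamp outside the window that starts at stamps[i].
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            spikes[key] = best
    return spikes


if __name__ == "__main__":
    accepted = parse_accepts(build_sample_log())
    for (src, dport), count in sorted(find_spikes(accepted).items()):
        print(f"spike: {src} -> dport {dport}: {count} accepted connections in one window")
```

The window and threshold are tuning knobs; a DMZ SQL server that legitimately takes hundreds of connections a minute from an application tier needs a per-source baseline rather than a fixed count, but the structure stays the same: count what got through, not what was turned away.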

So anyway, Richard, if you are listening:  Thanks.

Posted by Beau Monday on Wednesday, August 11, 2004 9:38 PM

Feedback

# re: Thanks Richard 8/12/2004 4:05 PM Richard Bejtlich

Hi Beau,

I'm glad you found the book useful, and really glad you detected the activity against your SQL server.

The firewall logging suggestion is based on several incident response engagements. Clients often provided firewall logs with records of denied packets. While these helped me narrow down the ways an intruder didn't access a victim, it shed little light on what had been let through the firewall. When a client has been compromised, I'd rather know what was allowed (and read the records of that activity) than see what was dropped (and hence had no actual impact on the victim).

I think logging denied traffic has been advocated as a means to demonstrate the effectiveness of firewalls to perform access control, but that strategy isn't that helpful when the firewall is being bypassed.

Sincerely,

Richard
