Question

What is the general value and purpose of enabling logging in firewalls?

Answer #1

While tracking firewall "deny" actions is a good way to identify threats, logging the "allow" actions can give greater insight into malicious traffic that could be both more subtle and more dangerous.

An enterprise typically enforces strict protection on assets that should not be publicly accessible. These often include internal corporate systems and employee workstations. Generally, no direct inbound connection is permitted to these systems. Systems that need to be publicly accessible are hosted in an environment where the firewall protection is typically less secure. Certain services are exposed to the Internet with minimal to no protection, for example, an enterprise's Web servers (HTTP/HTTPS) or mail relays (SMTP). These systems are isolated from the internal systems in an environment called a demilitarized zone (DMZ). Filtering of outbound connections from systems within the enterprise is generally less restrictive -- allowing Web (HTTP/HTTPS) traffic -- or absent altogether.

In such three-tiered environments with strict ingress filtering into the internal systems, relaxed outbound filtering from the internal systems and open services into the DMZ segment, logging becomes critical to ensure the enterprise has visibility into traffic entering and leaving the environment. Things get tricky in high-traffic environments where logging resources are finite. Most firewall technologies that have the capability to support multiple levels of logging help to address this issue by triaging events so the most critical can be addressed first. These levels of logging are typically labeled 0 through 7 (from greatest importance to least: emergency, alert, critical, error, warning, notification, informational and debugging, in that order) with higher levels generating more information in the logs. This article does not explore each of these levels in detail, but attempts to analyze the effectiveness of having a less verbose logging level (warning) that logs only firewall "deny" actions, against the more verbose alternative (informational), which logs both firewall "deny" and "accept" actions. Each of these logging levels records the source address and port, as well as the destination address and port of any given connection.

One of the important determining factors as to the level of logging to be used is the capability of an enterprise to deal with the log information effectively. A verbose logging level might be useful in capturing all connection streams into the environment, but lacking an effective mechanism to analyze the log information could make this option less beneficial if not useless. Typically it is common practice for an enterprise to, at a minimum, enable the logging of "deny" firewall actions. This basically means that traffic that was explicitly denied by the firewall rules was observed. The interesting dilemma is how this information is useful. This information could indicate that a host was being accessed on a port that was disallowed, but the same source is allowed to access other ports. This is typically true for systems hosted in the DMZ or systems that have certain ports open to the Internet with no source restriction.

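To make the answer's point concrete, here is an added example (not part of the original answer or of any vendor's tooling) that runs three checks over a handful of constructed firewall log lines. The log format, the host names and the addresses are all assumptions made for this example; real devices use their own layouts, so the regular expression would need adapting. The first check uses only "deny" records, which is all a warning-level log gives you. The other two need the "allow" records as well: one catches a source that probed several closed ports on a DMZ host and then got an accepted connection to an open one, the other catches an internal host whose permitted outbound HTTPS connections fan out to an unusual number of external addresses. Running the same checks over a deny-only view of the log shows what that logging level cannot see.

```python
import re
from collections import defaultdict

# Constructed sample records (not from any real device). The layout
# "ACTION proto src:sport -> dst:dport" is an assumption for this example.
# 192.0.2.10 plays a DMZ web server, 10.0.0.0/8 the internal network.
SAMPLE_LOG = """\
Mar 01 10:00:01 fw1 DENY tcp 203.0.113.7:51000 -> 192.0.2.10:22
Mar 01 10:00:02 fw1 DENY tcp 203.0.113.7:51001 -> 192.0.2.10:3389
Mar 01 10:00:03 fw1 DENY tcp 203.0.113.7:51002 -> 192.0.2.10:445
Mar 01 10:00:04 fw1 ALLOW tcp 203.0.113.7:51003 -> 192.0.2.10:443
Mar 01 10:00:09 fw1 ALLOW tcp 198.51.100.20:44010 -> 192.0.2.10:443
Mar 01 10:00:15 fw1 DENY tcp 198.51.100.77:40000 -> 192.0.2.10:23
Mar 01 10:01:00 fw1 ALLOW tcp 10.0.0.15:49200 -> 198.51.100.5:443
Mar 01 10:01:30 fw1 ALLOW tcp 10.0.0.15:49201 -> 198.51.100.6:443
Mar 01 10:02:00 fw1 ALLOW tcp 10.0.0.15:49202 -> 198.51.100.7:443
Mar 01 10:02:30 fw1 ALLOW tcp 10.0.0.15:49203 -> 198.51.100.8:443
Mar 01 10:02:45 fw1 ALLOW tcp 10.0.0.22:50100 -> 198.51.100.5:443
Mar 01 10:03:00 fw1 ALLOW udp 10.0.0.22:50101 -> 10.0.0.53:53
this line is malformed on purpose and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse log text into event dicts, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a parser that crashes on one odd line loses the rest
        e = m.groupdict()
        e["sport"] = int(e["sport"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def deny_only(events):
    """The view a warning-level (deny-only) log gives you."""
    return [e for e in events if e["action"] == "DENY"]


def denied_ports_by_source(events):
    """Check 1 (works on deny-only logs): which closed ports each source hit."""
    out = defaultdict(set)
    for e in events:
        if e["action"] == "DENY":
            out[e["src"]].add(e["dport"])
    return {src: sorted(ports) for src, ports in out.items()}


def scanners_that_got_in(events, min_denied_ports=3):
    """Check 2 (needs ALLOW logging): a source denied on >= N distinct ports
    of a destination that afterwards gets an accepted connection to it.
    Events are processed in log order so the ALLOW really follows the denies."""
    denied = defaultdict(set)  # (src, dst) -> closed ports already probed
    hits = []
    for e in events:
        key = (e["src"], e["dst"])
        if e["action"] == "DENY":
            denied[key].add(e["dport"])
        elif len(denied.get(key, ())) >= min_denied_ports:
            hits.append((e["src"], e["dst"], e["dport"], sorted(denied[key])))
    return hits


def outbound_fanout(events, internal_prefix="10.", min_distinct_dsts=3):
    """Check 3 (needs ALLOW logging): internal hosts whose permitted outbound
    connections reach an unusual number of distinct external addresses,
    a pattern invisible to a log that records only denies."""
    dsts = defaultdict(set)
    for e in events:
        if (e["action"] == "ALLOW"
                and e["src"].startswith(internal_prefix)
                and not e["dst"].startswith(internal_prefix)):
            dsts[e["src"]].add(e["dst"])
    return {src: sorted(d) for src, d in dsts.items() if len(d) >= min_distinct_dsts}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("denied ports by source:", denied_ports_by_source(evs))
    print("scanner follow-ups (full log):", scanners_that_got_in(evs))
    print("scanner follow-ups (deny-only):", scanners_that_got_in(deny_only(evs)))
    print("outbound fan-out (full log):", outbound_fanout(evs))
    print("outbound fan-out (deny-only):", outbound_fanout(deny_only(evs)))
```

The thresholds (three denied ports, three distinct destinations) are arbitrary for the sample data; in practice they are tuned against a baseline of normal traffic, and the fan-out check is usually run per time window rather than over the whole log.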