Back to Article List
InsideOut Firewall Reporter Unravels the Mysteries of Firewall Logs
By Troy Thompson, MCSE+I, Network+, A+
May 19, 2003
The most important piece of hardware that protects your network from intruders, hackers, and outside traffic is your firewall. Firewalls process an enormous amount of data, that when converted to useful information, can tell you many things about the packets traveling in and out of your network. Recently we took a look at InsideOut Firewall Reporter (IFR), created by Stonylake Solutions to find out how it interprets data and information produced by a leading firewall. We conducted our lab tests using Windows 2000 and a Cisco PIX firewall.
Company Background Information
Stonylake Solutions is a global provider of state-of-the-art firewall reporting software with headquarters in Maryland, USA and offices in Toronto, Canada. Established in 2000, Stonylake Solutions develops powerful software that provides real time analysis and reporting for firewalls. Its customer base includes federal and state organizations, educational and financial institutions, and high tech companies.
Table 1: Corporate Information
The Problems with Firewalls
Each day there are more reports about network breaches and stories of how hackers have infiltrated or brought down a network. As a result, network security is one of the fastest growing sectors of the Information Technology market. As a network administrator, it is important to have at your disposal, tools to help you proactively manage your network. Information about network problems can come from many sources. Operating systems, such as Windows NT/2000, have some built-in tools that can provide you with helpful information. There are third party add-ons as well that can help diagnose network problems. The key to being successful is having tools that allow you to notice trends and immediate threats. Trend analysis can spot potential problems in advance and real time reporting can help you react quickly to an immediate threat. A firewall, like most other network devices, produces extraordinary amounts or information. So much, in fact, it would be impossible to review it all without network tools. Most of the data that a firewall processes is not of great importance, though. What you need is a way to separate the typical data from the data that can tell you about vulnerabilities or abnormalities in your network. InsideOut Firewall Reporter is a network tool that can present information to you real time in a variety of formats to help you interpret the data and react in an appropriate manner.
InsideOut Firewall Reporter is a Java-based server application that runs on Windows and Linux platforms. You can view a live demo of IFR at http://livedemo.stonylakesolutions.com by clicking on Test Drive InsideOut from the Stonylake web site. This live demo allows you to navigate through four different firewalls and generate reports. It lets you get use to the look and feel of the product before installing it. You can download and install a demo version InsideOut Firewall Reporter at www.stonylakesolutions.com. The demo version has full functionality, but is only active for 30 days and only keeps the data for 48 hours. The complete download for Windows is over 100MB, which includes not only IFR but other programs that must be installed as well. The IFR portion of the download is only 3.5MB. Once you have downloaded the product, you can extract the files using WinZip and then proceed to install it. The program and all applications can be installed on a single server. If you purchase the Professional or Enterprise Editions, the program can be distributed among three servers. The system requirements for installing IFR on a single application-database server configuration are a P-II 450 MHz processor, 128 MB RAM and 5.0 GB free hard drive space running Windows 98/2000 or Linux Operating Systems. For the Enterprise Edition, you will need the following:
The Reporting server - Requires a P-II 450 MHz processor, 128 MB RAM and 90 MB free hard drive space.Before you install the program, you should print and read the IFR help PDF file. The information contained in the PDF will cover all the prerequisites you need to setup the software. There are a some steps involved in setting up IFR that require you to do more than just click the Next button or choose an installation folder. For instance, you are required to setup an environment variable that allows certain batch files to find default paths. You may have to modify your Internet Explorer to make sure it is using Microsoft VM Java. The help PDF also informs you of the default password that you will need to administer the program after installation.
The IFR application consists of four different components: InsideOut Reporting Engine (IRE), InsideOut Logging Engine (ILE), InsideOut Control Center (ICC) and the InsideOut Database. The extracted download will consist of three setup programs, of which the first to install is Java Developer Kit 1.4 (JDK1.4).
The second program to install is Tomcat 4.x, which will load the Tomcat servlet engine. Tomcat is the servlet container used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. Tomcat has been developed in an open environment and released under the Apache Software License. It is intended to be a collaboration of the best-of-breed developers from around the world. The third program to install is IFR itself. If you attempt to install IFR first, the on-screen instructions will instruct you that you need to have already installed Java and Tomcat. During the installation of IFR, you must supply the installation path of the Tomcat program. Once the core programs are installed, you have to restart Tomcat, open the ICC using the URL http://server-ip:8080/insideout/admin.html and configure InsideOut.
There are many configuration variables that you must supply during the configuration, such as the type of firewall, IP configuration information, database type, etc. Supplying correct information during the initial configuration can save you time later from having to reinstall or reconfigure. After launching the configuration URL, http://server-ip:8080/insideout/admin.html, you will have to choose the correct edition. The three editions to choose from are Standard, Professional and Enterprise. For the purpose of our tests, the Professional edition was evaluated. If you choose the wrong edition and need to change it, you will have to reinstall the entire program. You must also configure the database, licensing information, and define the ILE. The firewall brands that IFR supports are Check Point Firewall-1, Cisco PIX, NetScreen, StoneGate and Borderware. More detailed instructions regarding configuration can be found in the IFR help PDF.
How IFR Works
Your firewall must be configured to send its logs (via syslog) to IFR, where the data is processed and displayed in real time. The log files are consolidated and stored in a database to allow for report queries. To give you an idea of the enormity of quantity of logs, one user of the enterprise class customers logs 4-5 million records in a day from a Nokia IP 540. Another trial customer has reported logging 12 million records from a PIX 520. All numbers are consolidated database records. In case of the PIX, it produces 3 raw messages for every successful connection and 2 for blocked. To configure a Cisco PIX, you must have rights to access privileged mode. An example of the commands necessary to configure a PIX is listed below.
CiscoPIX(config)#logging host inside 10.2.12.17As the Cisco PIX receives traffic, it forwards it to IFR, which organizes it into useful information. InsideOut Firewall Reporter can optionally resolve IP addresses that are found in the log messages to host names by querying the DNS, WINS or the Host machine. This helps to overcome the problem of identifying hosts that are assigned DHCP addresses. A Maintenance procedure runs once every 24 hours, which prunes, re-indexes and compacts the database tables. Error conditions encountered during the maintenance procedure are reported to the Administrator by email.
The Cool Reports
The best feature that IFR has is its reporting capability. IFR's browser-based interface provides more than 150 standard reports in 13 major categories. Once you have completed the initial configuration, your server starts receiving information immediately from the firewall that can be turned into useful reports. IFR's automated reports be generated on schedule as a server task and then delivered by e-mail. The report screen is made up of a tabbed report area and a Report Settings panel that is used to set report selection criteria. As can be seen in Figure 1, IFR organizes data into an easy to read graph.
Click for Figure 1: Traffic Allowed Through the Firewall
Under the Report Settings heading, you can see the filters that have been applied to the report. The screen shows that the data is coming from a PIX firewall,from all users, from all subnets and for all Services. Each of these report features is customizable on the fly without having to perform configuration changes. The middle of the screen is the where the data is graphically represented. The tabs at the top allow you to view data in many different formats. On the right of the screen, you can decide whether to receive a report summary, view allowed traffic or view blocked traffic details. A sample of summary activity can be seen in Figure 2.
Click for Figure 2: Activity Summary
With a simple click of a mouse you can view allowed traffic by Users, Destinations, Connections, Bandwidth, Overall and Subnets. To view blocked traffic, you simply click on the blocked tab to the right of the screen.
Click for Figure 3: Traffic Blocked by the Firewall
Once again, you can view blocked traffic by Sources, Destinations, Attempts, Overall and Subnets with a click of the mouse. A sample of the Overall report can be seen in Figure 4.
Click for Figure 4: Overall Traffic Allowed
The browser interface gives you the convenience of accessing reports from anywhere, at any time, with just a single server installation. The best thing about the reports and the thing that helps set IFR apart from many competitors is that the data is in real time. You have the option of view historical information by clicking on the arrow to each side of the date in the middle window. There are no restrictions to the number of users who can simultaneously view the reports, which can be printed and exported to applications such as Microsoft Excel.
There are many different products on the market that can also interpret firewall data. From the Internet, you can find many Syslog servers. Some of these are expensive, complex and offer many features, such as Cisco Works. Others simply provide raw data, which you have to assemble into information.
Click for Figure 5: Cisco Works
Figure 6 shows an example of a syslog server that captures raw data, which, in turn, you must decipher. It can be downloaded for free at http://www.ncat.co.uk/Download/. The obvious problem here is that you have to sort through hundreds or thousands of lines of traffic. Even if you have a program to parse the data, you still will not have it in an easy to read graphical format.
Click for Figure 6: Syslog Server
You can even use a default feature in a Cisco PIX to capture information. From configuration mode, type:
CisscoPIX(config)#logging monitor informationThe output from this statement is shown below. It is not represented graphically and forces you to weed through the data to find useful information.
Click for Figure 7: PIX Firewall Logging Sample
The strength of IFR is that it uses a browser to graphically represent real time or historical information. At a glance you can identify problems with your network. The ability to retrieve real time information quickly and easily using the reports feature is probably the biggest advantage of this product. Once it is setup, it requires little effort to extract valuable information.
The installation process for IFR can be somewhat of a challenge. Getting all of the programs installed, configuring variables, firewalls and the software itself takes a little time. It would be nice if the program could check to see if the correct version of Java and Tomcat were already installed, and if not, install them automatically. Some time could also be taken off of the configuration process if the environment variables were automatically set. Although IFR supports most common databases such as SQL Server 2000, Postgre SQL 7.2.1 and MSDE 2000, one obvious omission is support for Oracle.
Currently IFR supports a limited number of firewall vendors. We are eager to see support for more products which we are told will be coming in future editions. Other changes that are coming are the ability to see who changed a firewall policy, when the rule was changed and which rules get used most often. These are features that will help broaden the appeal of this product. In its current release, IFR is a strong product that helps validate your firewall and perform audits of your system.
As an administrator, you should be keenly aware of the risks your network faces from inside and outside threats. You can only do your job as good as the tools you have at your disposal. If you want to quickly and easily see the types of data that come into your firewall, IFR is a great product for the price. This product is meant for small to large businesses and not for the average home user with DSL. The size of your business will determine the product you need to purchase. Small companies with less than 50 employees and a single firewall should consider the Standard version. This version is designed to run on Windows only. You are restricted to using the MSDE database that comes with the product and can only store 2GB of data, but at a price of only $250, it is a bargain.
The Professional version of IFR is intended for small to medium sized businesses that have a single firewall. You can distribute the installation over three servers with each server handling a different component. This version supports additional database formats including MSDE, MS SQL Server and PostgreSQL databases. It can be loaded on Windows or Linux operating systems. It has scheduled reports and pre-configured reports as opposed to only having reports in a browser. The Professional version comes in at a price of $995, but is still a good deal considering all the features it has.
The Enterprise version includes all of the features of the Professional version as well as support for multiple firewalls. It has a scalable architecture that allows you to start out with a small system and then add other machines as needed. It is intended for large businesses that need to be able to manage multiple firewalls from a central location. It also includes pre-configured and scheduled reports, and built-in maintenance processes to ensure optimum system performance. Using the Enterprise Edition, you can move from an Enterprise-wide view down to a specific firewall and even down to a view of a specific user with a few simple mouse clicks. It is possible for an administrator in New York to quickly monitor a situation developing in Houston, Hong Kong or Paris. The Enterprise Edition supports MS SQL Server, and PostgreSQL databases, and can run in mixed Windows and Linux environments. The Enterprise edition of IFR costs $1295 per firewall.
Clearly, using IFR helps you more easily understand the information your firewall is producing. By understanding firewall logs better, firewall administrators are better equipped to make decisions and protect the infrastructure for which they are responsible.
|Copyright 1997-2015 Relevant Technologies. All rights reserved | Legal and Privacy | Sitemap
Email: email@example.com | Tel: 240.786.4858 | Fax: 855.451.5466 | 8160 Maple Lawn Blvd, Suite 200, Fulton, MD 20759