
Firewall incident handling

Incident reporting is the process whereby certain anomalies are reported or logged on the firewall. A policy is required to determine what type of report to log and what to do with the generated log report. This should be consistent with incident-handling policies discussed earlier in this tutorial. The following policies are appropriate to all risky environments:

  • The firewall should be configured to log all reports daily, weekly, and monthly so that the network activity can be analyzed when needed.
  • Firewall logs should be examined on a weekly basis to determine whether attacks have been detected.
  • The firewall administrator should be notified immediately of any security alarm by e-mail, pager, or other means so that he or she can respond to the alarm without delay.
  • The firewall should reject any probing or scanning directed at it so that it does not leak information about the network it protects. In a similar fashion, the firewall should block all software types that are known to present security threats to a network (such as ActiveX, Java, etc.) to further tighten the security of the network.
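As an added example (not part of the original tutorial), the following Python script carries out the log-examination step from the policy above: it parses constructed netfilter-style firewall DROP entries, groups dropped connections by source address, and flags any source that probed several distinct ports, which is the kind of event the administrator should be alerted to. The log format, the addresses and the port threshold are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample of firewall log entries in a netfilter/iptables-style
# syslog format. These lines are made up for this example, not taken from the page.
SAMPLE_LOG = """\
Mar 10 02:14:01 fw kernel: DROP IN=eth0 SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=41234 DPT=21
Mar 10 02:14:01 fw kernel: DROP IN=eth0 SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=41235 DPT=22
Mar 10 02:14:02 fw kernel: DROP IN=eth0 SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=41236 DPT=23
Mar 10 02:14:02 fw kernel: DROP IN=eth0 SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=41237 DPT=25
Mar 10 02:14:03 fw kernel: DROP IN=eth0 SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=41238 DPT=80
Mar 10 02:14:03 fw kernel: DROP IN=eth0 SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=41239 DPT=443
Mar 10 02:20:17 fw kernel: DROP IN=eth0 SRC=192.0.2.8 DST=198.51.100.10 PROTO=TCP SPT=50001 DPT=80
Mar 10 02:20:19 fw kernel: DROP IN=eth0 SRC=192.0.2.8 DST=198.51.100.10 PROTO=TCP SPT=50002 DPT=80
Mar 10 02:31:44 fw kernel: ACCEPT IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=50100 DPT=443
"""

# Assumed field layout: timestamp, host, "kernel:", action, then SRC/DST/PROTO/.../DPT pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>\w+) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

def parse_log(text):
    """Yield one dict per parseable firewall line; lines in another format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def find_scanners(text, port_threshold=5):
    """Return {src: sorted distinct dropped destination ports} for every source whose
    DROP entries touch at least `port_threshold` distinct ports. One source knocking
    on many different ports is the classic signature of a port scan."""
    ports_by_src = defaultdict(set)
    for ev in parse_log(text):
        if ev["action"] == "DROP":
            ports_by_src[ev["src"]].add(int(ev["dpt"]))
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= port_threshold}

def format_alert(scanners):
    """Build the e-mail/pager text the policy calls for (empty string if nothing to report)."""
    return "\n".join(f"ALERT possible port scan from {src}: ports {ports}"
                     for src, ports in scanners.items())

if __name__ == "__main__":
    print(format_alert(find_scanners(SAMPLE_LOG)) or "No scan-like activity found.")
```

Run against a real log, the threshold should be tuned to the environment; a single client retrying one service (as 192.0.2.8 does above) is noise, not a scan, and is correctly left out of the alert.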

Restoration of services

Once an incident has been detected, the firewall may need to be brought down and reconfigured. If it is necessary to bring down the firewall, Internet service should be disabled or a secondary firewall should be made operational; internal systems should not be connected to the Internet without a firewall. After being reconfigured, the firewall must be brought back into an operational and reliable state. Policies for restoring the firewall to a working state when a break-in occurs are needed.

Tip: In case of a firewall break-in, the firewall administrators are responsible for reconfiguring the firewall to address any vulnerabilities that were exploited. The firewall should be restored to the state in which it was before the break-in, so the network is not left wide open. While the restoration is going on, the backup firewall should be deployed.
