Event monitoring maintains a record of security-related events. Often, the record goes into a log file that is largely ignored unless or until someone takes the time to review it.
Reviewing a weekly event log does provide a security administrator with the advantage of hindsight, and allows them to consider past events in creating future policies. However, the weekly review may be the administrator's first indication of an attack or other serious event, and may come too late to allow a practical response.
Monitoring events in real time provides the advantage of being able to take immediate action, which can prevent possible damage and collect information about the attack that might not be available after the fact. Most modern firewalls and gateways offer some sort of real-time monitoring capability.
Most of these work through "triggers," which launch a specific action in response to an event. Event monitoring provides you with both the means to detect an intrusion and the information you need afterwards.
Eight different types of events can be monitored:
- Access control list threshold violations. This event occurs when the number of times a user is denied access to a service exceeds a predetermined number.
- Attack attempts. This is any type of suspicious occurrence identified by one of the services on the firewall; for example, the presence of a suspicious IP address on an incoming connection.
- Authentication failures for Telnet or FTP proxies. This event occurs when a user attempts to gain authentication to the Telnet or FTP proxy, and enters invalid data (such as an incorrect password).
- Mail messages that are rejected by a mail filter. This event occurs when an SMTP mail message does not pass through a configured mail filter. The mail filter map configuration determines what is done with those failed messages.
- Attempted network probes. This event occurs when a user attempts to connect to a TCP or UDP port that has no service or an unsupported service associated with it.
- Exceeded network traffic threshold. This event occurs when the number of traffic audit events written by the various proxies going through the firewall exceeds a specified threshold.
- Attempts to circumvent Type Enforcement. A Type Enforcement violation occurs when an unauthorised user or process attempts to perform an illegal operation on a protected file.
- IPSEC errors. This event occurs when the number of IPSEC errors detected exceeds the threshold value.
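The threshold mechanism behind several of these events (access control list violations, traffic thresholds, IPSEC errors) is a count of a given event over a given period of time, with a response triggered once the count exceeds the configured number. The following is an added example, not code from the original text or from any firewall product, that runs a sliding-window threshold policy over a few constructed log lines. The log format, the event names (`acl_deny`, `probe`, `auth_fail`), the policy table and the response names are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "timestamp event key=value ..." format.
# The addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2024-03-01T10:00:01 acl_deny src=198.51.100.7 svc=telnet
2024-03-01T10:00:05 acl_deny src=198.51.100.7 svc=telnet
2024-03-01T10:00:09 acl_deny src=198.51.100.7 svc=ftp
2024-03-01T10:00:12 probe src=203.0.113.9 port=31337
2024-03-01T10:00:20 acl_deny src=198.51.100.7 svc=telnet
2024-03-01T10:05:00 auth_fail src=192.0.2.4 proxy=ftp
2024-03-01T10:10:00 acl_deny src=198.51.100.7 svc=telnet
"""

# Assumed policy table: per event type, the allowed number of occurrences
# ("threshold"), the period in seconds over which they are counted ("window"),
# and the response to trigger once the count exceeds the threshold.
# A threshold of 0 means a single occurrence already triggers the response.
POLICY = {
    "acl_deny": {"threshold": 3, "window": 60, "response": "alert"},
    "probe": {"threshold": 0, "window": 300, "response": "block_source"},
    "auth_fail": {"threshold": 5, "window": 600, "response": "alert"},
}


def parse_line(line):
    """Split one log line into (timestamp, event type, dict of key=value fields)."""
    ts_str, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return datetime.fromisoformat(ts_str), event, fields


def evaluate(log_text, policy=POLICY):
    """Apply the threshold policy to a log and return the responses triggered.

    Events are counted per (event type, source address) inside a sliding
    window; once the count within the window exceeds the threshold, a
    response record is emitted and the window is reset so that one burst
    produces one response rather than one per additional event.
    """
    history = defaultdict(deque)  # (event, src) -> timestamps inside the window
    responses = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, fields = parse_line(line)
        rule = policy.get(event)
        if rule is None:
            continue  # event type not covered by policy: log only, no response
        key = (event, fields.get("src", "unknown"))
        window = timedelta(seconds=rule["window"])
        seen = history[key]
        seen.append(ts)
        # Drop timestamps that have fallen outside the window.
        while seen and ts - seen[0] > window:
            seen.popleft()
        if len(seen) > rule["threshold"]:
            responses.append({
                "time": ts,
                "event": event,
                "source": key[1],
                "count": len(seen),
                "response": rule["response"],
            })
            seen.clear()
    return responses


if __name__ == "__main__":
    for r in evaluate(SAMPLE_LOG):
        print(f"{r['time']} {r['response']:<13} {r['event']} from {r['source']} "
              f"({r['count']} in window)")
```

Run on the sample log, the single probe triggers `block_source` immediately (threshold 0), and the fourth `acl_deny` from the same source within 60 seconds triggers an `alert`; the lone `auth_fail` and the later, isolated `acl_deny` stay below their thresholds and only remain in the record. Spreading the same denials over a longer period than the window produces no response at all, which is the point of a threshold: occasional, possibly unintentional events are recorded, while a burst draws an immediate reaction.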
When the firewall detects one of those events, it makes a response based on policy controls set by the administrator. Again, because some events may be unintentional, the administrator has the option of setting a threshold, which specifies an allowed number of times a given event may occur over a given period of time. If that threshold is exceeded, a response is triggered. The firewall's event monitoring allows several different response types, including: