Event log management and response might be one of the most neglected areas of security management. Many security managers rely on users or security bulletins from operating system and application vendors to decide when it's time to take action on a possible security compromise. By the time these announcements have hit the Internet, it's usually too late for administrators to react. Assets have already taken a hit, and damage has already been done.

NOTE This fact, by the way, is the number one reason you should have CSA installed on all your systems. Customers who had CSA deployed during all the largest attacks, including Code Red, Nimda, Sasser, and Slammer, suffered no downtime at all.

The problem to be solved in this section is how to become proactive in searching out logs to recognize early signs that your network might be the target of an attack or that an attack might be in progress. ASA/PIX Security Appliance messages aren't going to be your best source to determine whether your network assets are under attack. CSA logs are the best source for that.

It's recommended that, along with CSA, you get a software package called Event Monitor. Event Monitor consolidates all your CSA alarms in a hierarchical interface, much like a spreadsheet. All like events are sorted together, and you can expand the event to a detailed level. By using this tool, you can recognize whether a new attack is underway because you will likely see groupings of the same error messages with different destination IP addresses. In most cases, these events give you enough information to understand whether you can do anything to help stop the attack at the perimeter. With new features in CSA 4.5, if the CSA Management Center senses multiple "like" messages, it assumes a worm or mutating virus is in the network and generates a rule to quarantine the infected hosts. Remember, defense in depth is all about layers of defense.
Here is a simple example of how you could have manually used the CSA logging information to increase your layers of defense when Slammer hit. CSA protected the hosts and servers by recognizing that a buffer overflow took place in the SQL process and that malicious code was attempting to run from the overflowed buffer. Because SQL uses UDP port 1433, security administrators could have done the following to increase the security posture of their environment:
ASA/PIX Security Appliance syslogs tend to be more focused on functions of the firewall. The security appliance syslog has seven different severities or classes of syslog messages, as follows:
Table A-1 classifies ASA/PIX Security Appliance syslog messages and provides a description for each class.
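The grouping idea behind Event Monitor (the same message repeating toward many different destination addresses) is easy to reproduce against raw security appliance syslog as well. The following Python script is an added example, not code from this book, from Cisco, or from Event Monitor. It parses the %ASA-severity-messageID header of each line, buckets events by message ID and destination port, and flags any bucket whose events fan out to several distinct destination hosts. The log lines are constructed for illustration, the message bodies are only an approximation of the real wording, and the regular expression that pulls the destination address out of the body (DST_RE) is an assumption that fits those constructed lines rather than every real message format.

```python
import re
from collections import defaultdict

# ASA/PIX syslog header: %ASA-<severity>-<message id>: <text>
HEADER_RE = re.compile(r"%(?:ASA|PIX)-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)")
# Destination address/port as it appears in the constructed sample text below.
# Real message bodies vary by message ID, so this pattern is an assumption.
DST_RE = re.compile(r"dst\s+\w+:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<port>\d+)")

# Names for the severity numbers carried in the syslog header.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Constructed sample log (not captured from a real device): one deny message repeats
# from a single outside host toward many inside hosts on UDP/1433, mixed with noise.
SAMPLE_LOG = """\
%ASA-4-106023: Deny udp src outside:203.0.113.7/4444 dst inside:10.1.1.5/1433 by access-group "outside_in"
%ASA-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.9/51000 (198.51.100.9/51000) to inside:10.1.1.20/443 (10.1.1.20/443)
%ASA-4-106023: Deny udp src outside:203.0.113.7/4444 dst inside:10.1.1.6/1433 by access-group "outside_in"
%ASA-4-106023: Deny udp src outside:203.0.113.7/4444 dst inside:10.1.1.7/1433 by access-group "outside_in"
%ASA-4-106023: Deny udp src outside:203.0.113.7/4444 dst inside:10.1.1.8/1433 by access-group "outside_in"
%ASA-4-106023: Deny tcp src outside:198.51.100.9/5555 dst inside:10.1.1.20/22 by access-group "outside_in"
%ASA-3-313001: Denied ICMP type=8, code=0 from 203.0.113.9 on interface outside
"""


def parse_line(line):
    """Return (severity, message id, dst ip, dst port) or None for a non-ASA line.
    dst ip/port are None when the message body carries no destination field."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    d = DST_RE.search(m.group("text"))
    return (int(m.group("sev")), m.group("msgid"),
            d.group("ip") if d else None,
            int(d.group("port")) if d else None)


def group_like_events(log_text):
    """Bucket events by (message id, destination port), the way a consolidating
    viewer sorts 'like' events together. Returns {key: set of destination IPs}."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[2] is None:
            continue
        _sev, msgid, ip, port = parsed
        groups[(msgid, port)].add(ip)
    return groups


def flag_spread(groups, min_hosts=3):
    """Return the (message id, port) keys whose events reach at least min_hosts
    distinct destinations: the 'same message, different destination IP' pattern
    the text describes as an early sign of a worm or a scan in progress."""
    return sorted(key for key, ips in groups.items() if len(ips) >= min_hosts)


def count_by_severity(log_text):
    """Tally parsed lines per severity name, a quick view of how urgent a batch is."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is not None:
            counts[SEVERITY_NAMES[parsed[0]]] += 1
    return dict(counts)


if __name__ == "__main__":
    groups = group_like_events(SAMPLE_LOG)
    for msgid, port in flag_spread(groups):
        hosts = sorted(groups[(msgid, port)])
        print(f"message {msgid} toward port {port} reached {len(hosts)} hosts: {hosts}")
    print(count_by_severity(SAMPLE_LOG))
```

On the constructed sample, the only flagged bucket is message 106023 toward port 1433, which fans out to four inside hosts from one source; the single deny toward port 22 stays below the threshold. The threshold (min_hosts) is the knob to tune against your own baseline, since a handful of denies to different hosts is normal background noise on most perimeters.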
NOTE You can find all syslog messages and the proper responses in the ASA/PIX Security Appliance technical documentation at http://www.cisco.com/go/pix or http://www.cisco.com/go/asdm.