Next-generation firewalls have adopted functionality that used to be provided by other security controls, such as intrusion prevention systems, thus increasing the range of what they can do.
Because next-generation firewalls handle many security tasks, it’s increasingly important to integrate their logging and alerting capabilities into enterprise detection and response capabilities. What’s more, security managers must configure their next-gen firewalls to ingest security information from external sources, such as reputation-based security services. Here are some recommendations for ensuring that security data flows between firewalls and other protective tools and platforms.
Most organizations have centralized log management infrastructures, such as tiers of general log servers and security information and event management (SIEM) servers. These infrastructures are typically used primarily for compliance purposes, but increasingly are also being tapped for incident detection and response. That’s why it’s critical for next-gen firewalls to feed information to these infrastructures to assist in detecting and halting malicious activity.
Be selective when it comes to what information is fed into log management systems, though. Transferring all next-gen firewall log entries might be too resource-intensive, depending on the level of detail in the logging and the volume of log entries. But definitely transfer any log entries deemed suspicious, such as IPS alerts and those indicating blocked traffic (for example, attempts to establish connections that violate the organization’s firewall policy).
Keep in mind, though, that transferring log entries for false positives (alerts that erroneously indicate malicious behavior where none exists) can actually do more harm than good by causing undue concern and distracting attention away from where it should be focused.
Incident tracking systems, which are used by incident response teams to help manage their workloads, don’t immediately come to mind when one thinks about firewall integration. But these systems and firewalls can interact in some interesting ways.
For example, an incident tracking system could query a firewall to access log entries related to an incident, such as all connections made by an attacker’s computer, which could indicate which internal hosts were attacked or compromised; and all related IPS alerts, which could show the nature of the attack traffic.
Another way to use incident tracking systems and firewalls together is to allow the incident tracking system to generate new firewall rules to assist in incident investigation. Suppose that the incident response team is investigating a potential incident, yet doesn’t have enough information to determine what has happened or is happening. It may aid the team to have more data on activity involving a particular host — perhaps an external host thought to be malicious, or an internal host thought to be the target of an attack. The incident tracking system could cause new firewall rules to be dynamically put into place that carefully monitor the host’s activity and perhaps treat it differently; for instance, by blocking anything suspicious and alerting administrators instead of simply logging it.
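The following is an added example, not code from the original article or from any firewall vendor, that puts the preceding recommendations together: it parses a constructed set of key=value firewall log lines, selects only IPS alerts and policy denies for forwarding to the SIEM while dropping signatures the team has already triaged as false positives, then performs the two incident-tracking interactions described above: pulling every connection and IPS alert involving a host under investigation, and building a dynamic monitoring rule for that host. The log format, field names, signature names and addresses are all assumptions.

```python
"""Added example (not from the article): selective SIEM forwarding, incident
pivoting on a host, and dynamic rule generation from firewall logs.
The key=value log format, field names and hosts below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed next-gen firewall log lines in a generic key=value style.
SAMPLE_LOG = """\
type=traffic action=allow src=10.0.0.5 dst=93.184.216.34 dport=443 proto=tcp
type=traffic action=deny src=203.0.113.77 dst=10.0.0.5 dport=3389 proto=tcp
type=ips action=alert src=203.0.113.77 dst=10.0.0.5 dport=445 sig=smb_exploit_attempt
type=ips action=alert src=10.0.0.9 dst=10.0.0.20 dport=8080 sig=http_scanner_ua
type=traffic action=allow src=10.0.0.5 dst=203.0.113.77 dport=8443 proto=tcp
type=traffic action=deny src=198.51.100.3 dst=10.0.0.7 dport=23 proto=tcp
"""


@dataclass
class LogEntry:
    kind: str            # "traffic" or "ips"
    action: str          # allow / deny / alert
    src: str
    dst: str
    dport: int
    sig: Optional[str] = None   # IPS signature name, if any


def parse_log(text: str) -> List[LogEntry]:
    """Parse key=value lines into LogEntry records; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        entries.append(LogEntry(kind=fields["type"], action=fields["action"],
                                src=fields["src"], dst=fields["dst"],
                                dport=int(fields["dport"]), sig=fields.get("sig")))
    return entries


# Signatures already triaged as false positives (constructed). Dropping them
# before forwarding keeps analysts from chasing noise.
SUPPRESSED_SIGNATURES = {"http_scanner_ua"}


def select_for_siem(entries: List[LogEntry]) -> List[LogEntry]:
    """Forward IPS alerts (minus known false positives) and policy denies;
    ordinary allowed traffic stays on the firewall to limit SIEM volume."""
    keep = []
    for e in entries:
        if e.kind == "ips" and e.action == "alert" and e.sig not in SUPPRESSED_SIGNATURES:
            keep.append(e)
        elif e.kind == "traffic" and e.action == "deny":
            keep.append(e)
    return keep


def pivot_on_host(entries: List[LogEntry], host: str) -> Tuple[List[LogEntry], List[LogEntry]]:
    """What an incident tracking system would query from the firewall for one
    host: every connection touching it, and every IPS alert involving it."""
    connections = [e for e in entries if e.kind == "traffic" and host in (e.src, e.dst)]
    alerts = [e for e in entries if e.kind == "ips" and host in (e.src, e.dst)]
    return connections, alerts


def monitoring_rule(host: str, alerts: List[LogEntry]) -> Dict:
    """Build a dynamic rule for the host under investigation: log all of its
    activity, and block-and-notify on ports where IPS has already fired.
    The rule schema is a constructed abstraction, not a vendor format."""
    watch_ports = sorted({a.dport for a in alerts})
    return {
        "match": {"host": host, "direction": "any"},
        "action": "log",
        "escalate": {"ports": watch_ports, "action": "block", "notify": "ir-team"},
    }


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(f"{len(select_for_siem(parsed))} of {len(parsed)} entries forwarded to SIEM")
    conns, ips_alerts = pivot_on_host(parsed, "203.0.113.77")
    print(f"{len(conns)} connections, {len(ips_alerts)} alerts for 203.0.113.77")
    print(monitoring_rule("203.0.113.77", ips_alerts))
```

Running the module shows three of the six constructed entries being forwarded (two denies and one IPS alert, with the suppressed scanner signature dropped), and a pivot on the external host returning both connections that touched it plus the single related IPS alert, which in turn seeds the escalation port in the generated rule.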
Next-gen firewalls can often import threat information from external sources, such as reputation services. These services gather information from many organizations on the apparent benign or malicious nature of IP addresses, domains, URLs, email addresses and other IT components. Sharing this information across organizations can help firewalls make sound decisions about what activity to permit, deny or permit but monitor more closely. Having this information frequently — preferably, continuously — put into the next-gen firewall increases the likelihood of stopping previously unseen attacks from succeeding.
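As an added example (not from the article, and not tied to any real reputation service or firewall API), the code below shows how a firewall might consume a reputation feed covering IP addresses, domains and URLs and turn it into the three-way decision described above: deny, permit but monitor, or permit. It goes slightly beyond the paragraph by also discarding verdicts older than a freshness window, which is what makes the "frequently, preferably continuously" update cadence matter: a verdict the service would no longer stand behind should not keep driving the firewall's policy. The scoring scale, thresholds, freshness window and indicators are all assumptions.

```python
"""Added example (not from the article): ingesting a reputation feed and
deriving a permit / monitor / deny decision per connection. The feed
format, 0..100 score scale, thresholds and indicators are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
from urllib.parse import urlparse


@dataclass
class Reputation:
    indicator: str      # IP address, domain, or full URL
    score: int          # 0 = benign .. 100 = malicious (constructed scale)
    seen: datetime      # when the service last confirmed this verdict


# Constructed feed snapshot. A real deployment would poll the service
# continuously and rebuild the index on every refresh.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
FEED: List[Reputation] = [
    Reputation("203.0.113.77", 95, NOW - timedelta(minutes=5)),
    Reputation("bad.example", 70, NOW - timedelta(hours=2)),
    Reputation("198.51.100.3", 90, NOW - timedelta(days=10)),   # stale verdict
    Reputation("http://files.example/drop.bin", 85, NOW - timedelta(minutes=30)),
]

MAX_AGE = timedelta(days=7)   # freshness window (assumption)
DENY_AT = 80                  # score at or above which traffic is blocked
MONITOR_AT = 50               # score at or above which traffic is permitted but logged


def build_index(feed: List[Reputation], now: datetime) -> Dict[str, Reputation]:
    """Index fresh indicators by value. Entries older than MAX_AGE are dropped
    so the firewall does not act on evidence the service may have withdrawn."""
    return {r.indicator: r for r in feed if now - r.seen <= MAX_AGE}


def decide(index: Dict[str, Reputation], ip: str,
           host: Optional[str] = None, url: Optional[str] = None) -> str:
    """Return 'permit', 'monitor' or 'deny' using the strongest verdict that
    matches the connection's address, hostname, full URL, or URL hostname."""
    candidates = [ip]
    if host:
        candidates.append(host)
    if url:
        candidates.append(url)
        candidates.append(urlparse(url).hostname)   # None if unparsable; never matches
    best = max((index[c].score for c in candidates if c in index), default=0)
    if best >= DENY_AT:
        return "deny"
    if best >= MONITOR_AT:
        return "monitor"
    return "permit"


if __name__ == "__main__":
    idx = build_index(FEED, NOW)
    print(decide(idx, "203.0.113.77"))                                   # deny
    print(decide(idx, "192.0.2.10", host="bad.example"))                 # monitor
    print(decide(idx, "192.0.2.10", url="http://files.example/drop.bin"))  # deny
    print(decide(idx, "198.51.100.3"))                                   # permit (stale)
```

Note that the stale 198.51.100.3 verdict is silently ignored, so that address is permitted on the firewall even though the feed once scored it highly. Whether that fail-open behaviour is acceptable is a policy choice; an alternative is to treat a missing refresh itself as an alertable condition so the team notices when the feed has stopped updating.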