Firewall Forensics


Odds are you will need to conduct a forensic analysis using your firewall logs at some point. The underlying objective of a forensic analysis is to determine what happened and to establish facts that can be used in court. If you have never reviewed the firewall logs before, this can be a costly and almost insurmountable process, because you have no idea what is or is not a normal event for that firewall. Performing a forensic analysis is generally an extremely time-consuming and expensive process; in many cases it is much like trying to find a needle in a haystack. You may know what was done, but not necessarily when or how it was done, which can make it tricky indeed to be successful. This is compounded by the fact that you need to gather evidence from the earliest moment possible to establish exactly what transpired.

Because of the potentially sensitive nature of forensic analysis, it is a good idea to use tools that can assist in performing it, or to bring in experts who have special training in exactly what should and should not be done. This is where tools like NetIQ Security Manager and Cisco CS-MARS come in particularly handy, because they include built-in correlation, query, and reporting functionality that is particularly suited to this kind of situation. For example, Figure 12-4 illustrates a forensic analysis report from NetIQ Security Manager.

Figure 12-4. NetIQ Security Manager Forensic Analysis Report

On the surface, the firewall denying traffic is not necessarily something to be concerned about. However, by looking at the data (for example, the data in Figure 12-4) with a bit more of a critical eye, you can see that the traffic is all originating from the same source (10.1.1.200) to the same destination (10.1.1.2) on a whole slew of different port numbers. This is a classic example of a reconnaissance attack: the attacker is running a port scan in an attempt to determine .
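The correlation the report in Figure 12-4 makes visible (many denies from one source to one destination, each on a different port) can also be checked directly against raw deny logs when no commercial reporting tool is at hand. The following is an added example and is not code from the book, from NetIQ, or from Cisco. The log line format is an assumption modelled on Cisco ASA/PIX "%ASA-4-106023: Deny ..." syslog messages, the sample lines are constructed, and the 10.1.1.200 and 10.1.1.2 addresses are the ones from the text; the threshold of ten distinct ports is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not taken from the page). The line format is
# an assumption modelled on Cisco ASA "%ASA-4-106023: Deny ..." messages.
# 10.1.1.200 -> 10.1.1.2 is the scanner/target pair the text describes; the
# other pairs are background noise a normal firewall would also log.
_SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 3389]
_NOISE = [("10.1.1.50", "10.1.1.2", 80), ("10.1.1.50", "10.1.1.2", 80),
          ("10.1.1.77", "10.1.1.3", 445)]


def _line(src, sport, dst, dport, sec):
    return (f"Jun 10 09:12:{sec:02d} fw1 %ASA-4-106023: Deny tcp "
            f"src outside:{src}/{sport} dst inside:{dst}/{dport} "
            f"by access-group \"outside_in\" [0x0, 0x0]")


SAMPLE_LOG = "\n".join(
    [_line("10.1.1.200", 41000 + i, "10.1.1.2", p, i)
     for i, p in enumerate(_SCAN_PORTS)]
    + [_line(s, 50000 + i, d, p, 30 + i) for i, (s, d, p) in enumerate(_NOISE)]
)

# Pull protocol, source IP, destination IP and destination port out of a deny line.
DENY_RE = re.compile(
    r"Deny (?P<proto>tcp|udp) src \w+:(?P<src>[\d.]+)/\d+ "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_denies(log_text):
    """Yield (src, dst, proto, dport) for every deny line; skip lines that do not match."""
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dport"])


def ports_per_pair(log_text):
    """Correlate denies by (src, dst) and collect the distinct (proto, port) values hit."""
    pairs = defaultdict(set)
    for src, dst, proto, dport in parse_denies(log_text):
        pairs[(src, dst)].add((proto, dport))
    return pairs


def find_port_scans(log_text, min_distinct_ports=10):
    """Return {(src, dst): sorted ports} for pairs whose distinct-port count crosses the threshold.

    A single source hitting a single destination on many different ports is the
    port-scan pattern described in the text; repeated denies on one port are not.
    """
    return {pair: sorted(port for _, port in hits)
            for pair, hits in ports_per_pair(log_text).items()
            if len(hits) >= min_distinct_ports}


if __name__ == "__main__":
    for (src, dst), ports in find_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst} on {len(ports)} ports: {ports}")
```

The threshold is the part that depends on the baseline the text says you should already have: set it from the deny volume this firewall normally produces per source/destination pair, not from a guess. Two caveats a practitioner should keep in mind: a scan spread across many source addresses, or across a long enough time window, will not cross a per-pair count like this, and a scanner that probes only the handful of ports it cares about will look like ordinary noise. Bucketing by time window and also counting distinct destinations per source are the usual next refinements.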
