Firewalls and Logging

The information provided through the use of logging is arguably the most important tool that a firewall administrator has available. Through the use of logging, administrators gain tremendous insight into the general health and status of their firewalls. I frequently equate the information gained from logging to how parents know what is going on with their children: parents spend so much time with their kids that they just know when things are not right, and that allows them to intervene where necessary. Logging provides that kind of insight into the firewall. In fact, logging is really the only method most firewalls can use to inform an administrator of what is going on. By collecting, and most importantly by reviewing, the firewall logs, an administrator will rapidly learn the normal and abnormal behavior of the firewall, making it much easier to determine when and how to intervene to correct a situation.

Generally speaking, there are two methods of logging:

- Syslog logging
- Proprietary logging

The Syslog Protocol

The syslog protocol is the de facto standard method of providing event notification messages across the network. Syslog is defined by RFC 3164 and uses UDP as its default transport mechanism, typically on UDP port 514. By using UDP, syslog gains the advantage of being a low-overhead, connectionless delivery method, which requires fewer resources on the systems doing the logging, but it also makes syslog an inherently unreliable delivery method. Although not common, this can result in messages being lost. To address this deficiency, many devices support syslog over TCP to provide reliable data delivery. This process is defined in RFC 3195.
Syslog messages use what is known as a logging facility and a severity level to determine where the message should be delivered and the importance of the message. The syslog protocol defines 24 logging facilities, as shown in Table 12-1.

Table 12-1.
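As an added example (not from the book or any vendor's code), the following Python decodes the PRI field of RFC 3164 messages into the facility and severity described above, applies the RFC's fallback of PRI 13 for a message whose PRI is missing or invalid, and filters the result by severity the way an administrator reviewing firewall logs would. The sample lines, the host name fw01 and the addresses are constructed.

```python
import re

# Facility codes 0..23 and severity codes 0..7 as listed in RFC 3164 section 4.1.1.
# The PRI value in angle brackets is facility * 8 + severity, so valid PRI is 0..191.
FACILITIES = [
    "kernel", "user-level", "mail", "system daemons", "security/authorization",
    "syslogd internal", "line printer", "network news", "UUCP", "clock daemon",
    "security/authorization", "FTP daemon", "NTP", "log audit", "log alert",
    "clock daemon", "local0", "local1", "local2", "local3", "local4", "local5",
    "local6", "local7",
]
SEVERITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]

_PRI = re.compile(r"^<(\d{1,3})>")
# TIMESTAMP (Mmm dd hh:mm:ss, day space-padded), HOSTNAME, then the free-form MSG part.
_HEADER = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL)

def parse_rfc3164(line):
    """Split one syslog line into PRI, facility, severity, timestamp, host and message."""
    m = _PRI.match(line)
    if m and int(m.group(1)) <= 191:
        pri, rest = int(m.group(1)), line[m.end():]
    else:
        # RFC 3164 section 4.3.3: a missing or unidentifiable PRI is treated as
        # PRI 13 (user-level, Notice) rather than discarding the message.
        pri, rest = 13, line
    facility, severity = divmod(pri, 8)
    h = _HEADER.match(rest)
    timestamp, host, msg = h.groups() if h else (None, None, rest)
    return {"pri": pri, "facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "severity_code": severity, "timestamp": timestamp, "host": host, "message": msg}

def at_least(records, severity_code):
    """Keep records at least as urgent as severity_code (lower code = more urgent)."""
    return [r for r in records if r["severity_code"] <= severity_code]

# Constructed sample lines: invented host "fw01", RFC 5737 documentation addresses.
SAMPLE_LINES = [
    "<134>Nov  3 14:22:01 fw01 kernel: DENY IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 DPT=23",
    "<36>Nov  3 14:22:05 fw01 sshd[2201]: Failed password for invalid user admin from 192.0.2.10",
    "<3>Nov  3 14:22:09 fw01 kernel: eth1: link is down",
    "Nov  3 14:22:10 fw01 cron[1190]: (root) CMD (logrotate)",   # no PRI at all
]

if __name__ == "__main__":
    records = [parse_rfc3164(line) for line in SAMPLE_LINES]
    for r in at_least(records, 4):   # Warning and worse: what an admin reviews first
        print(f"{r['facility']:<24}{r['severity']:<14}{r['host']}  {r['message']}")
```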
