Are There Risks in Sharing Firewall Logs?

FireballDWF asks: "What are the risks in sharing my personal Firewall logs with others? I ask as helping to detect and stop attacks at their source by becoming an agent for MyNetWatchman sounds easy and appealing, but I am concerned about the possible risks." The MyNetWatchman service is designed to take a pro-active approach to network security. A network agent sits on a user's firewall and forwards log entries to a central server that analyzes the data and warns the user if suspicious activity occurs. Sounds like a good plan, but what dangers (if any) will the users of this service be exposing themselves to by providing such access to their machines, even if they are just log files?
  • I can tell you that it is not recommended.
    Spending time on the firewalls list [gnac.net], they almost never keep their original IPs in the log snippets they post... From what I can gather it is because a lot of them do internal routing, and don't want others to know their subnet ranges etc.

    Merely postulating,
    -Tammie

    • Hi...I'm actually the developer of myNetWatchman. First of all...to address the initial question on the safety of submitting firewall logs: Participating in our sensor network involves running either a native Windows application or Perl script. Everyone should exercise due diligence when considering any native app as you are potentially granting access to your system. That said, my users will vouch that my app is trustworthy and it only uploads what it says it uploads...firewall log data. Several have also independently validated this using packet sniffers. I've also tried to make it very clear exactly what information is collected and how privacy is maintained in our Privacy Policy. Really the only information that is sensitive is the agent's IP address. This is exactly why we mask the agent IP address (e.g. 100.100.X.X) on all publicly viewable pages AND in the alert email we send to ISPs.

      To address a few other comments:

      1) "not very cluefull ..." Agreed...this is NOT a refined site. My user interface and presentation are ugly. Intensive queries can time out (I'm working on this). This is a grassroots effort run by ONE full-time person (ME) and a very small group of volunteers. Despite this we successfully process over 100,000 log events/day, identify 10,000 suspect IPs/day, and send 1,000-2,000 email alerts notifying people that their boxes have probably been hacked. Given my limited resources, I think this is pretty impressive.

      2) What do I get in return? Someone mentioned that they don't really get anything for participating. Yes, my primary goal is actually to help those that have been hacked. However, participants benefit in several key ways: a) Knowing that you're helping alert others of compromises; b) Personal reports that show your event data aggregated with thousands of other firewalls around the world. This adds global perspective to your firewall logs...now you can tell how many other people have seen the same activity; c) Automated escalation to responsible ISP or sysadmin...and full disclosure of progress and ISP responses. We almost completely eliminate the need to do manual backtracing and incident escalation, saving many of our participants *hours* per month.

      I hope that I'm not sounding defensive...I welcome the criticism...I know I have a lot to improve on. I also wholeheartedly agree that you definitely need to exercise caution when considering whether to participate in my system or others like it (Dshield, ARIS, etc.). I invite anyone to talk to our participants directly on our news server (news.mynetwatchman.com) or analyze our app for yourselves.

      Regards,
      Lawrence Baldwin
      President, myNetWatchman.com
      +1.678.624.0924
  • For sure, it is better to have end-to-end strong encryption, but for some of us, that is impractical. I would be reluctant to share my logs with anyone, since it amounts to a 'customer list' of my organization.

    I think the best security involves both encryption, AND obscurity. Stands to reason really.

    • Did you happen to read the above, or did you just post hoping to score some quick karma?

      I read it as meaning they're forwarding the logs to another server on the "internal" network, not the dirty network (i.e. internet etc). If you can't trust your internal network, what exactly can you trust?
      • Did you happen to read the above, or did you just post hoping to score some quick karma?

        ... and forwards log entries to a central server ...

        As you can see from the MyNetWatchman [mynetwatchman.com] page, this information is explicitly shown as being sent across the internet.

        Regardless of that, MyNetWatchman makes this information public - with some attempt at obscuring sensitive info.
        See the FAQ [mynetwatchman.com].
  • by Eivind ( 15695 ) <eivindorama@gmail.com> on Tuesday November 13, 2001 @04:34PM (#2560096)
    • Visions [mynetwatchman.com] says, among other things: With TCP and UDP alone there are over 125,000 possible ports that attackers could target... Uhm, yeah. Port numbers are 16 bit. So there's 65536 possible ports, times 2 if you count TCP and UDP. I'm not so sure why this is relevant to anything though.
    • Their link to closed incidents [mynetwatchman.com] gives a: Microsoft OLE DB Provider for ODBC Drivers (0x80040E31) [Microsoft][ODBC SQL Server Driver. Not very comforting.
    • Their domain name is really really dumb. :)
    • They claim 1200 active agents, and 87K reported incidents the last 24 hours. This is a really high level, and thus means the agent has to report back home every little detail that happens.
    On the flipside, they do have a privacy-policy clearly visible on their homepages, and they do support agents under many different OSes. So who knows, maybe they're actually clueful and just manage to come off as clueless.
    • Obviously you have to dumb it down if you want the masses to jump in. They won't score thousands of users if they say the truth: "True, there are 65536 ports, but at most you might have a dozen of them open. Of that dozen, there still isn't much an attacker could do. You might as well spend your time downloading more pr0n."

      I might be just overly sure of myself here, but I've never felt the need to run any sort of firewall on my boxen, whether they run Doze or Nix. I don't recall ever having network-related trouble either. bahhh
    • I don't understand what your issue with the over 125,000 possible ports is. This is a rounded off, and clean figure. Also note the word "over". Would it be better if we said; "With TCP and UDP alone, there are exactly 131,072 ports an attacker could use."? Not quite as clean, and as the other poster said, it needs to be toned down to get the regular home users. The domain name being really "Dumb" is a personal opinion of yours. And I can assure you we have 1200 ACTIVE (uploaded an incident inside of the past 7 days), and we have NO problem going through 87 - 100 K INDIVIDUAL attack records for every 24 hour period. Trust me, I look at the database, it's all there. =) Glad you like our OS support, and privacy policy though.
      • I have no problem with 2^17 being rounded to 125K at all. The problem is that this number is utterly irrelevant to security. Do you really think the internet would be more secure if port numbers were 12-bit? Or that our current security problems would seem tiny if the port numbers were 32-bit?

        The problem I have with the statement is that it's stupid. It's true, but it's irrelevant to the issue at hand. Your actual vulnerability is proportional to the number of listening ports on your machine, but that number bears no direct relationship to the size of the port-number field.

      • An attack on a closed port is an attack. You might not have a problem with it. You do have a firewall. But the next victim might have a problem with it. Read the article about it. Suppose one starts scanning port 25 or 101 a lot. Maybe an Exchange SMTP gateway is vulnerable. It is nice to detect this. (It might just be a spammer....)

        On the other side they are missing all ICMP messages. (How many possibilities, 2^16 again?)

        DOS attacks can use ICMP message as well. It would be nice to detect them as well. If you have a lot of ICMP messages outgoing this should trigger a good log filter.

        Or does your firewall already filter ALL ICMP messages?
    • Thanks for the heads up on the "vision" page.

      I had completely rewritten all of the reports that this page uses; however, I completely forgot to update this page to the new versions.

      They should all work now.

      http://www.mynetwatchman.com/vision.htm
  • Information is power (Score:5, Informative)

    by schon ( 31600 ) on Tuesday November 13, 2001 @04:48PM (#2560139)
    If the question is "Should I send my logs unfiltered to a separate entity?" then the short answer is NO.

    The long answer is NO. Information on your private network numbers should be on a need-to-know basis.

    By posting your IP addresses to a public database (or a central service you don't control), an attacker could use this information against you, by checking the results of their scans against what you log.

    Note that this is NOT obscurity. (Contrary to what a previous poster says.)

    There is nothing wrong with sending filtered log reports (remove the IP addresses, and TCP info, like sequence numbers, if your software logs them) to a central DB.
    • In the incidents your IP IS masked, i.e. 172.168.23.* Secondly, Seq #, etc. are NOT sent to our database server. Thus, the IP address cannot be COMPLETELY removed, otherwise we wouldn't be able to track attack patterns emerging across networks etc. Thus the [proven] power to identify new worms, etc. would be seriously hampered.
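    As an added illustration (not the service's own agent code) of the filtering schon recommends and the masking the developer describes, here is a small Python sanitizer over constructed iptables-style log lines: it keeps only inbound entries from non-RFC1918 sources, drops the TCP sequence fields, and masks the local address in the 100.100.X.X style before anything leaves the box. The log format and addresses are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample log lines (not from the page) in the iptables LOG format;
# SEQ/ACK fields appear when the firewall logs with --log-tcp-sequence.
SAMPLE_LOG = """\
Nov 13 16:34:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=4444 DPT=25 SEQ=1842011 ACK=0 WINDOW=65535
Nov 13 16:34:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=4445 DPT=139 SEQ=1842099 ACK=0 WINDOW=65535
Nov 13 16:34:09 fw kernel: IN=eth1 OUT= SRC=10.0.0.23 DST=198.51.100.7 PROTO=UDP SPT=137 DPT=137
Nov 13 16:34:12 fw kernel: IN= OUT=eth0 SRC=198.51.100.7 DST=203.0.113.45 PROTO=ICMP TYPE=8 CODE=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
# The only fields worth sharing: the remote source, the protocol, the targeted port.
KEEP = ("SRC", "PROTO", "DPT")
# RFC 1918 ranges: internal-to-internal entries would expose your subnet layout.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def mask_ip(ip):
    """Keep the first two octets and blank the host part, like 100.100.X.X."""
    a, b, _, _ = ip.split(".")
    return f"{a}.{b}.X.X"


def sanitize_line(line):
    """Return the shareable fields of one entry, or None if it should stay home."""
    fields = dict(FIELD_RE.findall(line))
    # Inbound only: outbound entries reveal what your hosts talk to.
    if not fields.get("IN") or fields.get("OUT"):
        return None
    if is_rfc1918(fields["SRC"]):
        return None
    out = {k: fields[k] for k in KEEP if k in fields}
    # SEQ, ACK, WINDOW and SPT are dropped simply by not being in KEEP;
    # the destination (you) is the one identifying field, so it is masked.
    out["DST"] = mask_ip(fields["DST"])
    return out


def sanitize(log_text):
    """Sanitize every line of a log dump; this is what an upload would carry."""
    return [r for r in (sanitize_line(l) for l in log_text.splitlines()) if r]
```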
  • in sending your logs as long as you filter out any personally identifiable information, e.g. your IP address.

    That way, they can still do analysis, hacker at IP x.y.z.w is attacking [someone] at port P, but they don't get any detailed info about your setup.
  • This has been an issue that has come up repeatedly with regards to myNetWatchman. I do system development, and incident analysis at the site, as a volunteer.

    I am very interested to hear your comments, and concerns. I would like to hear any suggestions to ease your fears to submit data to our site.

    Using submitted data we have been able to identify new trends in attack data, and therefore find new worms etc. We actually discovered the W32.Leave.Worm.

    I can definitely understand your fears to submitting log data however. Perhaps with your suggestions, we could modify the system to make it more appealing.

    Drop me an e-mail at:
    psychospy@fatelabs.com

    with any suggestions or comments.

    Yours truly,
    Nathan Einwechter
    (PsychoSpy)
    • I think I would be much less wary of forwarding my logs to someone if, first of all, they were only for the traffic trying to get into my network, i.e. external not local traffic, and secondly, if the program that sends them off would change my IP address to something meaningless. But it still is scary revealing any info, especially logs which reside on the 'safe' side of your network; it's just another thing to worry about...
  • I don't like the idea of handing off your logs to this automated system. I do like the idea of trading logs with different companies or IT people (non-competing and VERY trusted, with no other conflict of interest as well). And absolutely unfiltered so that certain risks can be found. This service you speak of, however, doesn't quite fit that criteria - you're not learning anything beyond what they tell you yourself via other's logs, and there is no mutual interest - a very dangerous thing.
    • Although I have a somewhat biased opinion about this because of my involvement, I tend to disagree. This is exactly the attitude that keeps the internet open to subversive worms. We don't make any money off of this, we do this as a service to the INTERNET as a whole. Also, do you trust SANS? Incidents.Org? If so, then look at it this way. If you trust them, and they trust us, then what makes you believe we're some deviants trying to get your log files etc. for malicious use? Especially considering our close co-operation with law enforcement, and SANS in the past. Especially when we discovered the W32.Leave.Worm. If it had not been for a service like ours, this worm never would have been discovered because of its subversive nature, and a couple of British coders would have gotten away with tens or even hundreds of thousands of dollars, plus a LARGE (25,000+) Zombie network. I think this justifies what we're doing in and of itself.