Slashdot Mirror
Are There Risks in Sharing Firewall Logs?
FireballDWF asks: "What are the risks in sharing my personal Firewall logs with others? I ask as helping to put a stop to detect and stop attacks at their source by becoming an agent for MyNetWatchman sounds easy and appealing, but I am concerned about the possible risks." The MyNetWatchman service is designed to take a pro-active approach to network security. A network agent sits on a users firewall and forwards log entries to a central server that analyzes the data and warns the user if suspicious activity occurs. Sounds like a good plan, but what dangers (if any) will the users of this service be exposing themselves to by providing such access to their machines, even if they are just log files?
Spending time on the firewalls list, they almost never keep their original IPs in the log snippets they post... From what I can gather it is because alot of them do internal routing, and don't want others to know their subnet ranges etc.
Merly postulating,
-Tammie
I think the best security involves both encryption, AND obscurity. Stands to reason really.
- Visions says, among other things:
With TCP and UDP alone there are over 125,000 possible ports that attackers could target.. Uhm, yeah. Portunmbers are 16 bit. So there's 65536 possible ports, times 2 if you count tcp and udp. I'm not so sure why this is relevant to anything though.
- Their link to closed incidents Gives a: Microsoft OLE DB Provider for ODBC Drivers
(0x80040E31)
[Microsoft][ODBC SQL Server Driver Not very comforting.
- Their domain name is really really dumb.
:)
- They claim 1200 active agents, and 87K reported incidents the last 24 hours. This is a really high level, and thus means the agent has to report back home every little detail that happens.
On the flipside, they do have a privacy-policy clearly visible on their homepages, and they do support agents under many different OSes. So who knows, maybe they're actually clueful and just manage to come off as clueless.If the question is "Should I send my logs unfiltered to a separate entity?" then the short answer is NO.
The long answer is NO. Information on your private network numbers should be on a need-to-know basis.
By posting your IP addresses to a public database (or a central service you don't control), an attacker could use this information against you, by checking the results of their scans against what you log.
Note that this is NOT obscurity. (Contrary to what a previous poster says.)
There is nothing wrong with sending filtered log reports (remove the IP addresses, and TCP info, like sequence numbers, if your software logs them) to a central DB.
in sending your logs as long as you filter out any personally identifiable information, e.g. your IP address.
That way, they can still do analysis, hacker at IP x.y.z.w is attacking [someone] at port P, but they don't get any detailed info about your setup.
This has been an issue that has come up repeatedly with regards to myNetWatchman. I am do system development, and incident analysis at the site, as a volunteer.
I am very interested to hear your comments, and conerns. I would like to hear any suggestions to ease your fears to submit data to our site.
Using submitted data we have been able to identify new trends in attack data, and therefor find new worms etc. We actually discovered the W32.Leave.Worm.
I can definatly understand your fears to submitting log data however. Perhaps with your suggestions, we could modify the system to make it more appealing.
Drop my an e-mail at;
psychospy@fatelabs.com
with any suggestions or comments.
Yours truly,
Nathan Einwechter
(PsychoSpy)
I don't like the idea of handing off your logs to this automated system. I do like the idea of trading logs with different companies or IT people (non-competing and VERY trusted, with no other conflict of interest as well). And absolutely unfiltered so that certain risks can be found. This service you speak of, however, doesn't quite fit that criteria - you're not learning anything beyond what they tell you yourself via other's logs, and there is no mutual interest - a very dangerous thing.
SIG: HUP
I would recommed checking out http://www.dshield.org/index.html
They are affiliated with the SANS Institute (www.sans.org) which is a highly respected organization in the field. There is also lots of information on their sites about submitting your Logs. They also automatically filter out the 10.x.x.x and 192.168.x.x, etc. internal IP ranges before going into the database.
I could sing their praises a lot, but all I will mention is SANS and go check it out yourself.
An attack to an closed port is an attack. You might not have a problem with it. You do have a firewall. But the next victim might have a problem with it. Read the article about it. Suppose one starts scanning port 25 or 101 A lot. maybe a exchange SMTP gateway is vulnurable. It is nice to detect this. (It might just be a spammer....).
On the other side they are missing all ICMP messages. (how many possibilties 2^16 again?).
DOS attacks can use ICMP message as well. It would be nice to detect them as well. If you have a lot of ICMP messages outgoing this should trigger a good log filter.
Or does your firewall aready filter ALL ICMP messages?
Hi...I'm actually the developer of myNetWatchman. First of all...to address the initial question on the saftey of submitting firewall logs: Participating in our sensor network involves running either a native Windows application or Perl script. Everyone should exercise due-diligence when considering any native app as your are potentially granting access to your system. That said, my users will vouch that my app is trustworthy and it only uploads what it says it uploads...firewall log data. Several have also independently validated this using packet sniffers. I've also tried to make it very clear exactly what information is collected and how privacy is maintained in our Privacy Policy. Really the only information that is sensitive is the agent's IP address. This is exactly why we mask the agent IP address (e.g. 100.100.X.X) on all publically viewable pages AND in the alert email we send to ISPs. To address a few other comments: 1) "not very cluefull ..."
Agreed...this is NOT a refined site.
My user interface and presentation are ugly.
Intensive queries can timeout (I'm working on this)
This is a grassroots effort run by ONE full-time person (ME) and a very small group of volunteers.
Despite this we successfully process over 100,000 log events/day, identify 10,000 suspect IPs/day, and send 1,000-2,000 email alerts notifying people that their boxes have probably been hacked.
Given my limited resources, I think this is pretty impressive.
2) What do I get in return?
Someone mentioned that they don't really get anything for participating.
Yes, my primary goal is actually help those that have been hacked.
However, participants benefit in several key ways:
a) Knowing that you're helping alert others of compromises
b) Personal reports that show your event data aggregated with thousands of other firewalls around the world. This adds global perspective to your firewall logs...now you can tell how many other people have seen the same activity
c) Automated escalation to responsible ISP or sysadmin...and full disclosure of progress and ISP responses. We almost completely elminate the need to do manual backtracing and incident escalation, saving many of our participants *hours* per month.
I hope that I'm not sounding defensive...I welcome the criticism...I know I have a lot to improve on.
I also wholeheartedly agree that you definitely need to exercise caution when considering to participate in my system or others like it (Dshield, ARIS, etc..)
I invite anyone to talk to our participants directly on our newserver (news.mynetwatchman.com) or analyze our app for yourselves.
Regards,
Lawrence Baldwin
President
myNetWatchman.com
+1.678.624.0924