Albert was taken over by panic when he called us. Panic is an understatement, as I could hear his heart thudding over the phone. He had an urgent need to find all the conversations for a specific IP address through his Firewall. He required this conversation detail as a report for the previous week. Albert was a newly hired firewall guy responsible for his network integrity and compliance.
The company Albert works for is one of ManageEngine's premium customers and had deployed ManageEngine Firewall Analyzer. We guided him to create a report profile with the required filters. The report returned no data, because there was no relevant log matching the filter (the IP address) he had applied to it. I explained this and could hear myself...
“Albert's in trouble, bubble bubble, His brain is just not in the pink; His mind is rubble, rub-a-dub double, because I need to make him think…”
On probing, we came to know that his CEO's IP phone had been compromised over the weekend. A critical setting on the IP phone had been modified. He was trying to generate a report for this IP address. He claimed that all his network assets were fortified behind his Firewall, and that any conversation between two IT nodes should pass through the Firewall. Interestingly, these changes had been happening repeatedly for the last 2 weeks, and it was impossible for anyone to enter his office and make the changes physically.
Firewall Analyzer can record and archive all the received logs. We immediately audited his firewall's raw logs (the archive footprints) and found no trace of the IP address of this asset. Albert was up against a daredevil who, I guessed, must be an insider who knew how to stay in stealth mode. No wonder Albert felt terrorized.
We immediately configured a notification profile that would alert him if there was any transaction bearing this IP address as a source or destination! We then probed into his configuration and network topology and held a couple of meetings with his service providers. And lo and behold, we cracked the issue!
A bird's eye view of his network showed that it was segmented into two farms. One led to the Firewall and then to all his internal machines; the other bypassed the Firewall and connected directly to his VOIP equipment via unmanaged switches. This detoured link was managed by the service provider and was a clear-cut blind corner as far as this network was concerned. It had been like this for a very long time and even had the approval of his higher-ups. We tried to get the transaction logs meant for his enterprise from this service provider, and our requests fell on deaf ears. We negotiated to connect this bypassed link through his Firewall and configured a rule defining the objects and services to allow. From then on, his Firewall would record syslog for any transaction destined to his VOIP gear.
The alert profile set up on Firewall Analyzer was a perfect trap. We got real-time notifications over the weekend that recorded the host IP address assigned to his CEO's IP phone. Albert was happy to call us for a case closure. So, what we learnt from this case:
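The two steps above (search the archived raw logs for any conversation involving the phone's address, then alert on every new transaction that has it as source or destination) come down to a filter over syslog records. The following is an added example, not ManageEngine's or Firewall Analyzer's code. It uses a constructed key=value log style that is not any vendor's actual format, a hypothetical phone address of 10.10.50.15, and constructed sample lines for the week before and the week after the VOIP link was brought behind the Firewall. The "before" set contains no trace of the phone at all, which is exactly the empty report Albert saw; the "after" set shows the trap springing.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Set

# Hypothetical address of the compromised IP phone (constructed for this example).
PHONE_IP = "10.10.50.15"

# Constructed firewall syslog lines in a generic key=value style. This is NOT
# the output format of any particular firewall vendor or of Firewall Analyzer.
# Week 1: the VOIP segment still bypasses the firewall, so nothing involving
# the phone is ever logged, and one garbage line tests the parser's tolerance.
ARCHIVED_LOGS = """\
Jan 12 09:01:07 fw01 kernel: action=allow src=10.10.5.22 spt=51234 dst=198.51.100.7 dpt=443 proto=tcp
Jan 12 09:01:09 fw01 kernel: action=allow src=10.10.5.40 spt=40210 dst=198.51.100.9 dpt=80 proto=tcp
Jan 12 09:02:15 fw01 kernel: action=deny src=192.0.2.77 spt=6000 dst=203.0.113.1 dpt=22 proto=tcp
this line is garbage and must be skipped
"""

# Week 2: the VOIP link now passes through the firewall, so traffic to and
# from the phone leaves a trace (constructed, like everything above).
REROUTED_LOGS = """\
Jan 19 02:11:42 fw01 kernel: action=allow src=10.10.5.22 spt=53311 dst=10.10.50.15 dpt=80 proto=tcp
Jan 19 02:11:43 fw01 kernel: action=allow src=10.10.50.15 spt=80 dst=10.10.5.22 dpt=53311 proto=tcp
Jan 19 02:12:01 fw01 kernel: action=allow src=10.10.5.40 spt=40211 dst=198.51.100.9 dpt=80 proto=tcp
Jan 19 02:13:30 fw01 kernel: action=deny src=10.10.5.22 spt=53400 dst=10.10.50.15 dpt=69 proto=udp
"""

# Syslog header (timestamp, host, tag) followed by free key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \S+ (?P<kv>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one syslog line into a dict; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    record = {"ts": m.group("ts"), "host": m.group("host")}
    record.update(KV_RE.findall(m.group("kv")))
    if "src" not in record or "dst" not in record:
        return None
    return record


def conversations_for(log_text: str, ip: str) -> List[Dict[str, str]]:
    """Return every record in which `ip` is the source or the destination.

    Raises ValueError if `ip` is not a valid address, so a typo in the report
    filter cannot silently produce an empty report.
    """
    target = str(ipaddress.ip_address(ip))
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and target in (rec["src"], rec["dst"]):
            hits.append(rec)
    return hits


def peers_of(records: Iterable[Dict[str, str]], ip: str) -> Set[str]:
    """Addresses that talked to `ip`: the first hosts to examine in the follow-up."""
    return {rec["dst"] if rec["src"] == ip else rec["src"] for rec in records}


def alert_lines(log_text: str, ip: str) -> List[str]:
    """One alert per matching record, as a notification profile would raise."""
    return [
        f"ALERT {r['ts']} {r['host']}: {r['src']}:{r.get('spt', '?')} -> "
        f"{r['dst']}:{r.get('dpt', '?')} {r.get('proto', '?')} {r.get('action', '?')}"
        for r in conversations_for(log_text, ip)
    ]


if __name__ == "__main__":
    # The archived week yields nothing: the blind corner never reached the firewall.
    print("archived week:", conversations_for(ARCHIVED_LOGS, PHONE_IP))
    # After re-routing, every touch of the phone is logged and alerted on.
    for alert in alert_lines(REROUTED_LOGS, PHONE_IP):
        print(alert)
    print("peers:", peers_of(conversations_for(REROUTED_LOGS, PHONE_IP), PHONE_IP))
```

The point of `peers_of` is the question Albert actually had: once the phone's traffic is finally visible, which internal host was talking to it? That set is what turns a report into a lead. The `ValueError` on a malformed filter address is deliberate; an empty report caused by a mistyped filter looks identical to an empty report caused by a blind spot, and the two must be told apart before anyone concludes that nothing happened.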
· Fortify your network. Include all IT assets in your rule base to handle traffic through your Firewall. Document your fortified network (Asset and Config Management), and have a wall out procedure for any troubleshooting.
· Have a good toolset for forensic analysis. Log analysis is a routine yet mandatory part of your job as an IT admin. Automated solutions like Firewall Analyzer help you quickly audit any transactions.
· Pass on your knowledge about your network topology to your team. Do not consider cutting costs over control equipment that handles security. Audit your network continuously.
· Do threat management. Each threat is manageable, and you are the cause of a threat. Understanding the severity of a threat is ten percent; the remaining ninety percent depends on how you respond to it.
Albert is happy with our tool, and is recommending Firewall Analyzer to his community. I am equally happy to see a closure to this case. Did you know that Firewall Analyzer can tell you if your device configuration is compliant or not?
Do share your experiences of any similar events you might have come across in your workspace, and the tips and tools you used to overcome the hurdle. I'm all ears :)