Firewall Forensics

Examining the firewall should be a fundamental part of any network forensic analysis. Because all external traffic must come through the firewall, it is imperative that the firewall logs be examined carefully. They frequently contain valuable evidence.

Firewall Basics

A basic working understanding of firewalls is required to do proper firewall forensics. There are several ways to categorize firewalls, but there are two that are more basic than the rest: packet filtering and stateful packet inspection.

Packet Filter

This is the most basic type of firewall. It simply filters incoming packets and either allows them entrance or denies them passage based on a set of rules. This is also referred to as a screened firewall. It can filter packets based on packet size, protocol used, source IP address, and so on. Many routers offer this type of firewall option in addition to their normal routing functions.

Stateful Packet Inspection

The stateful packet inspection (SPI) firewall examines each and every packet, denying or permitting not only based on the current packet, but also considering previous packets in the conversation. This means that the firewall is aware of the context in which a specific packet was sent. This makes these firewalls far less susceptible to ping floods, SYN floods, and spoofing.

Application Filter

This type of firewall combines stateful packet inspection with scanning for specific application issues. For example, a Web Application Firewall (WAF) will scan for typical web attacks such as SQL injection and cross-site scripting.

Collecting Data

All the traffic going through a firewall is part of a connection. A connection consists of two IP addresses that are communicating with each other and two port numbers that identify the protocol or service. The concatenation of an IP address and a port number is called a socket, and it is unique while it is active. The three ranges for port numbers are as follows:

  • Well-known ports—The well-known ports are those from 0 to 1023.

  • Registered ports—The registered ports are those from 1024 to 49151.

  • Dynamic ports—The dynamic, or private, ports are those from 49152 to 65535.

Attempts on the same set of ports from many different Internet sources are usually due to decoy scans. In a decoy scan strategy, an attacker spoofs scans that originate from a large number of decoy machines and adds his or her IP address somewhere in the mix.

Earlier in this chapter, you learned a list of common ports. You should carefully check the firewall logs for any sort of connections or attempted connections on those ports. You also learned about packet flags that might indicate a port scan. If your firewall logs such details, you need to scan the log for any packets that might indicate a scan.

Using protocol analysis may help you determine who the attacker is. The Time to Live (TTL) is not actually a time, per se, but rather the number of routers between a source and destination: an IP packet is discarded when its TTL, decreased at each intermediate router, reaches zero before the packet gets to its destination. For example, you can ping each of the systems and match up the TTL fields in those responses with the connection attempts. The TTLs should match, plus or minus one or two in case the route is slightly different. If the TTL of the captured traffic and the TTL of the test/trace traffic don’t match closely, the addresses are being spoofed by an attacker. One drawback is that to know the actual number of hops, you must know the starting TTL that is being used.

Analyze the firewall logs in depth to look for decoy addresses originating from the same subnets. You will likely see that the attacker has connected recently, whereas the decoyed addresses have not.
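The TTL comparison and the subnet grouping described above, as an added example that is not part of the original text: the log lines, the probe TTLs and the log field names are constructed, and the starting TTL is assumed to be the nearest of the common defaults (64, 128, 255), which is exactly the drawback the text notes.

```python
import ipaddress
from collections import defaultdict

# Constructed firewall log lines (not from any real device): time, action, src, dst port, ttl
LOG = """\
2024-01-10T09:00:01 DROP src=203.0.113.5 dpt=22 ttl=52
2024-01-10T09:00:01 DROP src=203.0.113.9 dpt=22 ttl=41
2024-01-10T09:00:01 DROP src=198.51.100.7 dpt=22 ttl=116
2024-01-10T09:00:02 DROP src=203.0.113.5 dpt=445 ttl=52
2024-01-10T09:00:02 DROP src=203.0.113.9 dpt=445 ttl=41
2024-01-10T09:00:02 DROP src=198.51.100.7 dpt=445 ttl=116
"""

# Constructed TTLs seen in ping replies from each logged source (the "test/trace" traffic)
PROBE_TTL = {"203.0.113.5": 53, "203.0.113.9": 60, "198.51.100.7": 115}
INITIAL_TTLS = (64, 128, 255)  # assumption: sender used one of the common starting TTLs

def parse(log):
    """Turn key=value log lines into dicts with src, dpt and ttl."""
    rows = []
    for line in log.splitlines():
        parts = dict(f.split("=") for f in line.split()[2:])
        rows.append({"src": parts["src"], "dpt": int(parts["dpt"]), "ttl": int(parts["ttl"])})
    return rows

def hops(ttl):
    """Estimate router count as the distance from the nearest common starting TTL above it."""
    start = min(t for t in INITIAL_TTLS if t >= ttl)
    return start - ttl

def flag_spoofed(rows, probe_ttl, tolerance=2):
    """Sources whose logged hop count differs from the ping-reply hop count by more than tolerance."""
    suspect = {}
    for r in rows:
        if r["src"] in probe_ttl:
            diff = abs(hops(r["ttl"]) - hops(probe_ttl[r["src"]]))
            if diff > tolerance:
                suspect[r["src"]] = diff
    return suspect

def sources_by_subnet(rows, prefix=24):
    """Group logged sources by subnet to spot decoy addresses that share a network."""
    groups = defaultdict(set)
    for r in rows:
        net = ipaddress.ip_network(f"{r['src']}/{prefix}", strict=False)
        groups[str(net)].add(r["src"])
    return {k: sorted(v) for k, v in groups.items()}
```

In the constructed data, 203.0.113.9 is logged 19 hops away from where its ping reply places it, so it is the candidate spoofed decoy, while the two 203.0.113.0/24 sources hitting the same ports are the subnet cluster worth reviewing.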
