I have setup and configured network security for banks, police networks, state court networks, Internet Service Providers along with manufacturing plants and a variety of other business. Some of these organizations had their own security department most did not.
One question I always get is what can we do to improve security? Now most businesses already have a firewall, VPN and are looking at either Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) when they ask this question. My first question back is, “are you capturing your logs?”
Only about 10-15% of the companies are capturing their logs off all their devices. So even if they are capturing their logs, the next question quickly becomes, “Is anyone reviewing their logs?”
The answer is almost always, “We review the logs when something goes wrong.”
So what can you do to improve your network security is really easy. If you do not have any central logging of your devices. Turn up a central syslog server. If you are not logging from your network devices you have no real security. If someone tries to sell you anything for network security, but you still don’t have any central logging system. They are not improving your security. They are just trying to sell you something. People don’t sell most logging systems, because any Linux system can do it for free.
Logging but not checking the logs, isn’t really helping security either. If you have a syslog server, but never look at it, you have not help your security at all. For them to be useful, someone needs to go through the logs every time period (daily, weekly, monthly..) and look for any anomalies.
Going through the logs can be very time consuming, but is doesn’t have to be. In my next blog I will go through ways to improve and minimize the time it takes to review your syslog file.
Jason Howe, PEI
