If you would like to read the other parts in this article series please go to:
- Understanding TMG Logging (Part 2)
- Understanding TMG Logging (Part 3)
- Understanding TMG Logging (Part 4)
Introduction
Firewall logging is probably one of TMG’s best features, as we’ve mentioned in previous articles, including our series on Features to Consider When Replacing a TMG Firewall. TMG firewall logging provides an enormous amount of information about what traffic is moving to and through the firewall and the logs deliver detailed information about the users and computers and what each is accessing through the firewall. This helps you to identify possible attackers and network probing. In this article, I want to talk about why TMG firewall logging is important and what some of the improvements are in logging for the TMG 2010 firewall. In subsequent articles, we’ll go a little deeper and discuss some of the configuration options.
There’s not much doubt that logging is one of the most important activities performed by your firewall when it comes to network and security management. You know that in today’s security world, documentation is everything. As an TMG firewall admin, you need to keep a record of the changes that have been made to the firewall as well as a detailed record of the user activity that takes place through the TMG firewall, and you need to monitor for any attacks that might be occurring on the network aimed either at or through the firewall.
Key uses of logs
There are several key activities that TMG firewall logging will help you with:
-
Troubleshooting issues with Internet connectivity and applications. You can use the TMG firewall logs to help you troubleshoot a myriad of problems. The easiest method for determining whether traffic is being blocked by the firewall and which port or IP address is being blocked by the firewall is to check for these events in the TMG firewall’s logs. Some applications require custom protocols that sometimes aren’t documented well enough for you to figure out which protocols you need to configure the firewall to allow (either inbound or outbound or both). When you run into these kind of situations, you can use the TMG firewall’s log files to determine which protocols are being blocked, and this will enable you to create rules to allow these protocols.
-
Identifying User Activity through the TMG firewall. Many organizations need to keep detailed information about the activities of users when accessing the Internet. While this issue may decrease in importance in the coming years as cloud computing and ubiquitous access and mobile devices begin to have a major impact on the enterprise, there are currently still many reasons that you need to make sure that you have insight into what your users are doing with corporate devices on the corporate network. When you track user activity through the TMG firewall, you will have detailed logs of which internal and external web sites the users have visited and services they have utilized, how long the users remained online for the duration of the day and much more information. Remember that this information can also be subpoenaed and used in legal proceedings. In order to support the use of log information in legal scenarios, you need to make sure that no user is be able to pass through the firewall unless there is a backup logging mechanism active that can be used for logging and later merged with the original logs in the event that the primary logging mechanism fails. This is important because intruders will often try to disable logging on the firewall so that they can hide their activities, and if they do this successfully, they will complete their nefarious acts and then re-enable firewall logging with the hope that you might not even notice that anything ever went amiss.
-
Creating a Health Model. You can use the firewall logs as part of your network health model definition and assessment. The TMG firewall will enable you to identify and track things that apply to your health model, such as network utilization and traffic patterns. The TMG firewall can also help you determine whether any specific endpoint is generating excessive network traffic that might represent a DoS attack. Some attacks might be very short in duration and therefore difficult to identity, but if you regularly analyze the logs, you might be able to determine particular patterns. Then you can create firewall rules to block such attacks or block compromised hosts.
-
Facilitating Change Control and Tracking. In a secure environment, it is critical that all changes that are made on the TMG firewall be tracked, and there should also be a mechanism in place to revert back to a previous configuration in case of a change that causes problems. Although most companies follow strict guidelines around change management as applied to their firewalls, human error will always haunt us. For this reason and more, change tracking logs need to be available so that you can evaluate the exact nature of any changes to the TMG firewall configuration. This way, if a configuration error is made, it can be quickly mitigated.
Improvements in TMG logging
The TMG firewall adds to the log fields you had with the ISA firewall. The TMG firewall includes a number of new fields to support the TMG firewall itself, the TMG Client (also known as the firewall client), Forefront Client Security (now defunct), and some UAG functionality (since all UAG installations also include a TMG firewall installation underneath them). We will take a look at some of the more interesting log fields that you might want to use in your TMG firewall deployment.
TMG client fields
The TMG client (or firewall client) provides new functionality because it can provide much more information about the application, user, and operating system environment than the ISA Firewall client application. Unfortunately, you can’t use this information to craft custom TMG firewall policies. Consequently, this information is informative only – but information is power! Check these out:
-
Firewall Client Application File Version – This field contains the file version of the Winsock application as seen on the Details tab of the file properties page for that file.
-
Firewall Client Application Internal Name – This field contains the description of the Winsock application as seen on the Details tab of the file properties page for that file.
-
Firewall Client Application Original File Name – This field contains the original file version of the Winsock application as seen on the Details tab of the file properties page for that file.
-
Firewall Client Application Product Name – This field contains the product name of the Winsock application as seen on the Details tab of the file properties page for that file.
-
Firewall Client Application Product Version – This field contains the product version of the Winsock application as seen on the Details tab of the file properties page for that file.
-
Firewall Client Application SHA1 Hash – This field contains the hash value of the Winsock application executable calculated using the SHA1 has algorithm. This could be very useful in the future for providing a mechanism to detect malware that is attempting to connect to resources through the TMG firewall.
-
Firewall Client FQDN – This field includes the FQDN of the computer running the firewall client application to connect to the TMG firewall.
-
Fwc Application Path – This field contains the full path of the executable making Winsock calls.
Content inspection fields
Now that the TMG firewall can perform malware protection, the TMG firewall has new logging fields that help you keep a track of content that was inspected and returned to users.
-
Content Delivery Method – This field indicates whether fast or slow trickling was used to deliver the content to the user.
-
Malware Inspection Action – This field provides you with information about any actions taken for the traffic that triggered this log entry. This field should always be reviewed when you’re troubleshooting issues with file or site access.
-
Malware Inspection Duration – Regardless of the web anti-malware logging entries, this field will contain the amount of time in milliseconds it took to scan the content.
-
Malware Inspection Result – This field indicates whether anti-malware scanning was successful in scanning the content.
-
Threat Name – When anti-malware activity is logged, this field will contain the name of the threat.
-
Threat Level – When anti-malware activity is logged, this field will contain the severity or level of threat.
NIS fields
The Network Inspection System (NIS) supports intrusion prevention and intrusion detection. New log file fields that correspond to actions taken by NIS are now available with the TMG firewall. These will help you keep track of traffic as passed and inspected by NIS. Some of the more interesting fields include:
-
NIS Scan Result – This field shows the result of the NIS action taken for the traffic that initiated this log entry. Make sure you check this field whenever you are troubleshooting site or file access issues.
-
NIS Signature – If the NIS Scan Result is logged as Blocked or Detected, this field will show which NIS signature triggered this action.
-
NIS Application Protocol – When an NIS activity is logged, this field will contain the application protocol understood by NIS.
Summary
In this article, we began the discussion by talking about why logging is an important activity for any secure firewall environment. The TMG firewall presents you with a number of new options for logging various activities to and through the TMG firewall. We finished up with a description of some of the more interesting fields that you’ll want to monitor on a regular basis, especially when you are troubleshooting problems with file or site access through the TMG firewall. More often than not, you’ll find the answers you need to the TMG firewall log files, so consider these files your friends! See you next time! –Deb.
If you would like to read the other parts in this article series please go to:
