This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Dashboarding Firewall Activity

Anonymous
Not applicable

‎2016-08-16 12:44 AM

This is going to sounds like a silly question because I'm not really sure I know what I want or what I'm asking.

Has anyone developed dashboards that monitor the traffic between their firewalls?

What sort of data are you visualising (ie. Top 10 source IPs, Top ports, amount of traffic etc.).

I only started thinking about this today so I'm still working out the idea, but I guess I'd like to be able to have a dashboard for a firewall and have the potential to see if there are any traffic flows that stand out as strange. I think I'd have a dashboard per firewal.

4 REPLIES 4

AndrewOjha
Employee
Employee

‎2016-08-16 12:57 AM

Not a silly question at all, sometimes it's not trivial to kick off "slicing and dicing" these sets of data - but after sampling the data a few times, you'll get the hang of it.

In addition to 'Top 10' values, 'Bottom 10' (rare) values are interesting to keep an eye on as well:

  • Bottom 10 Src IPs
  • Bottom 10 Dest IPs
  • Bottom 10 Ports
  • Bottom 10 User-Agents
  • etc

 

Also - consider enriching your firewall data with relevant business context via the use of [Feeds] and [App Rules], allowing for visualizations of not just firewall data, but meaningful data relevant to what you are protecting / monitoring.

EricPartington
Employee
Employee

‎2016-08-16 01:32 PM

I would make sure that you have taken a swing at defining traffic directionality (or are using the firewalls interpretation of direction - or the RSA traffic_direction parser) then you could do some interesting things such as:

  • top protocols outbound (should sftp, icmp, ftp, ssh ex be leaving your org) - drill into the odd balls and see source and destination
  • top protocols outbound where threat.category exists (if you have good intel feeding your SA environment - outbound where there is a hit on some threat intel you trust)
  • DNS outbound from non-corporate DNS servers (should all your dns traffic be outbound from your corporate dns servers ? if you have a system configured that is bypassing - malicious or misconfiguration - hunt them down and investigate) - you could use a feed of known corporate dns servers and whitelist ip.src based on a match or lack of match
  • http outbound traffic with direct to IP communication - most http traffic is usually to a DNS name, how many times do you http direct to an IP address.  start there then investigate and whitelist as appropriate

SalSanshez
Beginner
Beginner
In response to EricPartington

‎2016-09-25 01:08 AM

These are great points!

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.