Specifications
7 Help
List all running processes with ps and search for processes that do not
typically occur in normal firewall operation.
Draw up a process table when setting up the firewall that can later
serve as a basis for comparison.
Check the running processes for links to unusual TCP or UDP ports.
See if the packet filter rules were changed.
Compare all configuration files with the original configuration. This is
very easy with the SuSE Firewall on CD, because the configuration is
already saved on the Adminhost. In doing so, however, it is essential
not to restart the firewall host, because any changes to the filter rules
could be lost.
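The checks above (process table drawn up at setup time, listening ports, filter rules, configuration files) can be scripted so that the comparison is mechanical. The following is an added example, not a script from the SuSE Firewall on CD package: it records a baseline under an assumed directory and later diffs a fresh snapshot against it. The configuration file paths and the use of iptables-save are assumptions; the manual itself keeps the reference configuration on the Adminhost.

```shell
#!/bin/sh
# Added example, not part of the SuSE Firewall on CD manual: take a baseline of
# processes, listening sockets, packet filter rules and configuration files at
# setup time, then compare a fresh snapshot against it during an incident.
# BASELINE_DIR and CONFIG_FILES are assumed values; adjust them to the host.

BASELINE_DIR="${BASELINE_DIR:-/var/lib/fw-baseline}"
CONFIG_FILES="${CONFIG_FILES:-/etc/rc.config /etc/rc.config.d/firewall.rc.config}"  # assumed paths

# Sorted, de-duplicated command names of all running processes (PIDs vary, the set should not).
process_list() { ps -eo comm= | sort -u; }

# Listening TCP/UDP sockets together with the owning program (-p needs root).
listener_list() { netstat -tulpn 2>/dev/null | awk 'NR > 2 { print $1, $4, $NF }' | sort -u; }

# Current packet filter rules; iptables-save assumed (ipchains-save on 2.2 kernels).
# The '#' lines carry timestamps and would differ on every run.
rule_dump() { iptables-save 2>/dev/null | grep -v '^#'; }

# Checksums of the configuration files to be compared with the original.
config_sums() { md5sum $CONFIG_FILES 2>/dev/null; }

# new_entries BASELINE CURRENT: lines present in CURRENT but not in BASELINE (both sorted).
new_entries() { comm -13 "$1" "$2"; }

# changed BASELINE CURRENT: succeeds when the two files differ.
changed() { ! cmp -s "$1" "$2"; }

take_baseline() {
    mkdir -p "$BASELINE_DIR"
    process_list  > "$BASELINE_DIR/processes"
    listener_list > "$BASELINE_DIR/listeners"
    rule_dump     > "$BASELINE_DIR/rules"
    config_sums   > "$BASELINE_DIR/configs"
}

compare_to_baseline() {
    tmp=$(mktemp -d)
    process_list  > "$tmp/processes"
    listener_list > "$tmp/listeners"
    rule_dump     > "$tmp/rules"
    config_sums   > "$tmp/configs"
    echo "== processes not in baseline =="
    new_entries "$BASELINE_DIR/processes" "$tmp/processes"
    echo "== listening sockets not in baseline =="
    new_entries "$BASELINE_DIR/listeners" "$tmp/listeners"
    if changed "$BASELINE_DIR/rules" "$tmp/rules"; then
        echo "== packet filter rules changed =="
        diff "$BASELINE_DIR/rules" "$tmp/rules"
    fi
    if changed "$BASELINE_DIR/configs" "$tmp/configs"; then
        echo "== configuration files changed =="
        diff "$BASELINE_DIR/configs" "$tmp/configs"
    fi
    rm -rf "$tmp"
}

# Usage: fw-baseline.sh baseline   (once, after setup)
#        fw-baseline.sh compare    (during an incident, without rebooting)
case "${1:-}" in
    baseline) take_baseline ;;
    compare)  compare_to_baseline ;;
esac
```

Run the baseline step right after the firewall is configured and copy the baseline directory off the host, so that the comparison does not depend on files an intruder could have altered.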
Also back up all log files. The log files could be legally admissible
evidence. Document all steps you have taken. If you save the log files
locally to the hard disk, make an exact copy of the hard disk for
documentation purposes.
Save your data to CD or to another medium (tape drive, ZIP drive).
Analyze the log files: Who tried to access what services or ports when
and from where (IP address, domain name, possibly even user name)?
Was an attempt made to uncover passwords (multiple failed login
attempts with the same user name)?
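The questions above (who accessed which service or port, when, from where, and whether passwords were being guessed) can be answered with a few awk one-liners over the syslog file. The following is an added example, not part of the SuSE Firewall on CD manual; the sshd message format and the kernel packet-filter log format it parses are assumptions, and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the SuSE Firewall on CD manual: summarize a syslog
# file by user, source address and destination port, and flag repeated failed
# logins for the same user name. Message formats are assumed (OpenSSH sshd and
# iptables LOG style); the sample lines are constructed, not real log data.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:12 fw sshd[2231]: Failed password for admin from 192.0.2.17 port 40122 ssh2
Mar  3 10:01:15 fw sshd[2231]: Failed password for admin from 192.0.2.17 port 40122 ssh2
Mar  3 10:01:19 fw sshd[2231]: Failed password for admin from 192.0.2.17 port 40122 ssh2
Mar  3 10:02:01 fw sshd[2240]: Accepted password for operator from 10.0.0.5 port 51000 ssh2
Mar  3 10:03:44 fw sshd[2250]: Failed password for invalid user test from 198.51.100.9 port 33010 ssh2
Mar  3 10:05:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=33020 DPT=23
Mar  3 10:05:12 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=33021 DPT=23
EOF

# failed_logins LOGFILE THRESHOLD: print "user source count" for every user/source
# pair with at least THRESHOLD failed password attempts (password guessing indicator).
failed_logins() {
    awk -v t="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            user = ""; src = ""
            for (i = 1; i <= NF; i++) {
                # "for invalid user NAME" carries the name two fields further on
                if ($i == "for")  user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
                if ($i == "from") src = $(i+1)
            }
            count[user " " src]++
        }
        END { for (k in count) if (count[k] >= t) print k, count[k] }
    ' "$1" | sort
}

# denied_packets LOGFILE: print "source dport count" for kernel packet-filter log
# lines, i.e. which ports were probed and from where.
denied_packets() {
    awk '
        / kernel: / && /SRC=/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if (index($i, "SRC=") == 1) src = substr($i, 5)
                if (index($i, "DPT=") == 1) dpt = substr($i, 5)
            }
            count[src " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' "$1" | sort
}

# timeline LOGFILE PATTERN: the raw matching events in log order, for the written report.
timeline() { grep -- "$2" "$1"; }

# Usage against the constructed sample:
#   failed_logins "$SAMPLE_LOG" 3
#   denied_packets "$SAMPLE_LOG"
#   timeline "$SAMPLE_LOG" 192.0.2.17
```

Apply the same functions to the copied log files, never to the originals, and note that the timestamps are only comparable across hosts if the firewall and log host share a time source.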
Make sure you are using a uniform and exact time source. It is
important that the hardware clock of the firewall host and the log host
are as closely in sync as possible. Use a common time source for all
your servers whenever possible. Only in this way can you keep track
of events accurately.
Which parts of the security policy were violated? This is especially
important in regard to internal intrusions.
If it was an internal attack, you may want to deactivate the user account
in your network that carried out the attack. The procedure for handling
internal violations should also be laid down in the security or company
policy.
SuSE Linux – Firewall on CD