How to Tell a Firewall Breach
By Laurie Brenner
An incorrectly configured firewall poses a security threat not only to the business it protects, but also to all the people who access or use the company's internal network. When a firewall breach occurs, it means someone wasn't paying attention to important logs or taking the time to analyze the company's security. Most firewall breaches arise because of configuration errors, not because of software failure. Identifying a firewall breach is paramount to ensuring system security.
Analyze firewall logs. Computer systems and software track all activity. Reviewing these logs on a regular basis allows you to verify if a breach has occurred. Pay attention to any suspicious activity, such as network scanning or information gathering. Standard internal users have no reason to be completing these kinds of activities on your system. When you spot this kind of activity in your system logs, change passwords and configuration settings immediately. Hackers use software to scan or probe files, which shows up on the logs as repeated timed attempts to access system or other files.
Look for external access from Internet Protocol addresses not familiar to you. Keep a list of all IP addresses used by employees or authorized persons to access internal systems from the outside. Track down any IP addresses from system logs that you don't recognize. Use an online IP look-up website, such as IP-Lookup.net, Whois.net or Hostip.info, to check where these IP addresses are located. If they lead to foreign countries or proxy servers, you've likely found where the breach originated.
Check Web server logs and any logs used with ports that may be vulnerable or open to the firewall. Look for user logons you don't recognize and odd activity coming from unrecognized external sites. Pay particular attention to the times of access. Hackers often attempt access at odd hours of the night, especially if the attacks come from outside the country.
Review system directories and check file updates. Review file dates for modification, especially files that are not typically changed or modified. If you determine that a breach has occurred, remove external access to your system. This will keep further attacks from occurring while you assess damage, clean and reconfigure the system.
Check the Wi-Fi router activity logs and trace any activity that looks suspicious. Wi-Fi routers are access points into your system, if you have not added passwords and secured them against outside access.
- Develop system rules and configuration to ensure that passwords are secure and changed regularly. Hire an outside firm to perform a safety check of your firewall and security systems. Follow their recommendations to secure your network.
- Decontaminate the system before making it accessible to the outside.
- Never provide access to network passwords and systems to people not authorized on these systems.
As a native Californian, artist, journalist and published author, Laurie Brenner began writing professionally in 1975. She has written for newspapers, magazines, online publications and sites. Brenner graduated from San Diego's Coleman College.