Security Manager's Journal: Peering behind the firewall

Today I have been looking at my firewall logs through the lens of my security information and event management (SIEM) console. My staff usually does the day-to-day monitoring, and I have a third-party service that monitors the SIEM 24x7, but today I looked in on the situation with my own eyes, which I like to do every so often. I noticed some interesting things.

First of all, my network is constantly under attack. Every day, all day long, some kind of denial-of-service, port scanning, account/password guessing or direct exploit is being attempted. This seems to be the background noise of the Internet, most likely generated by automated systems under the control of malware, perhaps even large networks of botnets. Most of it doesn't seem to be directed at my network. It just seems to be crawling through the IP address spaces of the Internet in general.

I've noticed the same thing on my home network. I have a firewall at home that sits right behind my Internet router, and every once in a while I look at its logs, in much the same way I look at my company's firewall logs. At first I was surprised -- it was kind of a shock to see actual exploit attempts targeted at my home computers, game consoles, DVRs and other Internet-connected devices. Of course I realize that malicious traffic is ubiquitous on the Internet, but knowing it is not the same thing as seeing it face-to-face. It's like looking down the barrel of a gun.

On my company's network, the firewall blocks all these attacks. Literally. The only successful security breaches I've had on my network have been from the inside -- malware from email, malicious websites and tainted storage devices. Nothing has been able to hit me from outside through the firewall (knock on wood). I know this because I have sophisticated threat monitoring on my network and endpoint computers. So what I'm really looking at are firewall denies.

Still, despite the fact that none of the attacks are getting through, I wanted to do a deeper analysis. I started by separating the attacks into three categories.

The first category is the lowest level of concern, which is just information from the firewall logs about small amounts of bad traffic. Mostly this consists of a few bad connections or invalid network packets and connection timeouts. Nothing that can cause a lot of harm.

The second category is network traffic that is clearly malicious but doesn't pose an immediate threat. Obvious exploit attempts or vulnerability scans looking for security holes fall into this category, as long as my firewall is able to block it all.

The most severe category includes the attacks that are close to exhausting resources on my defensive perimeter. These are typically either DNS connection attempts trying to overwhelm my DNS server, or large amounts of regular network packets trying to flood my network, or excessive SSL connections to my Web servers. Fortunately, none of these have yet been successful, partially due to the fact that my Internet service provider filters out a lot of bad traffic before it gets to me.

The reason I split things into these three categories is so I can better manage the information I'm looking at. For now, I don't need to look at events in the first category, since they don't represent an immediate threat. The second category can also be ignored for now, although I want to keep an eye on things that may escalate into the third category. That's the one I want to look at more closely. I'll be keeping an eye on these "level three" events to make sure they don't threaten to escalate into an actual breach, either by exploiting services through the firewall or by exhausting resources on my firewall, network or systems.
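One way to turn this three-level triage into something the SIEM can run, as an added example that is not code from the column: it parses a constructed batch of firewall deny lines (the line format, the reason tags and the flood threshold are all assumptions) and escalates any source that hammers one port hard enough to threaten DNS, web or network capacity into level three.

```python
import re
from collections import Counter

# Constructed sample deny lines (not from the column); format, tags and threshold are assumed.
SAMPLE_LOGS = """\
10:00:01 deny tcp 203.0.113.5:40001 -> 198.51.100.10:443 reason=syn-flood
10:00:01 deny tcp 203.0.113.5:40002 -> 198.51.100.10:443 reason=syn-flood
10:00:02 deny tcp 203.0.113.5:40003 -> 198.51.100.10:443 reason=syn-flood
10:00:02 deny tcp 203.0.113.5:40004 -> 198.51.100.10:443 reason=syn-flood
10:00:07 deny udp 192.0.2.77:53111 -> 198.51.100.20:53 reason=rate-limit
10:00:07 deny udp 192.0.2.77:53112 -> 198.51.100.20:53 reason=rate-limit
10:00:07 deny udp 192.0.2.77:53113 -> 198.51.100.20:53 reason=rate-limit
10:00:07 deny udp 192.0.2.77:53114 -> 198.51.100.20:53 reason=rate-limit
10:00:09 deny tcp 192.0.2.9:4444 -> 198.51.100.10:22 reason=port-scan
10:00:09 deny tcp 192.0.2.9:4444 -> 198.51.100.10:23 reason=port-scan
10:00:11 deny tcp 203.0.113.44:5555 -> 198.51.100.10:80 reason=ips-signature
10:00:15 deny tcp 192.0.2.3:6000 -> 198.51.100.10:443 reason=invalid-packet
10:00:20 deny tcp 192.0.2.4:6001 -> 198.51.100.10:443 reason=timeout
"""
LINE_RE = re.compile(r"deny (\w+) ([\d.]+):\d+ -> [\d.]+:(\d+) reason=([\w-]+)")
FLOOD_THRESHOLD = 4  # denies per (source, destination port) treated as a flood
MALICIOUS_TAGS = {"port-scan", "ips-signature", "syn-flood", "rate-limit"}  # level two
SERVICE = {53: "DNS", 443: "SSL/web"}  # the two services the column singles out

def parse(log_text):
    """Return (proto, src, dport, reason) tuples for every deny line that matches."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return events

def triage(events):
    """Bucket denies into the column's levels: 1 noise, 2 blocked malicious, 3 flood volume.
    Returns {level: [(src, dport, reason, count, service)]} with level 3 sorted by count."""
    counts = Counter((src, dport) for _, src, dport, _ in events)
    reason_for = {(src, dport): reason for _, src, dport, reason in events}
    levels = {1: [], 2: [], 3: []}
    for (src, dport), n in counts.items():
        reason = reason_for[(src, dport)]
        if n >= FLOOD_THRESHOLD:
            level = 3  # enough volume to start exhausting a resource; watch closely
        elif reason in MALICIOUS_TAGS:
            level = 2  # clearly malicious but fully blocked by the firewall
        else:
            level = 1  # invalid packets, timeouts and other low-volume noise
        levels[level].append((src, dport, reason, n, SERVICE.get(dport, "network")))
    levels[3].sort(key=lambda e: e[3], reverse=True)
    return levels
```

Feeding the real deny feed through `parse` and `triage` on a sliding window (say, per minute) gives the escalation watch the column describes: a source that drifts from level two into level three shows up at the top of the level-three list.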

It's also interesting to look at where these attacks are coming from. In the level three category, the No. 2 source of attacks is China. There's been a lot of talk lately about Chinese hackers, and I'm seeing some evidence of that. The No. 3 source is the Netherlands, which I can't explain other than the fact that a lot of computer talent, as well as exploits, come from there. The next source is Ukraine, which probably shouldn't surprise me given the current political climate. South Korea, the Russian Federation, India, Taiwan, France and Brazil are next in line, knocking on my door.

Who is No. 1? The U.S. I don't think we'll be bragging about that ranking anytime soon.

This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at
