S 4.81 Auditing and logging of activities in a network
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator, Auditor
Appropriate logging, auditing and review constitute essential factors with regard to network security.
Logging in a network management system or on certain active network components allows particular states (which generally have to be defined beforehand) to be recorded for subsequent evaluation. Typical events that can be logged include faulty packets transmitted to a network component, unauthorised access to a network component, or the performance of the network at certain points in time. Evaluating such logs with suitable tools makes it possible, for example, to determine whether the bandwidth of the network meets current requirements, or to identify systematic intrusion attempts against the network.
Auditing implies the use of a service which deals, in particular, with events critical to security. This can take place online or offline. During online auditing, events are scrutinised and evaluated in real time with the help of a tool (e.g. a network management system). During offline auditing, the data are logged or extracted from an existing log file. Items monitored via offline auditing frequently include data on utilisation times and incurred costs.
During review, data gathered as part of (offline) auditing are examined by one or more independent employees (two-person rule) in order to detect any irregularities during the operation of IT systems and to monitor the administrators' activities.
The logging and auditing functions offered by a network management system should be activated to a reasonable extent. In addition to performance measurements for monitoring the network load, it is particularly advisable to evaluate the events generated by the network management system, or use specific data collectors (e.g. RMON probes) which allow the monitoring and evaluation of events critical to security.
A large number of entries are usually generated during logging, and so a tool is required to analyse them efficiently. Auditing focuses on the monitoring of events critical to security. Auditing often also involves the collection of data on utilisation periods and incurred costs.
The following events are of particular interest during auditing:
- Data on the operating times of IT systems (which IT system was activated/deactivated when?)
- Access to active network components (who logged on when?)
- Security-critical access to network components and network management components, whether successful or not
- Distribution of network loads over an operating period of one day/one month, and the general performance of the network
The following events should also be logged:
- Hardware malfunctions that could lead to the failure of an IT system
- Impermissible changes to the IP address of an IT system (in a TCP/IP environment)
Auditing can be performed online or offline. During online auditing, categorised events are reported directly to the auditor, who can initiate measures immediately, if required. These events must be assigned to suitable categories so that the responsible administrator or auditor retains a clear overview and can respond to important events immediately without being overwhelmed by a flood of information. During offline auditing, data from log files or special audit files are prepared with the help of a tool and then examined by the auditor. In this case, measures for maintaining or restoring security can only be initiated after a time delay. Generally it is advisable to employ a mixture of online and offline auditing: security-critical events are filtered out and reported to the auditor immediately, while events of a less critical nature are analysed offline.
Standard management protocols such as SNMP and RMON (which is based on SNMP) as well as specific protocols of the employed network management product can be used for logging and auditing.
On no account should user passwords be collected as part of auditing or logging! A high security risk would arise if unauthorised access were gained to this data. Incorrect password entries should not be logged either, as they usually differ from the corresponding, correct passwords only by one character or two interchanged characters.
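The two rules above, the categorisation of events so that security-critical ones reach the auditor online while the rest are kept for offline analysis, and the prohibition on password material ever reaching a log, are illustrated by the following added Python example. It is not part of this safeguard and not code from any BSI or vendor tool. The syslog-like line format, the host-to-IP inventory table, the keyword rules and the sample log lines are all assumptions constructed for illustration; a real deployment would key them to the syslog and SNMP trap formats of the components actually in use.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed asset inventory (hypothetical): the IP address each active network
# component is permitted to use. A report of any other address is treated as
# an impermissible IP address change.
INVENTORY: Dict[str, str] = {
    "sw-core-1": "10.0.0.1",
    "rtr-edge-1": "10.0.0.254",
    "nms-1": "10.0.0.10",
}

# Field names whose values must never reach a log file. They are redacted
# before classification, so neither correct nor mistyped passwords are stored.
SECRET_FIELDS = ("password", "passwd", "pwd", "secret")
SECRET_RE = re.compile(r"\b(" + "|".join(SECRET_FIELDS) + r")=(\S+)", re.IGNORECASE)

# Assumed line format: "<timestamp> <host> <free-text message>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")

CRITICAL = "critical"   # reported to the auditor immediately (online auditing)
ROUTINE = "routine"     # written to the audit file for offline analysis


@dataclass
class Event:
    ts: str
    host: str
    msg: str
    category: str
    reason: str


def redact_secrets(msg: str) -> str:
    """Replace the value of any password-like field with a fixed marker."""
    return SECRET_RE.sub(lambda m: f"{m.group(1)}=<redacted>", msg)


def classify(host: str, msg: str) -> Tuple[str, str]:
    """Map one (already redacted) message to (category, reason)."""
    low = msg.lower()
    if "login failed" in low or "auth failure" in low:
        return CRITICAL, "failed access to network component"
    if "config changed" in low or "write memory" in low:
        return CRITICAL, "configuration change"
    if any(w in low for w in ("fan failure", "power supply", "temperature alarm")):
        return CRITICAL, "hardware malfunction"
    m = re.search(r"\bip[-_ ]?address\b.*?(\d{1,3}(?:\.\d{1,3}){3})", low)
    if m:
        expected = INVENTORY.get(host)
        if expected is not None and m.group(1) != expected:
            return CRITICAL, f"impermissible IP address change (expected {expected})"
        return ROUTINE, "IP address report"
    if "login ok" in low or "logged in" in low:
        return ROUTINE, "successful login (who logged on when)"
    if "utilisation" in low or "utilization" in low:
        return ROUTINE, "network load sample"
    if any(w in low for w in ("system up", "system down", "boot", "shutdown")):
        return ROUTINE, "operating time"
    return ROUTINE, "uncategorised"


def process(lines: List[str]) -> Tuple[List[Event], List[Event]]:
    """Return (online_alerts, offline_records); secrets are redacted first."""
    online, offline = [], []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # malformed line: nothing to classify
        msg = redact_secrets(m.group("msg"))
        cat, reason = classify(m.group("host"), msg)
        ev = Event(m.group("ts"), m.group("host"), msg, cat, reason)
        (online if cat == CRITICAL else offline).append(ev)
    return online, offline


# Constructed sample lines for illustration only (not real device output).
SAMPLE_LOG = [
    "2024-05-06T08:00:01 sw-core-1 system up after reboot",
    "2024-05-06T08:05:12 sw-core-1 login ok user=netops src=10.0.5.7",
    "2024-05-06T08:05:40 rtr-edge-1 login failed user=admin password=Secr3t! src=203.0.113.9",
    "2024-05-06T08:06:00 rtr-edge-1 config changed by user=netops",
    "2024-05-06T08:10:00 sw-core-1 utilisation port=1/1 in=42% out=17%",
    "2024-05-06T08:15:00 nms-1 ip address now 10.0.0.99",
    "2024-05-06T08:20:00 sw-core-1 fan failure unit=2",
    "2024-05-06T08:25:00 nms-1 ip address now 10.0.0.10",
]

if __name__ == "__main__":
    alerts, records = process(SAMPLE_LOG)
    for ev in alerts:
        print(f"ALERT   {ev.ts} {ev.host}: {ev.reason} :: {ev.msg}")
    for ev in records:
        print(f"OFFLINE {ev.ts} {ev.host}: {ev.reason}")
```

Redaction runs before anything else touches the line, which is the point of the password rule: the mistyped password in the failed-login line is dropped before the event is categorised or written anywhere, while the user name, source address and the fact of the failure are kept for the auditor. The IP-address check is where the inventory table earns its place: the same message text is routine when it matches the inventory and critical when it does not.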
It must also be stipulated who will analyse the logs and audit data. There must be an appropriate separation between the person causing an event and the person auditing it (e.g. administrator and auditor). Regulations concerning data privacy must also be adhered to; in particular, the purpose limitation requirement (Zweckbindung) of § 14 BDSG must be observed for all data gathered.
Log files and audit files must be analysed at regular intervals, as such files can quickly grow very large. To keep the size of log files and audit files within a useful range, the evaluation intervals must be short enough for each evaluation to remain manageable, but not so short that carrying them out becomes impractical.
Review questions:
- Are there rules regulating the logging of activities in the network, e.g. of defined events and states within a network management system or on particular active network components?
- Are there rules regulating the auditing and evaluation of events in the network?
- Are suitable tools for evaluation of audit data available?
- Are regular audits carried out in the network in order to detect any irregularities during the operation of IT systems and networks?
- Are the logging and auditing functions offered by a network management system activated to a sensible extent?
- Is an immediate response to events critical to security guaranteed?
- Is the collection of user passwords as part of network auditing or logging prevented?
- Are the data protection regulations adhered to during logging and auditing in the network?