Firewall Logs 2153



  • I was just wondering what kind of firewall logging is considered ‘best practice’ when logging firewall activities for SAS 70 or SOX compliance. What kinds of things do you log? How long do you keep logs? How often do you review them? I know that essentially this has to be tailored to the individual business, but we’re a small business and just looking for a starting point. To give a lil background, this particular firewall is located at a datacenter that hosts a web application that we market and sell that deals with online sensitive document management. (Ironically, our application helps other companies manage documentation required to keep track of their own compliance).



  • something between 90 days to 120 days would be ideal. Depends on how frequently you review these. If it is quarterly, the review document would anyway summarize the findings of the review report and hence can be retained as a quarterly document, instead of retaining the logs of various days.
    given the practise of a quarterly/ monthly review, u can retain the log review reports and end up having 4 or 12 documents for the whole year, instead of retaining the firewall logs 🙂
    this is only a suggestion, as i have not come across any documents which spells out the industrial best practice.
    I guess this is a sufficient and effective practice( given that the log review is a properly conducted activity)
    cheers



  • I agree with NC … Some additional ideas:
    – Someone in IT security or on Network Admin team should proactively review logs as part of their responsibilities each day (e.g., auditors usually have that requirement on many IT audit checklists and it’s truly a best security practice verses checking after violations have occurred)
    – If there’s a way of imaging or storing this information electronically, it provides a good resource in case any security breaches were to occur later.
    – You might use the Search option above and enter the keyword ‘Firewall’ and you’ll find about 17 threads related to this
    – General Internet search below:
    Please paste link below to browser and add www
    google.com/search?hl=en-and-q=SOX firewall logs



  • The best practice is to review logs on daily basis. Identify abnormalities, open tickets for corrective actions wherever applicable and then document this in a report every day. Send the weekly report to the Management for review and approval.
    Retain the logs for a little more than 365 days if possible and delete them afterwards. However as NC say this may not be necessary and you can reduce the duration if you have followed the above practice well.


Log in to reply