HACKSTOMPER©

Monitoring

The firewall is up and running and you can forget about it! Right? Wrong!

Keeping the bad guys out of your network is what a firewall is all about. However, sometimes that's not enough. If someone were attempting to beat down your door, you wouldn't just stand there smug in the fact that the door is holding up, you would make an attempt to stop the person from beating on the door to begin with. Wouldn't you?

Keeping employees from leaking confidential information, either innocently or deliberately, is just as important. If an employee were discovered removing paper records from the business, wouldn't that be cause for suspicion? How often are workstations checked for the presence of unauthorized software whose primary purpose is to transmit files out of the building? Does your email system limit the size of attachments so that your customer database won't be sent to your competitor, your current employee's next employer?

Monitoring a firewall for suspicious traffic can alert a business to someone "casing the joint" for a potential break in - or break out. Suspicious traffic can originate from inside the business and can represent a virus (Trojan horse) at work or an employee attempting to circumvent the rules that have been put in place. Hackers need to find a weakness in the electronic perimeter of the business and then concentrate on that weakness. One shouldn't forget that a hacker and an employee could sometimes be one and the same individual.

Snooping for a weakness can leave evidence in the firewall's logs. Examining the logs then becomes an ongoing task that requires a trained eye and specialized tools to sift through a mountain of information looking for a pattern of behavior inconsistent with routine email flow, WEB browsing, etc. Every business can have a different definition of what constitutes suspicious activity. Attempting to download files from a software vendor's site would be expected. Attempting it against your site may raise a flag.

Software readily available on the Internet can be used to tunnel through a firewall, either from the outside in or from the inside out. These software tools come in the form of viruses that try to gain access surreptitiously, or can be actual hacking tools loaded on your internal network for the express purpose of trying to sneak around the firewall's rules.

Everyone knows what an "inside job" is. A hacker on the outside can trick an employee of a business into doing his bidding by planting a virus on their system via an email message, or various other means. The hacker then has a software accomplice on the inside that takes instructions from the outside to retrieve files from the private network and ship them to him using the login privileges of the employee's compromised machine.

Alternatively, an employee can bring a hacker's kit to the office and set up a purpose-built tunnel through the firewall to allow him to move whatever he wants through the tunnel to the outside. Admittedly, this takes some skill to set up, but if the prize is worth the effort, the tools are available. All that's needed is the skill to use those tools for the nefarious purpose.

If, for example, all employees are allowed to WEB browse anywhere they want, then to the firewall the rule is to allow port 80 traffic to any outside location. Port 80 is what is known as a "well known port". It is the port that WEB servers run on, so telling the firewall to allow outbound port 80 traffic makes sense. If an employee used hacker's tools to contact a waiting server that has been specially set up to have port 80 respond not to WEB requests, but instead to be ready to accept uploaded data, then from the firewall's perspective the request by the employee's hacking tools to open a bogus WEB session looks legitimate. Again, this type of activity is relatively difficult to set up, so it usually requires an expert's guidance to put the pieces together. The attempt to set up this elaborate scheme is what will potentially leave evidence behind in the firewall logs.
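As an added illustration (not part of the original page or of HACKSTOMPER's own tools), the script below runs two of the checks described above over a handful of constructed log lines: an outside address being denied on many different ports ("casing the joint"), and an inside host whose port 80 "browsing" pushes far more data out than it pulls in, the reverse of ordinary WEB traffic. The log format, field names and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample log (not from any real firewall). Fields:
# time action src_ip src_port dst_ip dst_port bytes_out bytes_in
SAMPLE_LOG = """\
09:00:01 ALLOW 10.0.0.12 51000 203.0.113.5 80 900 48000
09:00:03 ALLOW 10.0.0.12 51001 203.0.113.5 80 700 52000
09:00:05 DENY 198.51.100.7 40000 10.0.0.1 21 0 0
09:00:05 DENY 198.51.100.7 40001 10.0.0.1 22 0 0
09:00:05 DENY 198.51.100.7 40002 10.0.0.1 23 0 0
09:00:06 DENY 198.51.100.7 40003 10.0.0.1 25 0 0
09:00:06 DENY 198.51.100.7 40004 10.0.0.1 110 0 0
09:00:06 DENY 198.51.100.7 40005 10.0.0.1 143 0 0
09:01:10 ALLOW 10.0.0.44 52000 192.0.2.9 80 4000000 1200
09:01:40 ALLOW 10.0.0.44 52001 192.0.2.9 80 3800000 1100
09:02:00 ALLOW 10.0.0.44 52002 192.0.2.9 80 4100000 1300
"""

def parse(text):
    """Split each log line into a dict of the fields we need."""
    rows = []
    for line in text.splitlines():
        t, action, src, sport, dst, dport, out_b, in_b = line.split()
        rows.append({"time": t, "action": action, "src": src, "dst": dst,
                     "dport": int(dport), "out": int(out_b), "in": int(in_b)})
    return rows

def find_port_scans(rows, min_ports=5):
    """Sources denied on many distinct destination ports: someone probing."""
    ports = defaultdict(set)
    for r in rows:
        if r["action"] == "DENY":
            ports[r["src"]].add(r["dport"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)

def find_upload_heavy_web(rows, min_out=1_000_000, ratio=10):
    """Port 80 flows where bytes out dwarf bytes in; normal browsing
    is download-heavy, so this is what a bogus WEB session shipping
    files out would look like in the log."""
    totals = defaultdict(lambda: [0, 0])
    for r in rows:
        if r["action"] == "ALLOW" and r["dport"] == 80:
            totals[(r["src"], r["dst"])][0] += r["out"]
            totals[(r["src"], r["dst"])][1] += r["in"]
    return sorted(pair for pair, (o, i) in totals.items()
                  if o >= min_out and o > ratio * max(i, 1))

if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("possible scans from:", find_port_scans(rows))
    print("upload-heavy web flows:", find_upload_heavy_web(rows))
```

The thresholds are the part every business tunes differently; the scan check fires here because one source hit six distinct ports, and the upload check fires because one inside host sent roughly 12 MB out against a few KB in.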

Firewall log entries are created continuously. Logging levels can be adjusted to report as much or as little information as necessary. How much is enough is always the tough question. Although examining logs is not an absolute guarantee of finding attempted undesirable behavior, it is a prudent business practice to increase the odds that what's yours stays yours.

Firewall logs can be remotely monitored at some predetermined interval. As software developers, we've written our own tools to help analyze the logs of the firewalls we install and can make the raw output of that analysis available to our clients. However, without the training needed to understand the cryptic nature of the logged information, the analysis provides little added intelligence. If we knew how to write a piece of software that would pinpoint a hacker, we would write it and retire rich. At present, it takes a trained individual to look at a given scenario and make an educated determination of what's being observed. That takes time, and consequently is a service we provide.