For the past few days I've been trying to come up with ideas to enhance our firewall monitoring services but unfortunately nothing that interesting came out of it. I've been thinking about monitoring VPNs (traffic, connections, user activity and such) because that would make it look more interesting, maybe more complete, but I didn't get into much details about it (yet).
After reading about (and understanding) the difference between SIEM and SOAR, I decided to look for some tools that would assist us in monitoring our Firewall (currently we use SonicWall) by parsing our log files and separating what is deemed to be more imporant. Right now we can monitor many things at the hardware level (CPU, RAM, number of connections, bandwidth, etc) and recently we were able to use SNMP traps to track some security events such as port scan, Christmas Tree (which is quite relevant for this time of the year) and even use Graylog to parse some of our log files to inform of incidents that occured and couldn't be obtained by using, for example, SNMP but it still feels it is not good enough.
Aside from the VPN, which is still at the beginning, recently we've been working on trying to find a way to monitor the ACL of our Firewalls since our clients have access to their own Firewall (one in each company) and they can change the rules as they wish without informing us which is not good. Whenever a change occurs we are not notified of it so it require us to look at each rule (especially the ones about SSH, HTTPS and SNMP) to determine if everything is ok or not.
So aside from what I mentioned my question is: how could we enhance our Firewall monitoring services? Is there anything in specific that you monitor at your company that you deem to be important?
We haven't had any complaints about our services but I look at it and still have this feeling something is missing that would actually make our service much better.
No comments:
Post a Comment