Silently logging internet traffic

Started by Dieselboy, July 20, 2016, 08:49:29 PM


Dieselboy

I would like to at least audit web traffic. It's been on my list of things to do for quite some time and I can see a few ways of doing it, like a web proxy, but then this would mean (ideally) that users will not have web access directly, and this would impact us in other ways, which is not good.

One reason for doing this is that we had someone connect to a DB in our hosted area and accidentally drop the DB. It was not reported, and so when it was realised some time the next day, the devs went and restored the backup. But as I'm not logging anything, I cannot tell who it was.

I would like to ask the forum if they're doing this and roughly what tools you're using. I have access to RHEL, so I could install some kind of proxy, but it would need to be silent so that I do not have to make changes to all of our users' machines.

My firewalls are an ASA-X at one site and an IOS ZBFW at another site. All connections should be logged, not just :80 and :443.

Any pointers very welcome.

deanwebb

Syslog generation for every action taken vs. the database?
Putting a password on the database access?
DB access via an IAM or PAM system that not only logs each command, but also does a video recording of each session? (CyberArk-type product)
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Dieselboy

The DB was an example. Ideally I need to log internet requests to monitor internet activity as a whole.

icecream-guy

Proxy. More ideally, you don't want users to touch the internet directly. The proxy and other "tools" would block any malware downloads, for example.
If you don't want to add a proxy to everyone's browser, then a transparent proxy may do.

My Moral Fibers have been cut.

wintermute000

Put a Palo or Sourcefire inline in L2 mode. Better still, replace that ASA. Both those NGFWs will look inside the HTTP and crack SSL if configured to do so. If you want DB logging you probably need to investigate specific IPS features.
You could also try a transparent proxy with Squid passthrough.

Dieselboy

Replace the ASA? Are you sure? I have Sourcefire on the ASAs, so I might be able to do some kind of transparent proxy, but ideally I don't want to disconnect the network from accessing the internet. Silently logging would be best for the environment (I don't want to inhibit people's ability to work; we do a lot of research for various things as well, to give some idea).

At the remote site we only have the Riverbed, a switch and the IOS ZBFW, so this might be a bit more difficult to track.

With a proxy I think it would cause problems which I obviously don't want.

wintermute000

Surely you can pass HTTP through the Sourcefire, voilà logs.

Otanx

If all you want is connection logging, then the ASA will do that if you just send it to syslog. You get source/dest IP and port, and even bytes transferred. However, that is very noisy. You never realize how much junk is going on in the background till you start logging on a firewall.

If you want more detail on some traffic then, as Wintermute said, you can pass HTTP through the Sourcefire and get some level of logging/monitoring. However, I know there are limits to the Sourcefire on ASA in regards to SSL decrypt/intercept, so you will probably be blind to most of the traffic anyway. I don't know if Sourcefire will do any kind of reporting on SNI or certificate name information, but maybe you can get some basic info there. In your example of a user dropping a database table, that isn't something that network logging is going to help with. At that point the database server needs to be logging sessions, etc. Even if you just want to know who was connected when it happened, that is more authentication logs from the server than network logs.

-Otanx
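Otanx's point that plain ASA syslog gives you source/destination IP, port and bytes, but is very noisy, is exactly where a small script earns its keep: the raw firehose is useless to read, but paired build/teardown records can answer the original question ("who had a connection open to the DB host at the time it was dropped?"). The following is an added example written for this thread, not code posted by anyone in it. The Cisco ASA message IDs and their layout (302013/302015 "Built" and 302014/302016 "Teardown" for TCP/UDP) are real; the log lines, hostnames, addresses, times, the client interface name `inside` and the DB port 3306 are constructed assumptions for the example.

```python
"""Pair Cisco ASA connection build/teardown syslog lines into flow records and
ask: which inside host was talking to <server>:<port> during <window>?

Added example for the thread above, not the original poster's code. Message
formats for %ASA-6-302013..302016 are real; everything else below is made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

INSIDE_IF = "inside"  # assumption: ASA interface name on which your clients live

# Constructed sample log (RFC 5737 test addresses); a real syslog relay would
# add its own prefix, so adjust the timestamp/hostname part of the regexes.
SAMPLE_LOG = """\
Jul 20 2016 14:02:10 fw1 %ASA-6-302015: Built outbound UDP connection 481200 for outside:198.51.100.53/53 (198.51.100.53/53) to inside:10.10.1.23/40001 (198.51.100.7/40001)
Jul 20 2016 14:02:10 fw1 %ASA-6-302016: Teardown UDP connection 481200 for outside:198.51.100.53/53 to inside:10.10.1.23/40001 duration 0:00:00 bytes 142
Jul 20 2016 14:02:11 fw1 %ASA-6-302013: Built outbound TCP connection 481201 for outside:203.0.113.20/3306 (203.0.113.20/3306) to inside:10.10.1.55/52114 (198.51.100.7/52114)
Jul 20 2016 14:02:12 fw1 %ASA-6-302013: Built outbound TCP connection 481202 for outside:93.184.216.34/443 (93.184.216.34/443) to inside:10.10.1.23/49877 (198.51.100.7/49877)
Jul 20 2016 14:02:13 fw1 %ASA-6-302014: Teardown TCP connection 481202 for outside:93.184.216.34/443 to inside:10.10.1.23/49877 duration 0:00:01 bytes 5120 TCP FINs
Jul 20 2016 14:03:40 fw1 %ASA-6-302013: Built outbound TCP connection 481203 for outside:203.0.113.20/3306 (203.0.113.20/3306) to inside:10.10.1.23/49901 (198.51.100.7/49901)
Jul 20 2016 14:05:02 fw1 %ASA-6-302014: Teardown TCP connection 481201 for outside:203.0.113.20/3306 to inside:10.10.1.55/52114 duration 0:02:51 bytes 88340 TCP FINs
Jul 20 2016 14:06:30 fw1 %ASA-6-302014: Teardown TCP connection 481203 for outside:203.0.113.20/3306 to inside:10.10.1.23/49901 duration 0:02:50 bytes 1240 TCP Reset-O
"""

_TS = r"^(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d) \S+ "          # "Jul 20 2016 14:02:11 fw1 "
_ADDR = r"(?P<{t}if>\w+):(?P<{t}ip>[\d.]+)/(?P<{t}port>\d+)"   # "outside:203.0.113.20/3306"
BUILT_RE = re.compile(
    _TS + r"%ASA-\d-30201[35]: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) "
    r"connection (?P<id>\d+) for " + _ADDR.format(t="a") + r" \([\d.]+/\d+\) to "
    + _ADDR.format(t="b") + r" \([\d.]+/\d+\)")
TEARDOWN_RE = re.compile(
    _TS + r"%ASA-\d-30201[46]: Teardown (?P<proto>TCP|UDP) connection (?P<id>\d+) for "
    + _ADDR.format(t="a") + r" to " + _ADDR.format(t="b")
    + r" duration (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) bytes (?P<bytes>\d+)")


def parse_ts(s):
    return datetime.strptime(s, "%b %d %Y %H:%M:%S")


def _client_server(m):
    """The endpoint on INSIDE_IF is the client; the other is the server."""
    a = (m["aif"], m["aip"], int(m["aport"]))
    b = (m["bif"], m["bip"], int(m["bport"]))
    client, server = (a, b) if a[0] == INSIDE_IF else (b, a)
    return client[1], server[1], server[2]


def parse_asa_connections(text):
    """One record per flow, keyed on the ASA connection id.

    Caveat: the ASA reuses connection ids over time, so pair lines only within
    a bounded log window (a day's file, not a year of archives)."""
    conns = {}
    for line in text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            client, server, port = _client_server(m)
            conns[m["id"]] = {"id": m["id"], "proto": m["proto"], "client": client,
                              "server": server, "port": port,
                              "start": parse_ts(m["ts"]), "end": None, "bytes": 0}
            continue
        m = TEARDOWN_RE.search(line)
        if not m:
            continue  # anything that is not a build/teardown line is skipped
        rec = conns.get(m["id"])
        if rec is None:  # Built line lost (rotation, rate limiting): still record it
            client, server, port = _client_server(m)
            rec = conns[m["id"]] = {"id": m["id"], "proto": m["proto"], "client": client,
                                    "server": server, "port": port,
                                    "start": None, "end": None, "bytes": 0}
        rec["end"] = parse_ts(m["ts"])
        rec["bytes"] = int(m["bytes"])
        if rec["start"] is None:  # reconstruct start from the duration field
            rec["start"] = rec["end"] - timedelta(hours=int(m["h"]), minutes=int(m["m"]),
                                                  seconds=int(m["s"]))
    return list(conns.values())


def who_talked_to(conns, server_ip, port, window_start, window_end):
    """Inside hosts with a flow to server_ip:port open at any point in the window."""
    hits = set()
    for c in conns:
        if c["server"] != server_ip or c["port"] != port:
            continue
        end = c["end"] or window_end  # no teardown yet: treat as still open
        if c["start"] <= window_end and end >= window_start:
            hits.add(c["client"])
    return hits


def bytes_per_client(conns):
    """Total bytes per inside host, the quickest way to find the noisy ones."""
    totals = defaultdict(int)
    for c in conns:
        totals[c["client"]] += c["bytes"]
    return dict(totals)


if __name__ == "__main__":
    flows = parse_asa_connections(SAMPLE_LOG)
    t0, t1 = parse_ts("Jul 20 2016 14:04:00"), parse_ts("Jul 20 2016 14:05:00")
    print("hosts connected to DB in window:", sorted(who_talked_to(flows, "203.0.113.20", 3306, t0, t1)))
    for ip, n in sorted(bytes_per_client(flows).items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} {n:>8} bytes")
```

Point the ASA at a syslog host (`logging host inside <ip>` plus `logging trap informational`, since 302013/302014 are level 6) and run this over the resulting file with the DB server's address and port; the teardown line's byte count is also what flags a full dump versus a quick `DROP`. As Otanx says, this only gets you to a host; tying it to a person still needs the database's own session and authentication logs.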

Dieselboy

Cheers all! Good points here. I'll go and do some digging :)

wintermute000

Why buy Sourcefire if you're not going to L7 inspect THE most common protocol out there? :)

You're also going to want SSL decryption for your internal users, but that introduces an additional level of complexity (lovely certs) unless you want your users to get the 'invalid cert' warning every single time they hit HTTPS, and if you do this to non-domain / non-SOE machines (without some kind of guest on-boarding that can push certs) then they WILL get the invalid cert warning. Also, privacy headaches (i.e. do not MITM online banking etc.).


SSL decryption inbound for your servers, OTOH, is much easier, as you're only dealing with one server you control.

deanwebb

Install them certs and do that SSL decryption in both directions!

Get ready to say "It's not the firewall!" with greater frequency!

Show those users the awesome power of a fully-operational battle station layer 7 firewall!


Dieselboy

I haven't set up SSL inspection; I got the basic system up and will go back to it very soon. ;D

I did have a concern about system resource use with SSL decryption. But if I can proxy the SSL from the Sourcefire, I could also use that for the remote office internet traffic and optimise it through the Steelhead so it wasn't slow. Would need a trial run though.