IT Baseline Protection Manual S 4.47 Logging of firewall activities

S 4.47 Logging of firewall activities

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

It must be specified which events are to be logged and who will evaluate the logs. Logging must comply with the data privacy regulations; in particular, the purpose limitation for log data required by § 14 of the BDSG must be observed.

The packet filters used must be able to log the IP address, service, time and date of every incoming or outgoing packet. Logging can also be restricted to specific packets (e.g. only packets from a particular source address).

The application gateway must log the user identification, IP address, service, time and date for every connection established or aborted. Logging can also be restricted to specific connections (e.g. those of a particular user).

It must be possible to exclude certain users from logging, so that essential information is not overlooked because of an excessive number of log entries. This selection may be based, for example, on the rights profile of individual users.

The log information of all components should be sent to a central point via a trustworthy route so that the log information cannot be altered prior to final storage.

It must be possible to configure special events, such as repeated incorrect password entries for a user ID or unauthorised connection attempts. Such events must be highlighted in the log and should lead to the immediate alerting of the firewall administrator.

If proper logging is no longer possible (e.g. because the storage medium is full), the firewall must block all traffic and send an appropriate message to the administrator.
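The two requirements above (highlighting and alerting on configurable special events, and failing closed when logging is impossible) can be illustrated with a small log monitor. This is an added example, not code from the BSI manual; the log record format, the field names, the threshold of three failed password entries and the free-space limit are all assumptions chosen for the illustration, and the log lines are constructed.

```python
"""Added example (not BSI code): monitor application-gateway log records for the
special events named in S 4.47 and model the fail-closed rule for full log storage."""
from collections import Counter

# Assumption: three wrong passwords for one user ID count as "repeated".
FAILED_PASSWORD_THRESHOLD = 3

# Constructed sample records (hypothetical format): date time user src_ip service event
SAMPLE_LOG = """\
1999-07-01 08:00:01 alice 192.0.2.10 http connect
1999-07-01 08:00:05 bob 192.0.2.11 ftp auth_failed
1999-07-01 08:00:09 bob 192.0.2.11 ftp auth_failed
1999-07-01 08:00:14 bob 192.0.2.11 ftp auth_failed
1999-07-01 08:01:00 carol 198.51.100.7 telnet denied
1999-07-01 08:01:30 alice 192.0.2.10 http disconnect
"""

def parse_log(text):
    """Split each record into the fields the safeguard requires to be logged."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, src_ip, service, event = line.split()
        records.append({"date": date, "time": time, "user": user,
                        "src_ip": src_ip, "service": service, "event": event})
    return records

def find_special_events(records, threshold=FAILED_PASSWORD_THRESHOLD):
    """Return the alert lines that must be highlighted and sent to the administrator."""
    alerts = []
    failures = Counter(r["user"] for r in records if r["event"] == "auth_failed")
    for user, count in failures.items():
        if count >= threshold:
            alerts.append(f"ALERT repeated wrong password: user={user} count={count}")
    for r in records:
        if r["event"] == "denied":
            alerts.append(f"ALERT unauthorised connection attempt: user={r['user']} "
                          f"src={r['src_ip']} service={r['service']} at {r['date']} {r['time']}")
    return alerts

def traffic_decision(log_store_free_bytes, min_free_bytes=1_000_000):
    """Fail closed: if proper logging is impossible, block all traffic and notify the admin."""
    if log_store_free_bytes < min_free_bytes:
        return "BLOCK_ALL", "ALERT logging impossible: log storage full, all traffic blocked"
    return "PASS", None

if __name__ == "__main__":
    for alert in find_special_events(parse_log(SAMPLE_LOG)):
        print(alert)
    print(traffic_decision(log_store_free_bytes=0))
```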


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999