IT Baseline Protection Manual S 4.81 Auditing and logging of activities in a network

S 4.81 Auditing and logging of activities in a network

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator, auditor

Appropriate logging, auditing and review constitute essential factors related to network security.

Logging in a network management system or on certain active network components allows the storage of particular states (generally requiring definition) for the purpose of subsequent evaluation. Typical items which can be logged include faulty packets which have been transmitted to a network component, unauthorised access to a network component, or the performance of the network at certain points in time. An evaluation of such logs with suitable tools makes it possible, for example, to determine whether the bandwidth of the network fulfils present requirements, or to identify systematic intrusions into the network.

Auditing implies the use of a service which deals, in particular, with events critical to security. This can take place online or offline. During online auditing, events are scrutinised and evaluated in real time with the help of a tool (e.g. a network management system). During offline auditing, the data are logged or extracted from an existing log file. Items monitored via offline auditing frequently include data on utilisation times and incurred costs.

During review, data gathered as part of offline auditing are examined by one or more independent employees (two-person rule) in order to detect any irregularities during the operation of IT systems and to monitor the administrators' activities.

The logging and auditing functions offered by a network management system should be activated to a sensible extent. In addition to performance measurements for monitoring the network load, it is particularly advisable to evaluate the events generated by the network management system, and use specific data collectors (e.g. RMON probes) which allow the monitoring and evaluation of events critical to security.

A large number of entries are usually generated during logging, so that a tool is required to analyse them efficiently. Auditing focuses on the monitoring of events critical to security. Auditing often also involves the collection of data on utilisation periods and incurred costs.

The following events are of particular interest during auditing:

The following events should also be logged:

Auditing can be performed online or offline. During online auditing, categorised events are reported directly to the auditor, who can initiate measures immediately, if required. These events must be assigned to suitable categories, so that the responsible administrator or auditor can retain a clear perspective and respond to important events immediately without being overwhelmed by a flood of information. During offline auditing, data from log files or special auditing files are prepared with the help of a tool and then examined by the auditor. In this case, measures for maintaining or restoring security can only be initiated after a time delay. Generally it is advisable to employ a mixture of online and offline auditing. During online auditing, security-critical events are filtered and reported to the auditor immediately. Events of a less critical nature are analysed offline.

Standard management protocols such as SNMP and RMON (which is based on SNMP) as well as specific protocols of the employed network management product can be used for logging and auditing.

On no account should user passwords be collected as part of auditing or logging! A high security risk would arise if unauthorised access were gained to this data. Incorrect password entries should not be logged either, as they usually differ from the corresponding, correct passwords only by one character or two interchanged characters.
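As an added example (not part of the manual), the categorisation described above run over a few constructed log lines in Python: security-critical events and repeated login failures are routed for immediate online reporting, the remaining events are filed by type for offline review, and any password field is blanked before a line is stored or forwarded. The event names, field names and escalation threshold are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample export from a network management system (not from the manual):
# "<timestamp> <source> <event> <key=value ...>".
SAMPLE_LOG = """\
1999-07-01T08:00:01 switch01 LOGIN_FAIL user=admin
1999-07-01T08:00:02 switch01 LOGIN_FAIL user=admin pw=hunter1
1999-07-01T08:00:05 switch01 LOGIN_FAIL user=admin
1999-07-01T08:01:10 router02 CONFIG_CHANGE user=netops object=acl
1999-07-01T08:05:00 probe01 UTIL_PCT value=63
1999-07-01T08:05:30 switch01 UNAUTH_ACCESS port=23 src=192.0.2.7
1999-07-01T08:06:00 probe01 BAD_PACKETS count=12
"""

# Categories are assumptions for this example: security-critical events go to
# the auditor online (at once); performance and lesser events wait for offline review.
ONLINE_EVENTS = {"UNAUTH_ACCESS", "CONFIG_CHANGE"}
LOGIN_FAIL_THRESHOLD = 3  # repeated failures for one source/user are escalated

# Passwords, including mistyped ones, must never be stored (see the paragraph above).
SECRET_FIELD = re.compile(r"\b(password|passwd|pw)=\S+", re.IGNORECASE)


def sanitize(line):
    """Blank any password-like key=value field before the line is stored or forwarded."""
    return SECRET_FIELD.sub(r"\1=<not logged>", line)


def categorise(log_text):
    """Return (online_events, offline_events_by_type) from raw log text."""
    online, offline = [], defaultdict(list)
    fail_counts = Counter()
    for raw in log_text.splitlines():
        line = sanitize(raw.strip())
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue  # malformed line: skip rather than misfile it
        _ts, source, event = parts[:3]
        detail = parts[3] if len(parts) == 4 else ""
        if event in ONLINE_EVENTS:
            online.append(line)
        elif event == "LOGIN_FAIL":
            key = (source, detail.split(maxsplit=1)[0] if detail else "")
            fail_counts[key] += 1
            if fail_counts[key] >= LOGIN_FAIL_THRESHOLD:
                online.append(line)  # escalate: looks like a systematic attempt
            else:
                offline[event].append(line)
        else:
            offline[event].append(line)
    return online, dict(offline)
```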

A stipulation is also required as to who will analyse the logs and audit data. A suitable distinction must be made here between the originator of events and the evaluator of events (e.g. administrator and auditor). Regulations concerning data privacy must also be adhered to. In particular, the purpose limitation (Zweckbindung) required by § 14 of the BDSG must be observed for all gathered data.

Log files and audit files must be analysed at regular intervals. Such files can quickly grow to large proportions. To keep the size of log files and audit files within a useful range, the evaluation intervals should not be so short that analysis becomes impractical, but short enough that the volume accumulated in each interval can still be examined clearly.

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999