Event Logging on Perimeter Routers

Perimeter router logs can be invaluable in troubleshooting, capacity planning, and dealing with security incidents. For security purposes, the events to log are interface status changes, changes to the system configuration, access list matches, events detected by the firewall, and intrusion detection features. System logging events might be reported to a variety of destinations, including the following:

  • The system console port (logging console command). Because many console ports are unattended or are connected to terminals with no historical storage, this information might be unavailable to reconstruct a major event.

  • Servers running the syslog daemon. Send logging information to a syslog server with the logging server-ip-address command, and control the urgency threshold for messages sent to the server with the logging trap urgency command. Even if you have a syslog server, you should probably still enable local logging. If you don’t have access to a syslog server, go to Kiwi Enterprises at http://www.kiwisyslog.com/index.htm and download its free Kiwi Syslog Daemon.

  • Remote sessions on VTYs and local sessions on TTYs (logging monitor and terminal monitor commands).

  • Most routers can save system logging information to a local RAM buffer. This buffer is a fixed size and retains only the most recent information, and the contents are lost whenever the router is reloaded. Use the show memory command to make sure your router has enough free memory to support a logging buffer. Create the buffer using the logging buffered buffer-size configuration command.

If the router has a real-time clock or is running NTP, time-stamp log entries by adding the service timestamps log datetime msec command to the configuration.

Access List Violation Logs

With traffic-filtering and access-control ACLs, you should consider logging packets that violate the filtering criteria. Older Cisco IOS software versions use the log keyword, which captures the IP addresses and port numbers of packets matching an access list entry. Newer IOS versions add the log-input keyword, which also records the receiving interface and the MAC address of the host that sent the packet.

To manage log size and minimize performance impact, configure logging only for critical access list entries. Don’t log entries that match a large number of packets and yield little useful information, such as a permit any statement.
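Once the log and log-input entries above are in place, the syslog server receives %SEC-6-IPACCESSLOG* messages that can be aggregated per source. The following parser is an added example, not part of the book; it assumes the IOS message layout as I know it (with log-input, an "(interface mac)" group follows the source address), and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Layout of the IOS IPACCESSLOG* message family as assumed for this example
# (not taken from the book). With "log-input" a "(interface mac)" group follows
# the source address; with plain "log" that group is absent.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\))?"
    r" -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)

# Constructed sample lines as they might arrive at the syslog server.
SAMPLE_LINES = [
    "*Mar  1 00:12:34.567: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.77(4444) (Serial0/0 00a0.c9ab.1234) -> 10.1.1.5(23), 1 packet",
    "*Mar  1 00:17:40.010: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.77(4445) (Serial0/0 00a0.c9ab.1234) -> 10.1.1.5(22), 12 packets",
    "*Mar  1 00:18:02.221: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 198.51.100.9 -> 10.1.1.5 (8/0), 3 packets",
    "*Mar  1 00:19:00.000: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.4(51000) -> 10.1.1.5(80), 1 packet",
    "*Mar  1 00:20:00.000: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.9)",
]


def parse_acl_log(line):
    """Return a dict for an access-list log message, or None for any other syslog line."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    # Only entries configured with log-input carry the interface and MAC fields.
    rec["log_input"] = rec["iface"] is not None
    return rec


def summarize_denies(lines):
    """Aggregate denied packet counts, keyed by (access list, source address)."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["action"] == "denied":
            totals[(rec["acl"], rec["src"])] += rec["count"]
    return dict(totals)


if __name__ == "__main__":
    for (acl, src), packets in summarize_denies(SAMPLE_LINES).items():
        print(f"list {acl}: {src} denied {packets} packet(s)")
```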

Part III: Virtual Private Networks (VPNs)