July 9, 2008

NIST 800-41 Draft – Logging is a Step Child

Category: Compliance,Log Analysis — Raffael Marty @ 2:56 pm

I just finished reading the NIST 800-41 draft about “Guidelines on Firewalls and Firewall Policy“. The guideline does a great job of outlining the different types of firewalls that exist and how to correctly setup a firewall architecture.

The topic that falls fairly short is logging:

  • Section 5.2.3 (Configuring Logging and Alerts) mentions logging very briefly.
  • I am positively surprised that it mentions the logging of rule changes on the firewall, which is inherently hard in, for example, IPTables.
  • NIST asks for storing the logs locally on the firewall. I don’t agree with that at all. I don’t care whether the logs are kept locally. What I really care about is that the logs are centrally collected. Or in a very small environment, that there are logs at all.
  • I was really hoping that this was finally the document which would outline what to log exactly. What traffic should I be logging on the firewall? All the traffic? Just denied packets? Do you log on the incoming interface? And so on. None of these questions is addressed. Not even whether passed traffic should be logged at all. There should at least be some discussion around that.
  • Log analysis is not mentioned either. I was hoping that aside from just logging recommendations, the guideline would quickly mention what to do with the log files. How do you use them? Are they meant mainly for forensic purposes or are they used for proactive analysis? This would help justify the storage cost of the logs and push some implementations to actually implement logging.

I sent this blog post to the authors of the guidelines. Hopefully they are going to address some of this. And again, the general structure and contents of NIST 800-41 are great!


  1. That should be “Ugly” step-child.

    Comment by esteban — July 9, 2008 @ 3:08 pm

  2. I can’t speak to 800-41 but NIST may not address logging overmuch as another NIST document details it in great detail, Special Publication 800-92 Guide to Computer Security Log Management. For example, 800-53 contains the family of security controls ‘Audit and Accountability’ one of which explicitly calls for centralized log storage for high baseline systems (AU2(1)). However the implementation details of centralized logging are then referenced as being contained in 800-92.

    And thank you for providing feedback to the NIST authors. Every time a subject expert contributes reviews back to them the better the documents get for the rest of us.

    Comment by Dan Philpott — July 10, 2008 @ 4:43 am

RSS feed for comments on this post. | TrackBack URI

Leave a comment

XHTML ( You can use these tags): <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> .