Chapter 4. Daily Operation and Maintenance

This chapter provides additional information about the Gauntlet software to help you maintain it. The chapter contains the following sections:

Daily Operation

This section discusses additional aspects of Gauntlet firewall automated reports, system logs, alarms, and user authentication.

Automated Reports

The Gauntlet system includes reporting tools that summarize usage, security-related activity, and types and quantity of traffic. These reports are accessible through the management interface or at the command line. You can request daily reports and weekly reports. The daily report provides traffic and usage statistics from the previous day's logs. The weekly report provides a summary of traffic during the week that ended on the previous day (see Appendix C). Thus, if the administrator runs it on Sunday, the report will summarize traffic from the previous Sunday through the Saturday that just ended.

To configure the Gauntlet firewall to automatically generate these reports and mail them to you, refer to “Logfiles and Reports Configuration Form”.

To run the reports at the command line, invoke the report generators as either /usr/gauntlet/bin/weekly-report or /usr/gauntlet/bin/daily-report. Running reports at the command line is not destructive; run them as often as you want. Running the reports does, however, require considerable processing resources and you may prefer to run them during off hours. The report processing scripts are actually a series of shell programs, each of which is responsible for summarizing the behavior of one component of the system. All reporting is implemented using common IRIX tools so that you may modify the reporting in any way you feel necessary.

System Logs

The Gauntlet firewall uses syslogd to maintain its logs. The system is preconfigured to maintain its logs automatically in the system area /var/adm, where one week's worth of active logs is retained. A second set of logs is retained in compressed format (using gzip(1)), in files named after the date on which the log was generated. By default, system logs are retained for 14 days, after which they are automatically removed. Since logs are serviced using the standard logging daemon, administrators have the option of configuring the system to also transmit copies of logging records to other computers over the network. Shadowing the log files on a separate system reduces the chance of logging information being lost, and provides an alternate platform for processing audit records, if desired. If you choose to exclusively shadow the system logs, you must run the report generator on the host that is storing the log information, and set up cron(1M) to rotate the reports on that host as well.
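The retention scheme just described, written out as an added illustration rather than the rotation job Gauntlet itself installs: the active log is set aside, compressed under a dated name, and archives older than the retention period are pruned. The directory, log name and retention count are the caller's choices.

```shell
#!/bin/sh
# rotate_log DIR NAME KEEP [STAMP]
# Added example, not the rotation job Gauntlet installs: the active log
# DIR/NAME is set aside, an empty one is started in its place, the old copy
# is compressed with gzip(1) under a name carrying the date it covers, and
# archives older than KEEP days are pruned. DIR, NAME and KEEP are the
# caller's choices (the text uses /var/adm, SYSLOG and 14); STAMP defaults
# to today's date and exists so the routine can be driven with test data.
rotate_log() {
    dir=$1; name=$2; keep=$3; stamp=${4:-$(date +%Y%m%d)}
    [ -s "$dir/$name" ] || return 0        # nothing written: nothing to rotate
    mv "$dir/$name" "$dir/$name.$stamp"
    : > "$dir/$name"                        # fresh, empty active log
    # On a live system syslogd still holds the moved file open; send it a
    # HUP at this point (its pid file location varies by system) so that new
    # records go to the fresh file before the old one is compressed.
    gzip -f "$dir/$name.$stamp"
    # Prune archives whose last modification is more than KEEP days old.
    find "$dir" -name "$name.*.gz" -mtime +"$keep" -exec rm -f {} \;
}
```

Shadowing is independent of this: the @host destination form in syslog.conf sends a copy of each record to a second machine, and that machine then needs its own rotation and retention.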

The Gauntlet firewall software uses the system logs as its primary mechanism for alerting you of configuration problems, system errors, or dangerous conditions. When a problem is encountered with the firewall, the first place to check for diagnostic output is the current active system log /var/adm/SYSLOG.

Alarms

Gauntlet systems incorporate an automated notification system designed to alert administrators of potential problems with the system or attacks against the system's security. Periodically, the system performs a scan of information that has been added to the system log since the last time it checked for noteworthy occurrences. Unlike many systems, which attempt to define a list of noteworthy occurrences to be on the alert for, the Gauntlet system defines a list of occurrences that are not noteworthy. Events that are not noteworthy are ignored; all others are brought to the systems administrator's attention. Thus, anything new and unforeseen is more likely to be brought to the attention of the system administrator.

System alerts are checked periodically,[3] and any output generated by the alert check is electronically mailed to the firewall administrator immediately (see Appendix C). Sites desiring pager or FAX notification of events can easily take advantage of electronic mail to pager or FAX gateway services, or they may opt to modify the alert processing system. Alerts are processed by a script /usr/gauntlet/bin/frequentcheck, which relies upon a file listing strings that indicate an unimportant event. If you wish to disable notification of a particular event, add a matching pattern to the file /usr/gauntlet/config/frequentcheck.ignore.
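An added example, not the frequentcheck script itself, showing the ignore-list approach with standard tools: log lines appended since the last check are compared against a pattern file, and only the lines that match nothing on the list are reported. The log, pattern-file and state-file paths are assumptions passed by the caller, and the sample log lines at the bottom are constructed, not real Gauntlet output.

```shell
#!/bin/sh
# check_alerts LOG IGNORE STATE
# Added example (not Gauntlet's frequentcheck): only lines appended to LOG
# since the last run are examined; a line matching any pattern in IGNORE
# (the role frequentcheck.ignore plays) is dropped, everything else is
# printed as noteworthy, and STATE records how many lines have now been
# examined. All three paths are assumptions chosen by the caller.
check_alerts() {
    log=$1; ignore=$2; state=$3
    last=0
    [ -f "$state" ] && read -r last < "$state"
    total=$(wc -l < "$log" | tr -d ' ')
    if [ "$total" -gt "$last" ]; then
        tail -n +"$((last + 1))" "$log" |
        awk -v ignore="$ignore" '
            BEGIN {
                # Load the ignore patterns, skipping comments and blank
                # lines: an empty pattern would match, and so silence,
                # every log line.
                while ((getline pat < ignore) > 0)
                    if (pat !~ /^#/ && pat !~ /^[ \t]*$/) pats[++n] = pat
            }
            {
                for (i = 1; i <= n; i++) if ($0 ~ pats[i]) next
                print    # matched nothing on the ignore list: report it
            }'
    fi
    echo "$total" > "$state"
}

# Constructed sample run (made-up log lines, not real Gauntlet output):
# two ignorable events and two that should reach the administrator.
d=$(mktemp -d)
printf '%s\n' \
    'Mar  3 02:15:01 fw syslogd: restart' \
    'Mar  3 02:15:09 fw gateway[401]: permit host=10.1.2.3 use of gateway' \
    'Mar  3 02:16:44 fw gateway[417]: deny host=192.0.2.9 use of gateway' \
    'Mar  3 02:17:02 fw authsrv[420]: BADAUTH user=root' > "$d/SYSLOG"
printf '%s\n' '# uninteresting events' 'syslogd: restart' ': permit ' > "$d/ignore"
check_alerts "$d/SYSLOG" "$d/ignore" "$d/state"
rm -rf "$d"
```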

User Authentication Management

The user authentication database is stored as a set of files in a DBM (hash table) format for quick access. All access to the authentication database is serialized to ensure consistency of the entries in the database; more than one authentication server (authsrv) process may access it at a time. The authentication database itself resides in /usr/etc/fw-authdb. A backup ASCII copy of the database is preserved nightly via cron. You can manage the database from the Authorization form. Alternatively, you may prefer to use authsrv in command-line mode or the screen-oriented authentication database browser authedit. Additional tools for loading and dumping authentication database records are authload and authdump, which can be used for bulk loading or exporting records. For more information on the operation of authsrv, consult the online reference manual.

Firewall Backups

Firewall systems require periodic backups to archival media to minimize downtime in the event of operational error or hardware failure. The Gauntlet system supports all the standard IRIX tape formats and backup tools such as tar, dump/restore, cpio, and bru. You may prefer not to attach a tape drive to the Gauntlet system and instead perform periodic backups over a network.

System backups may be automated if desired, using conventional UNIX tools for automatic backups. You are cautioned against installing network backup software that runs on the firewall itself if such software permits remote access and command invocation upon the firewall. Many automated network backup programs have been known to contain security flaws. As long as the automated backup technique chosen is entirely invoked with the firewall initiating the connections, the security of the firewall should not be at risk. Generally, once the firewall has been configured, the only parts of the system that will change and require backup are the system logs in /var/adm and the electronic mail queuing directories in /var/mail and /var/spool/mqueue. You may wish to perform a set of archival complete system backups and subsequently resort to incremental backups of the files in /var.

Once you set up system backups, you may wish to investigate automated checking to see what files have changed on the firewall. This affords additional assurance that your firewall has not been broken into and tampered with.
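One way to do that checking with standard tools, as an added example rather than a Gauntlet utility: record a manifest of checksums once the firewall is configured, then compare later snapshots against it. Directory and manifest paths are the caller's; cksum(1) is used because it exists on every POSIX system, with the caveat noted in the comments.

```shell
#!/bin/sh
# Added example (not a Gauntlet tool): a baseline-and-compare check for the
# "what files have changed" question above, built only on POSIX cksum(1),
# find(1), sort(1) and awk(1) so it runs on an old IRIX host as well as on a
# modern system.
#
# snapshot DIR             -> prints "cksum size path" for every regular file
# compare BASELINE CURRENT -> prints added:/removed:/changed: lines
snapshot() {
    find "$1" -type f -exec cksum {} + | sort -k3
}
compare() {
    awk '
        # The path is everything after the checksum and size fields, so
        # names containing spaces survive intact.
        function path(line) { sub(/^[^ ]+ [^ ]+ /, "", line); return line }
        cur != 1 { base[path($0)] = $1 " " $2; next }    # baseline manifest
        {
            p = path($0)
            if (!(p in base))               print "added: " p
            else if (base[p] != $1 " " $2)  print "changed: " p
            seen[p] = 1
        }
        END { for (p in base) if (!(p in seen)) print "removed: " p }
    ' "$1" cur=1 "$2" | sort
}
# Typical use (paths assumed): snapshot /usr/gauntlet > baseline.txt once
# the firewall is configured, then later
#   snapshot /usr/gauntlet > now.txt; compare baseline.txt now.txt
# Keep the baseline off the firewall or on read-only media: an intruder who
# can rewrite the manifest can hide the change. cksum's CRC catches
# accidental and casual modification but is not collision-resistant, so
# prefer a cryptographic digest where one is available.
```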



[3] Alerts are checked using the system cron(1M) daemon. See also the manual page for crontab(1).