Outside and Inside Hacker Deterrents – Part Two

By Joe Loucks, January 9th, in IP Solutions, IP Tech Tips

Use of Router Logs

As part of continuous monitoring of network activity, security personnel need to examine the network "logs", which record the source and destination IP addresses and the TCP/UDP ports of the connections entering and leaving the LAN via the Internet.  In terms of network security it is just as important to monitor outgoing traffic as incoming: a rogue employee can copy whole files and folders out of the network to an off-site Internet storage service, and that transfer shows up only in the outbound log.

The simplest place to find these logs is the router that connects the local network to the Internet.  Even inexpensive routers such as the Linksys WRT54GL Broadband Wireless Router, used in many residential and light commercial installations, can log the comings and goings of the devices on the network.  Keep in mind that this kind of log records who talked to whom on which port, not the contents of the traffic, and that the on-router table is small and is not retained across a reboot, so for anything more than a quick look it should be forwarded to a log host.

Let’s take a look at the outgoing log of the router in my house on a typical morning.

The screenshot above shows the "Administration" screen, which the network administrator must open to view the logs.  It is very important that logging is always enabled here; if it is switched off, no record of network traffic is kept at all.

With the logging enabled, we can now examine the outgoing traffic of the router.

Here we see that the device at LAN IP address 10.10.10.107 has accessed a number of web sites today.  For example, let's examine the site with the public IP address 74.125.227.124.  One quick way to find out what web site this is is to type the numeric address into a web browser:

So this is one of the many public IP addresses used by Google.  This trick works here because Google answers on its bare addresses; many servers behind shared hosting, load balancers or CDNs return an error or a generic page when addressed by IP, so a reverse DNS lookup (for example, dig -x 74.125.227.124) or a WHOIS query on the address is the more reliable check.  Another source of information about a numeric IP address is the website www.dnsstuff.com, a free site that provides detailed information about IP addresses.

Along with the source and destination IP addresses, the log provides the "Service/Port Number" used for each communications session.  The "www" entries indicate that the user connected to port 80 on the remote servers; an "https" entry means port 443.  The router names only the common ports this way and prints everything else as a bare number, and an outbound connection on an unfamiliar port is exactly the kind of entry worth chasing down.

To check what devices have been entering the LAN from the Internet, just check the “Incoming” log:

To put some information into this log I accessed my LAN-connected NVR from over the Internet.  So here you see the source address of the device that entered the network, along with the ports, 8010 and 5150, that were used for communications.

Enterprise IT personnel should be checking the incoming and outgoing logs on a regular basis, so that they know what normal traffic looks like: which internal hosts talk to the Internet, on which ports, and which Internet sources are expected to reach services exposed from the LAN.  In the event that a security breach is suspected, the first things to check are these logs, to see which devices are communicating with which Internet hosts and vice versa, and to pick out any destination, port or source that does not match the normal pattern.
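The review described above can be scripted once the log has been exported from the router. The following is an added example, not the router's firmware or any code from the original post. It assumes a whitespace-separated export mirroring the router's two log tables (Outgoing: LAN IP, Destination URL/IP, Service/Port Number; Incoming: Source IP, Destination Port Number); the sample rows, the LAN range, the allowed-port list and the trusted-source list are all constructed for the example. It summarizes what each LAN host has been doing, flags outbound connections on ports outside an expected set, and flags inbound connections that either hit a port that should not be exposed or come from an address not expected to reach the exposed service.

```python
"""Parse and review a WRT54GL-style Outgoing/Incoming log export.

Added example, not the router's own software. Input format is an assumption:
whitespace-separated columns mirroring the router's log tables. All
addresses below are constructed (RFC 5737 documentation ranges), not a capture.
"""
from collections import defaultdict
import ipaddress

# Constructed sample rows: LAN IP, Destination IP, Service/Port Number.
OUTGOING_LOG = """\
10.10.10.107  74.125.227.124  www
10.10.10.107  74.125.227.124  https
10.10.10.107  74.125.227.99   www
10.10.10.107  10.10.10.1      domain
10.10.10.112  203.0.113.45    22
10.10.10.112  203.0.113.45    22
10.10.10.112  198.51.100.7    6667
"""

# Constructed sample rows: Source IP, Destination Port Number.
INCOMING_LOG = """\
203.0.113.200  8010
203.0.113.200  5150
198.51.100.33  22
"""

LAN_NET = ipaddress.ip_network("10.10.10.0/24")  # assumed LAN range

# Service names the router prints instead of numbers (assumed subset).
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "domain": 53,
                 "ftp": 21, "ssh": 22, "smtp": 25, "pop3": 110, "imap": 143}


def port_number(token):
    """Turn a Service/Port cell (a name such as 'www', or a number) into an int."""
    token = token.strip().lower()
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    return int(token)  # ValueError on an unknown service name, which is worth noticing


def parse_outgoing(text):
    """Return [(lan_ip, dest_ip, port)] from Outgoing Log rows; blank/malformed rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        src, dst, svc = parts
        rows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), port_number(svc)))
    return rows


def parse_incoming(text):
    """Return [(source_ip, port)] from Incoming Log rows; blank/malformed rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        rows.append((ipaddress.ip_address(parts[0]), port_number(parts[1])))
    return rows


def summarize_outgoing(rows):
    """Per LAN host: number of sessions, and the sets of destinations and ports seen."""
    summary = defaultdict(lambda: {"sessions": 0, "destinations": set(), "ports": set()})
    for src, dst, port in rows:
        entry = summary[str(src)]
        entry["sessions"] += 1
        entry["destinations"].add(str(dst))
        entry["ports"].add(port)
    return dict(summary)


def flag_outgoing(rows, allowed_ports, lan_net=LAN_NET):
    """Internet-bound sessions on a port outside the allow list, as (src, dst, port)."""
    flagged = []
    for src, dst, port in rows:
        if dst in lan_net:
            continue  # LAN-internal traffic never left via the Internet link
        if port not in allowed_ports:
            flagged.append((str(src), str(dst), port))
    return flagged


def flag_incoming(rows, exposed_ports, trusted_sources):
    """Inbound sessions to a port that should not be reachable, or from an unexpected source."""
    flagged = []
    for src, port in rows:
        if port not in exposed_ports:
            flagged.append((str(src), port, "unexpected port"))
        elif str(src) not in trusted_sources:
            flagged.append((str(src), port, "untrusted source"))
    return flagged


if __name__ == "__main__":
    out = parse_outgoing(OUTGOING_LOG)
    for host, s in sorted(summarize_outgoing(out).items()):
        print(host, s["sessions"], "sessions, ports", sorted(s["ports"]))
    for hit in flag_outgoing(out, allowed_ports={80, 443, 53}):
        print("outbound on unexpected port:", hit)
    for hit in flag_incoming(parse_incoming(INCOMING_LOG), {8010, 5150}, {"203.0.113.200"}):
        print("inbound:", hit)
```

On the constructed rows this reports 10.10.10.112 opening SSH and an IRC-range port to Internet hosts, which the owner of the network would want to explain, and an inbound attempt on port 22 that no exposed service should be answering. The allow lists are the baseline from the previous paragraph; keep them narrow and widen them only for traffic you have actually accounted for.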