user access logs on mbox

User access logging is important for auditing and forensic investigation purposes, and is typically required for compliance with cyber security laws.

mbox HSG and CMG support various types of user/device logs, e.g. firewall logs, URL/proxy logs, DNS logs and DHCP logs. For HSG, additional user profile and session data (RADIUS logs) can be captured (see this link for details).

Depending on an organization's specific needs, different types of logs are required. In general, the following basic set of key information is required:

- timestamps
- source IP
- destination (IP for firewall logs, URL path for proxy logs, or domain name for DNS logs)
- protocol (firewall logs only)
- source/destination ports (firewall logs only)

The samples below show the different types of logs supported by mbox gateways.

=================================

Firewall access logs. These are generated by the firewall, which inspects each packet up to the transport layer (layer 4).

Below is a raw sample of firewall log output:

---------------------------------------
Aug 30 13:45:31 CMG-ISP kernel: [5496992.470425] mboxfw-permit:IN=br0 OUT=eth0 PHYSIN=eth1 MAC=00:90:0b:34:b4:7f:00:90:0b:3e:05:0c:08:00 SRC=172.16.3.2 DST=49.128.58.66 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=23565 DF PROTO=TCP SPT=58371 DPT=10051 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 30 13:45:31 CMG-ISP kernel: [5496992.706739] mboxfw-permit:IN=br0 OUT=eth0 PHYSIN=eth2 MAC=00:90:0b:34:b4:7f:00:90:0b:3e:05:06:08:00 SRC=10.1.1.2 DST=49.128.58.66 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=2490 DF PROTO=TCP SPT=49902 DPT=10051 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 30 13:45:34 CMG-ISP kernel: [5496995.009301] mboxfw-permit:IN=br0 OUT=eth0 PHYSIN=eth1 MAC=00:90:0b:34:b4:7f:00:90:0b:3e:05:0c:08:00 SRC=172.16.3.2 DST=8.8.8.8 LEN=77 TOS=0x00 PREC=0x00 TTL=61 ID=17879 PROTO=UDP SPT=40809 DPT=53 LEN=57
---------------------------------------

URL access logs. These are generated by the web proxy, which tracks each user's browsing session and records the full URL path of each request.

Note that this applies only to HTTP-based traffic; the mbox proxy does not intercept HTTPS traffic. As an alternative, DNS logging can be used to track HTTPS requests, but unlike proxy logs, DNS logs do not record the full URL path.

Below is a raw sample of URL log output:

---------------------------------------
04/May/2015:11:28:19 SGT 180 192.168.0.224 TCP_MISS/200 411 GET http://liveupdate.symantecliveupdate.com/minitri.flg - DIRECT/125.23.216.203 text/plain
04/May/2015:11:28:19 SGT 192.168.0.224 TCP_MISS/200 4083 GET http://liveupdate.symantecliveupdate.com/streaming/norton$202009$20streaming$20virus$20definitions_1.0_symalllanguages_livetri.zip - DIRECT/125.23.216.203 application/zip
04/May/2015:11:28:19 SGT 192.168.0.227 TCP_MISS/200 20670 GET http://www.youtube.com/watch? - DIRECT/209.85.231.136 text/html
04/May/2015:11:28:19 SGT 192.168.0.227 TCP_MISS/204 294 GET http://v15.lscache3.c.youtube.com/generate_204? - DIRECT/122.160.120.150 text/html
---------------------------------------

DNS access logs. These are enabled by default on HSG and can be configured on CMG as well.

The DNS log records all name lookups, for both HTTP/HTTPS URL requests and all other applications (e.g. even mobile app requests), but not the full URL path. It is a very effective method and is commonly used by many other products for user behavior analytics and access control (e.g. OpenDNS).

Below is a raw sample of DNS log output:

---------------------------------------
Aug 30 13:54:02 mbox: [9906:0] info: 10.210.27.86 apple.com. A IN
Aug 30 13:54:02 mbox: [9906:0] info: 10.210.27.86 p57-imap.mail.me.com. A IN
Aug 30 13:54:02 mbox: [9906:0] info: 10.210.26.249 conn1.oppomobile.com. A IN
Aug 30 13:54:02 mbox: [9906:0] info: 10.210.23.0 szextshort.weixin.qq.com. A IN
Aug 30 13:54:02 mbox: [9906:0] info: 10.210.23.0 www.baidu.com. A IN
Aug 30 13:54:02 mbox: [9906:0] info: 10.210.31.65 setup.icloud.com. A IN
Aug 30 13:54:02 mbox: [9906:0] info: 10.210.23.0 www.youku.com. A IN
Aug 30 13:54:02 mbox: [9906:0] info: 10.210.31.65 gspe35-ssl.ls.apple.com. A IN
Aug 30 13:54:02 mbox: [9906:0] info: 10.210.22.220 43-courier.push.apple.com. A IN
Aug 30 13:54:02 mbox: [9906:0] info: 10.210.21.254 encrypted-tbn0.gstatic.com. A IN
Aug 30 13:54:02 mbox: [9906:0] info: 10.181.56.199 BCMLS2.glpals.com. A IN
Aug 30 13:54:02 mbox: [9906:0] info: 10.210.31.65 p50-ckdatabase.icloud.com. A IN
---------------------------------------

DHCP logs. These capture the user device's DHCP request and the mbox offer/reply to the device, which is important for tracking the mapping between device name, MAC address and IP address.

Below is a raw sample of DHCP log output:

---------------------------------------
Apr 8 13:07:42 HSG-DEMO dhcpd: DHCPREQUEST for 192.168.50.105 from 18:5e:0f:70:e2:02 (RandyRan) via vlan10
Apr 8 13:07:42 HSG-DEMO dhcpd: DHCPACK on 192.168.50.105 to 18:5e:0f:70:e2:02 (RandyRan) via vlan10
Apr 8 13:08:28 HSG-DEMO dhcpd: DHCPDISCOVER from 6c:4d:73:95:67:ae (seewees-iPhone) via vlan10
Apr 8 13:08:29 HSG-DEMO dhcpd: DHCPOFFER on 192.168.50.192 to 6c:4d:73:95:67:ae (seewees-iPhone) via vlan10
Apr 8 13:08:30 HSG-DEMO dhcpd: DHCPREQUEST for 192.168.50.192 (192.168.50.1) from 6c:4d:73:95:67:ae (seewees-iPhone) via vlan10
Apr 8 13:08:30 HSG-DEMO dhcpd: DHCPACK on 192.168.50.192 to 6c:4d:73:95:67:ae (seewees-iPhone) via vlan10
Apr 8 13:08:31 HSG-DEMO dhcpd: DHCPREQUEST for 192.168.50.154 from 50:c7:bf:90:2e:e0 (HS100) via vlan10
Apr 8 13:08:31 HSG-DEMO dhcpd: DHCPACK on 192.168.50.154 to 50:c7:bf:90:2e:e0 (HS100) via vlan10
Apr 8 13:11:06 HSG-DEMO dhcpd: DHCPDISCOVER from 6c:4d:73:95:67:ae (seewees-iPhone) via vlan10
Apr 8 13:11:07 HSG-DEMO dhcpd: DHCPOFFER on 192.168.50.192 to 6c:4d:73:95:67:ae (seewees-iPhone) via vlan10
Apr 8 13:11:08 HSG-DEMO dhcpd: DHCPREQUEST for 192.168.50.192 (192.168.50.1) from 6c:4d:73:95:67:ae (seewees-iPhone) via vlan10
Apr 8 13:11:08 HSG-DEMO dhcpd: DHCPACK on 192.168.50.192 to 6c:4d:73:95:67:ae (seewees-iPhone) via vlan10
---------------------------------------
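As an added example (not part of the mbox documentation or product), the Python below normalises the four log types shown above into the key fields listed at the top of this page and joins DHCPACK leases to the source IP of firewall/URL/DNS records, which is the device name/MAC/IP mapping the DHCP section describes. The regular expressions are assumptions derived from the sample lines, and the DHCPACK line for 172.16.3.2 in the sample input is constructed so that the join has a match.

```python
import re

# Added example, not mbox's own tooling. Regexes are assumptions derived from the raw
# samples on this page, not a published mbox log specification.
TS = r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) '
FW_RE = re.compile(TS + r'\S+ kernel: \[[\d.]+\] mboxfw-(\w+):(.*)$')
DNS_RE = re.compile(TS + r'\S+: \[[\d:]+\] info: (\S+) (\S+) (\S+) (\S+)$')
DHCP_RE = re.compile(TS + r'\S+ dhcpd: DHCPACK on (\S+) to (\S+) \((.*?)\) via (\S+)$')
# The elapsed-time column (e.g. 180) appears on only some URL log lines, so it is optional.
URL_RE = re.compile(r'^(\S+ \w+) (?:\d+ )?(\S+) (\S+)/(\d+) (\d+) (\S+) (\S+) ')
KV_RE = re.compile(r'(\w+)=(\S+)')

def parse_line(line):
    """Normalise one raw line into the key fields (ts, src, dst, proto, ports); None if unknown."""
    base = dict(ts=None, src=None, dst=None, proto=None, sport=None, dport=None)
    if m := FW_RE.match(line):
        kv = dict(KV_RE.findall(m.group(3)))   # IN=... SRC=... DPT=... pairs
        return {**base, 'type': 'firewall', 'ts': m.group(1), 'action': m.group(2),
                'src': kv.get('SRC'), 'dst': kv.get('DST'), 'proto': kv.get('PROTO'),
                'sport': kv.get('SPT'), 'dport': kv.get('DPT')}
    if m := DNS_RE.match(line):
        return {**base, 'type': 'dns', 'ts': m.group(1), 'src': m.group(2),
                'dst': m.group(3).rstrip('.')}
    if m := URL_RE.match(line):
        return {**base, 'type': 'url', 'ts': m.group(1), 'src': m.group(2),
                'dst': m.group(7), 'status': int(m.group(4))}
    if m := DHCP_RE.match(line):
        return {**base, 'type': 'dhcp', 'ts': m.group(1), 'src': m.group(2),
                'mac': m.group(3), 'name': m.group(4)}
    return None

def enrich(lines):
    """Parse all lines, then attach MAC/device name from DHCPACK leases to matching source IPs."""
    recs = [r for r in map(parse_line, lines) if r]
    leases = {r['src']: (r['mac'], r['name']) for r in recs if r['type'] == 'dhcp'}
    for r in recs:
        if r['type'] != 'dhcp' and r['src'] in leases:
            r['mac'], r['name'] = leases[r['src']]
    return recs

# Constructed sample: lines in the shape of the page's raw outputs, plus a made-up DHCPACK for 172.16.3.2.
SAMPLE = [
    'Aug 30 13:45:31 CMG-ISP kernel: [5496992.470425] mboxfw-permit:IN=br0 OUT=eth0 PHYSIN=eth1 '
    'SRC=172.16.3.2 DST=49.128.58.66 LEN=52 TTL=60 DF PROTO=TCP SPT=58371 DPT=10051 SYN URGP=0',
    '04/May/2015:11:28:19 SGT 180 192.168.0.224 TCP_MISS/200 411 GET '
    'http://liveupdate.symantecliveupdate.com/minitri.flg - DIRECT/125.23.216.203 text/plain',
    'Aug 30 13:54:02 mbox: [9906:0] info: 10.210.27.86 apple.com. A IN',
    'Aug 30 13:40:00 CMG-ISP dhcpd: DHCPACK on 172.16.3.2 to 00:90:0b:3e:05:0c (lab-pc) via vlan10',
]
```

The lease join keeps only the latest DHCPACK per IP; a forensic-grade join should instead pick the lease that was in effect at each event's timestamp, since an IP can be reassigned to a different device.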