Firewall Wizards mailing list archives
Re: Filter routers? (was Re:logs)
From: stephane nasdrovisky <stephane.nasdrovisky () paradigmo com>
Date: Fri, 01 Oct 2004 14:39:40 +0200
Kevin wrote:

> How common is it to deploy filter routers to pre-process traffic before it gets to the firewalls? How elaborate do you get with these ACLs?

I try to have ACLs +- matching the firewall rules; this way, the firewall only logs very suspicious traffic (and accepted traffic).

> Simple "ingress" filtering at the DMZ is a best practice, and it's not uncommon to additionally do "egress" filtering, usually in the same DMZ router.

What do you mean by DMZ? If you're talking about the network between the fw and internet:
- there are only internet access routers on this network.
- wherever possible, the routers filter private addresses (both ingress and egress) - this is the first layer of anti-spoofing and an address-translation debugging tool.

> At the DMZ, I find little value in logging denied traffic.

I personally like to log everything, for troubleshooting reasons, mainly. I reduce the firewall log noise by filtering at the router side. The routers are logging to syslog, keeping the noise out of my firewall(s) log.

> It makes sense to me to simply deny the "noise", traffic which would otherwise increase the load on firewalls (generating and writing deny log events) to no real end.

I log everything because I want to be almost sure 'it will work' even during an attack involving many logged events. (I've seen some Nokia 440 firewalls rebooting during a SYN flood, due to logging and syn-defender.)

> Anything matching these sources must be spoofed, cannot readily be traced back to the source.

Note that there is a trackback/traceback RFC defining a way to know where the spoofed packets really come from... unfortunately:
- it needs many spoofed packets coming from the same real source
- this is not implemented in most (or even any) routers!
- last time I looked at it, it was still under development.
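As an added example (not code from this thread or from either poster), the Python model below shows the router-side pre-filter the reply describes: the router ACL denies private sources on ingress (anti-spoofing), private sources on egress (catches broken address translation), and a few ports the firewall policy would deny anyway; every deny goes to the router's syslog, and only permitted packets are handed to the firewall, so the firewall log carries accepted and genuinely suspicious traffic only. The address ranges, the "noise" port list, the sample packets and the syslog line format are all constructed assumptions for this example, not a vendor's format or anything from the original post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sources that must never arrive from the Internet, and must never leave
# towards it (NAT should have translated them): RFC 1918 plus loopback.
# A production bogon list is longer; this is a constructed sample.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
)]

# Ports the firewall policy would deny from the Internet anyway; denying them
# at the router keeps that noise out of the firewall log (sample list).
NOISE_PORTS = {135, 137, 138, 139, 445}


@dataclass(frozen=True)
class Packet:
    direction: str   # "in": arriving from the Internet, "out": leaving towards it
    src: str
    dst: str
    proto: str
    dport: int


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def router_acl(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Evaluate one packet against the router ACL: ('deny', reason) or ('permit', None)."""
    if pkt.direction == "in" and is_private(pkt.src):
        return "deny", "ingress-spoof"        # private source from the Internet
    if pkt.direction == "out" and is_private(pkt.src):
        return "deny", "egress-leak"          # internal address escaped NAT
    if pkt.direction == "in" and pkt.proto == "tcp" and pkt.dport in NOISE_PORTS:
        return "deny", "noise"                # firewall would deny this anyway
    return "permit", None


def process(packets: List[Packet]) -> Tuple[List[str], List[Packet]]:
    """Return (router syslog lines, packets forwarded to the firewall).

    The syslog line format here is constructed for the example, not a
    vendor's actual message format."""
    syslog: List[str] = []
    to_firewall: List[Packet] = []
    for pkt in packets:
        verdict, reason = router_acl(pkt)
        if verdict == "deny":
            syslog.append(
                f"acl {pkt.direction} deny {reason} {pkt.proto} "
                f"{pkt.src} -> {pkt.dst}:{pkt.dport}"
            )
        else:
            to_firewall.append(pkt)
    return syslog, to_firewall


# Constructed sample traffic using RFC 5737 documentation addresses.
SAMPLE = [
    Packet("in",  "10.1.2.3",     "203.0.113.10", "tcp", 80),   # spoofed source
    Packet("in",  "198.51.100.7", "203.0.113.10", "tcp", 445),  # noise
    Packet("in",  "198.51.100.7", "203.0.113.10", "tcp", 80),   # legitimate
    Packet("out", "192.168.1.5",  "198.51.100.7", "tcp", 443),  # NAT failure
    Packet("out", "203.0.113.10", "198.51.100.7", "tcp", 443),  # legitimate
]

if __name__ == "__main__":
    log, passed = process(SAMPLE)
    print("\n".join(log))
    print(f"{len(passed)} of {len(SAMPLE)} packets reach the firewall")
```

Running it shows three router syslog lines (the spoofed ingress packet, the noise port, and the untranslated egress packet) and two packets reaching the firewall; the egress-leak entry is the "address-translation debugging tool" the reply mentions, since a private source leaving the DMZ router means NAT did not do its job.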
Current thread:
- Filter routers? (was Re:logs) Kevin (Oct 01)
- Re: Filter routers? (was Re:logs) Paul D. Robertson (Oct 01)
- Re: Filter routers? (was Re:logs) stephane nasdrovisky (Oct 01)