Firewall Wizards mailing list archives

RE: Log checking?


From: "Desai, Ashish" <Ashish.Desai () fmr com>
Date: Tue, 28 Sep 2004 18:27:24 -0400

I would recommend you also look at your web proxy logs.
Especially for 'CONNECT' method (which is an SSL connection).
There are too many people who have figured out how to 
ab(use) it. We are now also starting to see VPN software
that is going to start using that method and at that point
it's pretty much game over.

We have found very interesting things when CS interns start
working at our company and they start using this channel to
get to the outside. Besides, it's a lot of fun looking at
what people are querying at Google ;-)

Ashish

-----Original Message-----
From: Paul D. Robertson [mailto:paul () compuwar net] 
Sent: Tuesday, September 28, 2004 4:05 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Log checking?

Back when I had real production firewalls, I'd log all the permitted
traffic for a while, then do some analysis of the data to get a
feel for things like tunnels, misbehaving users, etc.

I've always felt that worrying about denied traffic was mostly for sport-
if the firewall's policy blocked it, I wasn't all that worried about much
more than overall trends- what got *through* the firewall seemed to be the
more interesting set of things.

I'm just wondering if the subset of folks who actually look at their
firewalls mostly looks at denied traffic only, or if it's a common
practice to look at the permitted stuff too?  If so, what sorts of things
are you using, and are you finding anything interesting?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
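
Added example, not part of the original messages: one way to review permitted CONNECT tunnels in proxy logs, as the reply suggests. It assumes Squid's native access.log field layout; the sample lines, the 443-only port policy and both thresholds are constructed for illustration.

```python
# Constructed sample lines in Squid's native access.log layout:
# time elapsed_ms client action/status bytes method target ident peer type
SAMPLE_LOG = """\
1096410444.120 350 10.1.4.21 TCP_MISS/200 4312 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1096410450.900 1200 10.1.4.21 TCP_MISS/200 18044 CONNECT bank.example.com:443 - DIRECT/192.0.2.20 -
1096410461.030 5400000 10.1.7.88 TCP_MISS/200 73400320 CONNECT host.example.net:443 - DIRECT/198.51.100.7 -
1096410470.555 86000 10.1.7.88 TCP_MISS/200 902144 CONNECT host.example.net:22 - DIRECT/198.51.100.7 -
1096410480.001 15 10.1.9.3 TCP_DENIED/403 1480 CONNECT 203.0.113.5:8080 - NONE/- text/html
this line is truncated
"""

ALLOWED_PORTS = {443}              # assumed policy: CONNECT is for HTTPS only
MAX_ELAPSED_MS = 30 * 60 * 1000    # assumed threshold: 30 minutes
MAX_BYTES = 50 * 1024 * 1024       # assumed threshold: 50 MiB

def permitted_connects(text):
    """Yield (client, host, port, elapsed_ms, size) for CONNECTs the proxy allowed."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "CONNECT" or f[3].startswith("TCP_DENIED"):
            continue  # not a CONNECT, or the proxy refused it
        host, _, port = f[6].rpartition(":")
        if not (host and port.isdigit() and f[1].isdigit() and f[4].isdigit()):
            continue  # malformed record
        yield f[2], host, int(port), int(f[1]), int(f[4])

def review(text):
    """Return [(client, target, [reasons])] for tunnels worth a closer look."""
    findings = []
    for client, host, port, elapsed, size in permitted_connects(text):
        reasons = []
        if port not in ALLOWED_PORTS:
            reasons.append(f"port {port}")
        if elapsed > MAX_ELAPSED_MS:
            reasons.append("long-lived tunnel")
        if size > MAX_BYTES:
            reasons.append("large transfer")
        if reasons:
            findings.append((client, f"{host}:{port}", reasons))
    return findings

if __name__ == "__main__":
    for client, target, reasons in review(SAMPLE_LOG):
        print(f"{client} -> {target}: {', '.join(reasons)}")
```
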
