Firewall Wizards mailing list archives

RE: Log checking?


From: "Luke Butcher" <Luke.Butcher () alphawest com au>
Date: Wed, 29 Sep 2004 09:00:31 +1000

 
It's for this reason I always set up IDS(ii?) inside the firewall. I'm
only worried about what gets through, what's blocked is history.

It also has the nice side effect of monitoring what people inside your
network are up to. Which for all practical purposes are the only ones
you can actually do anything about.

Sometimes if there is no IDS in place (or even if there is depending on
the client), I'll log permits on the firewall but only on more generic
rules, e.g. allow inside to ftp to anywhere. Logging everything can
generate too much data, and your signal-to-noise ratio drops, meaning you
might miss something.

Luke Butcher
Network/Security Consultant
Alphawest Services Pty Ltd
www.alphawest.com.au

IBM: Incredibly Bullying Menace

-----Original Message-----
From: Paul D. Robertson [mailto:paul () compuwar net] 

I'm just wondering if the subset of folks who actually look at their
firewalls mostly looks at denied traffic only, or if it's a common
practice to look at the permitted stuff too?  If so, what sorts of
things are you using, and are you finding anything interesting?


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

