Firewall Wizards mailing list archives

RE: Log checking?


From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 28 Sep 2004 21:12:11 -0400 (EDT)

On Wed, 29 Sep 2004, Luke Butcher wrote:

> It's for this reason I always set up IDS(ii?) inside the firewall. I'm
> only worried about what gets through, what's blocked is history.


That's still pretty much logging "known bad" though, isn't it?  Heck, if
it's known bad, I want to stop it, not alert on it.  Blocked getting
ignored was pretty much my default too, since we had enough attacks a day
that following up would have taken at least one person, maybe more.

> It also has the nice side effect of monitoring what people inside your
> network are up to. Which for all practical purposes are the only ones
> you can actually do anything about.

Well, that's one of my reasons for doing permits: more fun to be had
LARTing the lusers.

> Sometimes if there is no IDS in place (or even if there is, depending on
> the client), I'll log permits on the firewall but only on more generic
> rules, e.g. allow inside to ftp to anywhere. Logging everything can
> generate too much data, and your signal-to-noise ratio drops, meaning you
> might miss something.

I didn't constantly monitor everything, but I'd do it as a routine.  I
also felt that it would help me make a "routine process" case if we ever
got challenged for a dismissal.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
