Firewall Wizards mailing list archives
RE: Log checking?
From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 28 Sep 2004 21:12:11 -0400 (EDT)
On Wed, 29 Sep 2004, Luke Butcher wrote:
> It's for this reason I always set up IDS(ii?) inside the firewall. I'm only worried about what gets through, what's blocked is history.

That's still pretty much logging "known bad" though, isn't it? Heck, if it's known bad, I want to stop it, not alert on it. Blocked getting ignored was pretty much my default too, since we had enough attacks a day that following up would have taken at least one person, maybe more.

> It also has the nice side effect of monitoring what people inside your network are up to. Which for all practical purposes are the only ones you can actually do anything about.

Well, that's one of my reasons for doing permits: more fun to be had LARTing the lusers.

> Sometimes if there is no IDS in place (or even if there is, depending on the client), I'll log permits on the firewall but only on more generic rules, e.g. allow inside to ftp to anywhere. Logging everything can generate too much data, and your signal-to-noise ratio drops, meaning you might miss something.

I didn't constantly monitor everything, but I'd do it as a routine. I also felt that it would help me make a "routine process" case if we ever got challenged for a dismissal.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
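As an added example, not part of the original post or of any product discussed in the thread: a small Python script that does what Luke and Paul describe, keeping only the permits that matched the broad "inside to anywhere" rules (so the signal-to-noise ratio stays usable) and then doing the routine review of those permits per internal host, flagging source/destination/port triples not seen in a previous review. The log format, the rule names and the log lines themselves are constructed for the example (RFC 5737 documentation addresses); a real firewall's log layout would need its own regex.

```python
"""Routine review of firewall PERMIT logs restricted to generic rules.

Added example; the log format and rule names are invented for illustration.
"""
import re
from collections import Counter, defaultdict

# Constructed log layout: "<timestamp> <fw> <ACTION> rule=<name> src= dst= dport= proto="
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<action>PERMIT|DENY) "
    r"rule=(?P<rule>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample records (not real traffic); addresses are RFC 5737 ranges.
SAMPLE_LOG = """\
Sep 28 21:01:02 fw1 PERMIT rule=inside-ftp-any src=10.1.1.5 dst=203.0.113.9 dport=21 proto=tcp
Sep 28 21:01:05 fw1 PERMIT rule=inside-ftp-any src=10.1.1.5 dst=203.0.113.9 dport=21 proto=tcp
Sep 28 21:02:10 fw1 PERMIT rule=inside-http-any src=10.1.1.7 dst=198.51.100.4 dport=80 proto=tcp
Sep 28 21:03:44 fw1 DENY rule=default-deny src=192.0.2.77 dst=10.1.1.5 dport=445 proto=tcp
Sep 28 21:04:01 fw1 PERMIT rule=inside-ftp-any src=10.1.1.9 dst=198.51.100.4 dport=21 proto=tcp
Sep 28 21:05:30 fw1 PERMIT rule=dmz-smtp-relay src=10.2.0.25 dst=203.0.113.25 dport=25 proto=tcp
Sep 28 21:06:12 fw1 DENY rule=default-deny src=192.0.2.80 dst=10.1.1.7 dport=22 proto=tcp
Sep 28 21:07:48 fw1 PERMIT rule=inside-ftp-any src=10.1.1.9 dst=192.0.2.200 dport=21 proto=tcp
"""

# Hypothetical names for the broad "inside to anywhere" rules whose permits
# are worth logging; narrow, host-specific rules are deliberately left out.
GENERIC_RULES = {"inside-ftp-any", "inside-http-any"}


def parse_log(text):
    """Parse log text into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def generic_permits(records, generic_rules=GENERIC_RULES):
    """Keep only PERMIT records that matched one of the generic rules."""
    return [r for r in records if r["action"] == "PERMIT" and r["rule"] in generic_rules]


def summarize_by_source(records):
    """Count (dst, dport) pairs per internal source host: what each host is up to."""
    summary = defaultdict(Counter)
    for r in records:
        summary[r["src"]][(r["dst"], r["dport"])] += 1
    return summary


def new_destinations(records, baseline):
    """Return (src, dst, dport) triples not present in the baseline from the last review."""
    seen = {(r["src"], r["dst"], r["dport"]) for r in records}
    return sorted(seen - baseline)


if __name__ == "__main__":
    permits = generic_permits(parse_log(SAMPLE_LOG))
    for src, dests in sorted(summarize_by_source(permits).items()):
        print(src, dict(dests))
    # Baseline constructed for the example: triples accepted at the previous review.
    baseline = {
        ("10.1.1.5", "203.0.113.9", 21),
        ("10.1.1.7", "198.51.100.4", 80),
        ("10.1.1.9", "198.51.100.4", 21),
    }
    for triple in new_destinations(permits, baseline):
        print("not seen before:", triple)
```

The DENY lines and the narrow `dmz-smtp-relay` permit never reach the review, which is the point of only logging the generic rules; keeping the baseline from one routine review to the next is what turns the permit log into something a person can actually read through.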