RE: Log checking?

["Luke Butcher" <Luke.Butcher () alphawest com au>]

In this scenario I'm trusting the firewall to block all known bad.
The IDS is just a mechanism to sift the more 'interesting' stuff that's
gets THROUGH the firewall (from the outside).

Saves having to troll through all the traffic that gets past the
firewall, which is nearly all legitimate. Alerts in this case would be
preferable to blocking because the ratio of false negatives would be
high, although most of the better IDS these days can be configured to
generate tcp resets, or pass rules to a firewall to block that traffic
for a defined period of time, if you really want to generate a block at
this stage.


Luke Butcher
Alphawest Services Pty Ltd
www.alphawest.com.au

When everything's coming your way, you're in the wrong lane.


-----Original Message-----
From: Paul D. Robertson [mailto:paul () compuwar net] Wednesday, 29
September 2004 11:12 AM

That's still pretty much logging "known bad" though, isn't it?  Heck, if
it's known bad, I want to stop it, not alert on it.  Blocked getting
ignored was pretty much my default too, since we had enough attacks a
day that following up would have taken at least one person, maybe more.



On Wed, 29 Sep 2004, Luke Butcher wrote:

> It's for this reason I always setup IDS(ii?) inside the firewall. I'm 
> only worried about what gets through, what's blocked is history.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards