RE: can/should

["Gallicchio, Florindo (2282)" <FGallicchio () netera com>]

 Barry:

It all depends on what your security policy stipulates.  You should go only
so far as to meet your security objective.

If a port scan is something you consider to be either non-threatening or
something that should be monitored only, then you would perhaps log the
source address (provided it isn't spoofed), the date, the time, etc.  If
you're a managed security services (like what my company offers) or some
type of business that would require a higher level of vigilance, you would
take it further for evidence gathering purposes, at least.

Keep in mind that port scanning does not constitute an attack per se.  Our
clients come under *constant* port scanning, among other types of events.

Establish your security baseline, then establish a risk threshhold.
Anything above the threshhold should be met with a documented escalation
procedure of some sort that meets the requirements of your security
baseline.

Florindo
_________________________
Florindo Gallicchio
Director, Managed Security Services
esavio
www.esavio.com

-----Original Message-----
From: Barry Hudson
To: nmap-hackers () insecure org
Sent: 5/23/00 9:35 AM
Subject: can/should

As a new firewall admin I have a question for the white hats.  I log
port scans and do a whois to locate the ISP that owns the ip address.
My questions is what else
can/should be done.  I have no other reason to believe they got through
or committed any crime.  What else are you guys doing?  I  hope this is
not to far off topic.



Barry S. Hudson 
Network Systems Manager 
Fredericksburg Savings Bank 
www.fsbnk.com 
Business Email - bhudson () fsbnk com 
All Other Email - barryhudson () compuserve com 

This email is intended for the addressee only.  The material may be
privileged and confidential information.  If you have received this
email in error, please notify me immediately by email and delete the
original.  Thank you.