Security Basics mailing list archives

Re: Firewall Logging question?


From: Jason <securitux () gmail com>
Date: Tue, 20 May 2008 16:10:52 -0400

It depends, but I prefer logging accepts/allows, etc. for evidence
retention and incident response; it is also very handy for troubleshooting.
Some very suspicious traffic can be accepted by firewalls (e.g. you
have an allow-all HTTP rule from inside out and some PC inside your network
starts probing random URLs for a vulnerable input field). Of course
this might be picked up by a content filter / IPS. Again, it depends on
your situation.

What I usually do is set up rules which accept and do not log
information that would rarely be useful in a security investigation
such as cluster sync traffic. Log everything else.

There are regulatory requirements as well to collect and retain logs,
so be wary of any requirements your company falls under. We have a few
clients which fall under SOX; for them we need to collect everything.

Storage is so cheap now that if your firewall event collector can
handle it you might want to log it all. Logs compress really well too
(10:1 or better) so when you've filled up that 1/2 TB or whatever you
have for your collector you can tar and gzip it then back it up and
send it to offsite storage.

-J
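The two points above, logging what is accepted so that suspicious but allowed traffic stays visible, and silencing only narrowly defined noise such as cluster sync, can be tried against a handful of constructed iptables-style log lines. This is an added example, not code from the thread or from any firewall vendor; the log format, the addresses, the UDP 3780 sync port between two hypothetical cluster nodes, the fan-out threshold, and the "many distinct destinations on port 80 from one internal host" heuristic are all assumptions. A firewall sees destination addresses and ports, not the URLs Jason mentions, so fan-out to many hosts is used here as the firewall-level analogue of URL probing.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed cluster-sync traffic that an accept-without-log rule would keep out
# of the event collector: the two firewall nodes exchange state on UDP 3780.
CLUSTER_NODES = {"10.0.0.2", "10.0.0.3"}
CLUSTER_SYNC_PORT = 3780

INTERNAL_PREFIX = "192.168."   # assumed internal address space
FANOUT_THRESHOLD = 8           # distinct external hosts on one port per window
WINDOW_SECONDS = 60

# iptables LOG-style line: "<syslog ts> <host> kernel: [VERDICT] ... SRC= DST= ... PROTO= SPT= DPT="
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: \[(?P<verdict>\w+)\] "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_line(line, year=2008):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
    ev["dpt"] = int(ev["dpt"]) if ev["dpt"] else None
    return ev


def is_cluster_sync(ev):
    """The one narrowly defined accept-without-log exception from the post."""
    return (ev["src"] in CLUSTER_NODES and ev["dst"] in CLUSTER_NODES
            and ev["proto"] == "UDP" and ev["dpt"] == CLUSTER_SYNC_PORT)


def accepted_events(lines):
    """Yield parsed ACCEPT events, minus the cluster-sync noise."""
    for line in lines:
        ev = parse_line(line)
        if ev and ev["verdict"] == "ACCEPT" and not is_cluster_sync(ev):
            yield ev


def fanout_alerts(events, port=80, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Flag internal sources that reach >= threshold distinct hosts on `port`
    within `window` seconds. Returns {src: max distinct destinations seen}."""
    per_src = defaultdict(list)   # src -> [(ts, dst)] within the current window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["dpt"] != port or not ev["src"].startswith(INTERNAL_PREFIX):
            continue
        hist = per_src[ev["src"]]
        hist.append((ev["ts"], ev["dst"]))
        hist[:] = [h for h in hist if (ev["ts"] - h[0]).total_seconds() <= window]
        distinct = {dst for _, dst in hist}
        if len(distinct) >= threshold:
            alerts[ev["src"]] = max(alerts.get(ev["src"], 0), len(distinct))
    return alerts


# --- constructed sample log (not real traffic) -------------------------------
def _line(ts, verdict, src, dst, proto="TCP", spt=51000, dpt=80):
    return (f"May 20 {ts} fw1 kernel: [{verdict}] IN=eth1 OUT=eth0 "
            f"SRC={src} DST={dst} LEN=60 PROTO={proto} SPT={spt} DPT={dpt}")

SAMPLE_LOG = (
    # one PC sweeping ten external web servers in ten seconds, all ACCEPTed
    [_line(f"16:10:{s:02d}", "ACCEPT", "192.168.1.50", f"203.0.113.{10 + s}", spt=51000 + s)
     for s in range(10)]
    # ordinary browsing from another PC: two distinct hosts in a minute
    + [_line("16:10:05", "ACCEPT", "192.168.1.20", "198.51.100.5"),
       _line("16:10:30", "ACCEPT", "192.168.1.20", "198.51.100.9"),
       _line("16:10:50", "ACCEPT", "192.168.1.20", "198.51.100.5")]
    # cluster sync chatter between the two firewall nodes (excluded from the log)
    + [_line("16:10:00", "ACCEPT", "10.0.0.2", "10.0.0.3", "UDP", 3780, 3780),
       _line("16:10:00", "ACCEPT", "10.0.0.3", "10.0.0.2", "UDP", 3780, 3780),
       _line("16:10:01", "ACCEPT", "10.0.0.2", "10.0.0.3", "UDP", 3780, 3780),
       _line("16:10:01", "ACCEPT", "10.0.0.3", "10.0.0.2", "UDP", 3780, 3780)]
    # a deny, kept for completeness; deny-only logging would show ONLY this line
    + [_line("16:10:12", "DROP", "203.0.113.99", "192.168.1.50", dpt=445)]
)


def run_report(lines=SAMPLE_LOG):
    """Return (number of retained accept events, fan-out alerts)."""
    events = list(accepted_events(lines))
    return len(events), fanout_alerts(events)


if __name__ == "__main__":
    kept, alerts = run_report()
    print(f"retained {kept} accept events after dropping cluster sync")
    for src, n in alerts.items():
        print(f"ALERT {src}: {n} distinct external hosts on tcp/80 within {WINDOW_SECONDS}s")
```

With deny-only logging the single DROP line is all that survives, and the sweeping host is invisible; with accept logging plus the one cluster-sync exclusion, thirteen events are retained and the sweep is flagged. The threshold and window are the knobs to tune against a site's real browsing pattern before alerting on them.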

On 5/19/08, Albert R. Campa <abcampa () gmail com> wrote:
Hi,

I am wondering what your opinion is on Firewall logging for
"Accept/Permit/Allow" rules?

Is it really necessary? Are just the "deny" logs critical?
Say disk space is not in abundance.

Should you not log "accept/permit/allow" firewall rules, or log
everything and have your retention reduced?

What are advantages to logging "accept/permit/allow" rules in a firewall?

Thanks in advance.

Albert
