Firewall Wizards mailing list archives
Log checking?
From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 28 Sep 2004 16:05:24 -0400 (EDT)
Back when I had real production firewalls, I'd log all the permitted traffic for a while, then do some analysis of the data to get a feel for things like tunnels, misbehaving users, etc. I've always felt that worrying about denied traffic was mostly for sport- if the firewall's policy blocked it, I wasn't all that worried about much more than overall trends- what got *through* the firewall seemed to be the more interesting set of things. I'm just wondering if the subset of folks who actually look at their firewalls mostly looks at denied traffic only, or if it's a common practice to look at the permitted stuff too? If so, what sorts of things are you using, and are you finding anything interesting? Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions paul () compuwar net which may have no basis whatsoever in fact." probertson () trusecure com Director of Risk Assessment TruSecure Corporation _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Log checking? Paul D. Robertson (Sep 28)
- Re: Log checking? Adrian Grigorof (Sep 30)
- Re: Log checking? ArkanoiD (Sep 30)
- Re: Log checking? Paul D. Robertson (Sep 30)
- Re: Log checking? Devdas Bhagat (Sep 30)
- Re: Log checking? Mark Tinberg (Sep 30)
- Re: Log checking? Paul D. Robertson (Sep 30)
- <Possible follow-ups>
- RE: Log checking? Desai, Ashish (Sep 28)
- Re: Log checking? Adam Shostack (Sep 28)
- RE: Log checking? Luke Butcher (Sep 28)
- RE: Log checking? Paul D. Robertson (Sep 28)
(Thread continues...)