Firewall Wizards mailing list archives
RE: Log checking?
From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 30 Sep 2004 11:24:40 -0400 (EDT)
On Wed, 29 Sep 2004, Luke Butcher wrote:
> In this scenario I'm trusting the firewall to block all known bad. The IDS is just a mechanism to sift the more 'interesting' stuff that gets THROUGH the firewall (from the outside).
But, again- IDS is "known bad"- we don't get IDS signatures for "stuff we don't know is good." Strategically, I'm less worried about finding things that will be IDS signatures next month than I am about finding things that will never be IDS signatures. Yes, that's a lot of data to deal with, but it's the higher-cost threats in my view, such as the bad insider, strategic compromise, etc.
> Saves having to troll through all the traffic that gets past the firewall, which is nearly all legitimate. Alerts in this case would be
Ah, but what I'm suggesting is that for emergent threats, that trolling is actually useful.
> When everything's coming your way, you're in the wrong lane.
Nah, it just means you're in a target rich environment ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson
paul () compuwar net
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards