Firewall Wizards mailing list archives

RE: Log checking?


From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 30 Sep 2004 11:24:40 -0400 (EDT)

On Wed, 29 Sep 2004, Luke Butcher wrote:

> In this scenario I'm trusting the firewall to block all known bad.
> The IDS is just a mechanism to sift the more 'interesting' stuff that
> gets THROUGH the firewall (from the outside).

But, again- IDS is "known bad"- we don't get IDS signatures for "stuff we
don't know is good."

Strategically, I'm less worried about finding things that will be IDS
signatures next month than I am about finding things that will never be
IDS signatures.  Yes, that's a lot of data to deal with, but it's the
higher-cost threats in my view, such as the bad insider, strategic
compromise, etc.

> Saves having to troll through all the traffic that gets past the
> firewall, which is nearly all legitimate. Alerts in this case would be

Ah, but what I'm suggesting is that for emergent threats, that trolling is
actually useful.

> When everything's coming your way, you're in the wrong lane.

Nah, it just means you're in a target rich environment ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards