Firewall Wizards mailing list archives
IDS/IPS and LOGS
From: "Hawkins, Michael" <MHawkins () TULLIB COM>
Date: Fri, 3 Feb 2006 09:33:09 -0500
A few cents on IDS/IPS and Logs:

IDS is great at identifying which previously discovered and quantified nasty behavior is happening on your network (where your network is either inside, outside or DMZ). But it doesn't give you much when you encounter something new and unknown (day zero). And there are more of these day zero attacks coming along all the time.

IPS is also great at blocking many Internet attacks, but it has limited use on the outside (your Internet attachment), because if anyone wises up to the fact that you have an IPS in place, then a spoofed attack could easily turn your IPS into a big denial of service attack. IPS is best used inside your network, where you know that bad traffic is always bad traffic and it isn't a spoofed DoS attack.

On the subject of log analysis: my guess is that most of the world's firewalls and IDS/IPS only have half of their capabilities ever put into use. Heck, I just realized that one of our firewall pairs has been running for two years without the onboard encryption hardware turned on! But I digress.

The point is this: every day you, as the security practitioner, should be checking your firewall and IDS/IPS logs and developing another rule or two to add that will reduce logging for traffic you know is not important. Then add that rule into your change control process, document it and implement it. Now you're one step closer to a log that actually has only the bad stuff in it. Do this every day and within a very short time you will be looking at smaller logs that actually mean something.

I have been looking at SEM for some time and they all lack one important piece - a simple, easy interface for developing and deploying filters.

But the biggest catch to all of this is that you actually must have a real security policy. And the policy must live and breathe and grow in such a way as to not impact the business - much. It must evolve year on year, each time bringing more controls and closer scrutiny to all paths and byways in your network. Just make sure you have well integrated systems and processes so that you don't become the choke point for every single infrastructure request that happens within your company.

Mike Hawkins
New York Office: 212-208-3888
White Plains Office: 914-729-2790
Mobile: 917-887-3614

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Adrian Grigorof
Sent: Thursday, February 02, 2006 11:01 PM
To: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] parsing logs ultra-fast inline

What do we want to know? http://www.eventid.net/firewalls/MostPopularReports.asp

The compilation of the most popular reports that we would like to see after a firewall (or other similar device) log analysis - from a thread initiated by mjr in the Log Analysis mailing list.

I noticed that there is a big emphasis on log parsing, while there should be more discussion about the interpretation of the log parsing results. I've worked with logs from quite a few types of firewalls, but parsing them has never been the problem. Yes, it is a tedious, frustrating job, but a rather easy one in comparison with the task of "programmatically" interpreting their meaning.

Take Tina's VPN example - how many types of log entries would you expect from a VPN concentrator? From my experience, not more than 20, but let's assume there are 50. Give a sample of each entry to a Perl programmer and you will have the parsing script done in a day or two. So now you have the data, but what are you doing with it? What is relevant to a VPN administrator? Even a seasoned security professional would appreciate some "conclusions" that a reporting tool would provide from the data in the logs.

That being said, I agree that when you have to analyze 100 GB worth of logs, parsing them becomes a (big) problem and you need to optimize as much as possible. Actually, a "mere" 1 GB log is a show stopper for many analyzers on the market.

Regards,
Adrian Grigorof
Altair Technologies
www.altairtech.ca
www.eventid.net

----- Original Message -----
From: "Tina Bird" <tbird () precision-guesswork com>
To: "'Marcus J. Ranum'" <mjr () ranum com>; <firewall-wizards () honor icsalabs com>
Sent: Thursday, February 02, 2006 13:21
Subject: RE: [fw-wiz] parsing logs ultra-fast inline

marcus has been sufficiently saying what i do that i've not felt obliged to participate in this thread, until finally:

-----Original Message-----
From: Marcus J. Ranum [mailto:mjr () ranum com]
Sent: Wednesday, February 01, 2006 1:04 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] parsing logs ultra-fast inline
[...] WHAT DO YOU WANT TO KNOW?

so f'r instance, imagine i've landed in a new job at a company without a centralized logging infrastructure. the network is the usual conglomeration of file servers, mail, web stuff, firewalls, routers, remote access. and databases, of course. and some custom code. i'd go MAD if i tried to build the uber-logging facility all in one go. [...]

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
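As an added example, not part of the thread or of any product mentioned in it, here is the daily noise-reduction pass Mike describes (parse, suppress known-unimportant traffic under a documented rule, see what is left), written over a constructed firewall log format; the line format, rule names and sample lines are all assumptions for the demo. It also reports the most common leftover pattern, which is where Adrian's "conclusions" and tomorrow's rule would start.

```python
import re
from collections import Counter
# Constructed line format (not any real firewall's): "<ts> <ACTION> <PROTO> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
def parse(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

# Suppression rules, name -> predicate; each name stands for the (hypothetical) change-control ticket.
RULES = {
    "cr101-netbios-broadcast-noise": lambda r: r["action"] == "DENY"
        and r["proto"] == "UDP" and r["dport"] in (137, 138),
    "cr102-internal-dns-to-resolver": lambda r: r["action"] == "ALLOW"
        and r["dport"] == 53 and r["dst"] == "10.0.0.53",
}
def reduce_log(lines, rules=RULES):
    """Return (records left after suppression, hits per rule, count of unparsed lines)."""
    kept, hits, unparsed = [], Counter(), 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparsed += 1  # surface parser failures instead of silently losing lines
            continue
        name = next((n for n, pred in rules.items() if pred(rec)), None)
        if name:
            hits[name] += 1
        else:
            kept.append(rec)
    return kept, hits, unparsed

def rule_candidates(kept, n=3):
    """Most common (action, proto, dport) still in the log: where tomorrow's rule goes."""
    return Counter((r["action"], r["proto"], r["dport"]) for r in kept).most_common(n)
# Constructed sample lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE = """\
2006-02-03T09:00:01 DENY UDP 10.0.1.15:137 -> 10.0.1.255:137
2006-02-03T09:00:02 ALLOW UDP 10.0.1.20:51234 -> 10.0.0.53:53
2006-02-03T09:00:03 DENY TCP 203.0.113.9:44211 -> 192.0.2.10:22
2006-02-03T09:00:04 DENY UDP 10.0.1.16:138 -> 10.0.1.255:138
2006-02-03T09:00:05 DENY TCP 203.0.113.9:44212 -> 192.0.2.10:22
this line is corrupt and must be counted, not lost
""".splitlines()
```

Running `reduce_log(SAMPLE)` on the constructed sample suppresses three lines under the two rules, counts the corrupt line rather than dropping it, and leaves the two SSH denies as the next candidate pattern to review.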