Firewall Wizards mailing list archives

Re: Pix 535 Logging


From: "Paul Melson" <pmelson () gmail com>
Date: Wed, 8 Nov 2006 14:04:58 -0500

-----Original Message-----
Subject: [fw-wiz] Pix 535 Logging

We're currently getting a lot of CERT notifications for spammers operating
within our network - mainly just students with 0wned machines, but we're
looking into ways to automate the procedure slightly.

Anyway, what I'm looking to do, and what I need help with.... I want to
know if it's possible to log all outbound port 25 connection attempts,
EXCEPT those that come from our authorised MX's and mail servers. AND I
would like to be able to do this in addition to the normal logging that
takes place.

So, is it possible?

Any thoughts and guidance you can provide are very much appreciated.

James,

It's definitely possible.  

Ideally, you would want to log all firewall traffic and then use a log
parser/analyzer to isolate and report on this traffic.  But if I had to
guess, I'd say that the daily firewall log for a residential university like
Sunderland would be in the tens of gigabytes if not the hundreds, so you're
probably not doing this on a whim.

So my recommendation would be to use access-list with log level directives.
Something like:

access-list <acl-name> permit tcp any any eq 25 log 3

These access-lists should be placed before the 'permit ip any any' rule or
any other very general permit rule that might match and *after* the rules
that allow traffic to/from your authorized mail servers.  The logging level
you set the access-list to should be the same or less than the general
logging trap level you have set in your config.

The advantage to this approach is it makes it easy to enable/disable logging
of this specific traffic but it also makes it easy to move from logging this
traffic to blocking this traffic if you decide to go that direction.

PaulM
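To show the rule ordering Paul describes, here is an added example of an inside-interface ACL in PIX 6.3-style syntax; it is not from the thread, and the ACL name, interface name, syslog host and mail-server addresses are placeholders.

```cisco
! Added example, not part of the original reply. Addresses, names and
! the trap level are assumptions; adjust them to your own environment.
!
! The ACL log level (3) must be the same or lower than the trap level,
! otherwise the hits never reach the syslog host.
logging on
logging trap 3
logging host inside 10.0.0.50

! Authorised MX / mail relays that may talk SMTP outbound without
! generating the extra log entries.
object-group network AUTH_MAIL
 network-object host 10.0.1.10
 network-object host 10.0.1.11

! 1. Permit the authorised mail servers first, so they never match rule 2.
access-list inside_out permit tcp object-group AUTH_MAIL any eq smtp
! 2. Log every other outbound SMTP attempt at syslog level 3.
!    Changing "permit" to "deny" here turns logging into blocking.
access-list inside_out permit tcp any any eq smtp log 3
! 3. The general permit rule stays last.
access-list inside_out permit ip any any

access-group inside_out in interface inside
```

Hits on rule 2 show up as %PIX-3-106100 messages, which a log parser can filter on by ACL name to build the per-host report the question asks for.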





_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
