Security Basics mailing list archives

RE: Firewall Logging question?


From: "Rivest, Philippe" <Rivestp () metro ca>
Date: Tue, 20 May 2008 13:34:24 -0400

I would find it very interesting to know when an access was allowed to a critical resource if I know that in the near
future after that authorization the resource was used and caused damage.

If I only get the deny logs, how will I answer "when was the access authorised?" I would also use the same
retention time frame as for the deny logs, as they are both as valid in the investigation of access. Also, having the accepts
logged would allow you to build up a database of accesses that you could pipe through an IDS someday, stating that it is
normal that at 14:30 user X accesses asset Y since it has been doing so (accept/permit) for over 6 months.

The thing with denies is that they are valid only if you can prove that no "accept" was done afterwards/before.

Thanks

Philippe Rivest, Certified Ethical Hacker

Information security analyst

Métro Richelieu

450-662-3300x3115

►Before printing, ask yourself if you really need to!


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of Albert R. Campa
Sent: Monday, 19 May 2008 17:27
To: security-basics
Subject: Firewall Logging question?

Hi,

I am wondering what your opinion is on Firewall logging for "Accept/Permit/Allow" rules?

Is it really necessary? Are just the "deny" logs critical?
Say disk space is not in abundance.

Should you not log "accept/permit/allow" firewall rules, or log everything and have your retention reduced?

What are advantages to logging "accept/permit/allow" rules in a firewall?

Thanks in advance.

Albert
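The baseline idea in Philippe's reply above (an access becomes "normal" once the accept logs show it repeating day after day, and the same accept logs answer who was permitted to reach a resource shortly before an incident), as an added Python example that is not part of the thread; the log format, addresses and timestamps are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the thread): a daily 14:30 accept, one deny, one odd accept.
LOGS = """\
2008-05-01T14:30:02 ACCEPT src=10.1.1.5 dst=10.2.0.9 dport=1433
2008-05-02T14:31:10 ACCEPT src=10.1.1.5 dst=10.2.0.9 dport=1433
2008-05-03T14:29:55 ACCEPT src=10.1.1.5 dst=10.2.0.9 dport=1433
2008-05-03T09:12:40 DENY src=10.9.9.9 dst=10.2.0.9 dport=1433
2008-05-04T14:30:30 ACCEPT src=10.1.1.5 dst=10.2.0.9 dport=1433
2008-05-19T03:17:08 ACCEPT src=10.1.1.77 dst=10.2.0.9 dport=1433
""".splitlines()

LINE_RE = re.compile(r"(?P<ts>\S+) (?P<action>ACCEPT|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def parse(line):
    """Parse one line into a dict with a datetime 'ts'; None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def accepts(lines):
    """Yield parsed ACCEPT records only: the baseline is built from permits, not denies."""
    for rec in filter(None, map(parse, lines)):
        if rec["action"] == "ACCEPT":
            yield rec

def build_baseline(lines, min_days=3):
    """Set of (src, dst, dport, hour) tuples accepted on at least min_days distinct days."""
    days = defaultdict(set)
    for rec in accepts(lines):
        days[(rec["src"], rec["dst"], rec["dport"], rec["ts"].hour)].add(rec["ts"].date())
    return {key for key, seen in days.items() if len(seen) >= min_days}

def unusual_accepts(lines, baseline):
    """ACCEPTs whose (src, dst, dport, hour) never became 'normal' in the baseline."""
    return [rec for rec in accepts(lines)
            if (rec["src"], rec["dst"], rec["dport"], rec["ts"].hour) not in baseline]

def accepts_before(lines, dst, incident_iso, window_hours=2):
    """Who was permitted to reach dst in the hours before an incident, as (timestamp, src) pairs."""
    incident = datetime.fromisoformat(incident_iso)
    start = incident - timedelta(hours=window_hours)
    return sorted((rec["ts"].isoformat(), rec["src"]) for rec in accepts(lines)
                  if rec["dst"] == dst and start <= rec["ts"] <= incident)
```

With only deny logs kept, neither the baseline nor the pre-incident question can be answered: the 03:17 access to the database server would be invisible.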
