Firewall Wizards mailing list archives

Re: tcpdump on my firewall


From: Frederick M Avolio <fred () avolio com>
Date: Fri, 26 Oct 2001 12:57:50 -0400

At 02:51 PM 10/25/01 -0400, hesselsp () ashaman dhs org wrote:
Anyone want to help me out here?

I have had a request to put tcpdump on our firewall by one of our tech
guys.

I have told him that I will not do so, and he wants a good reason why.

HE wants a good reason why? HE?

Your security policy should cover this (and probably doesn't). Everything you add on a firewall makes it more complex. Complexity and security are inversely proportional. But wait! He doesn't have a user account on the firewall does he? No one should except the firewall admin, and that should be tightly controlled. The good reason is you don't add things on the firewall unless there is no other way to do what needs to be done, and then only if it is a business requirement (not a desire).

Push right back and ask him for a requirement not a solution. What does he want to do? He probably wants to monitor packets on the outside network (or maybe on both). I can think of more than one way to accomplish this that doesn't require putting anything new on the firewall.


Fred
Avolio Consulting, Inc.
16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
+1 410-309-6910 (voice) +1 410-309-6911 (fax)
http://www.avolio.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
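The two checks Fred's reply implies (only the firewall admin holds a login account, and no extra tooling such as tcpdump sits on the box) can be turned into a small audit script. This is an added example, not part of the list post or anyone's tooling; the account name `fwadmin`, the passwd file and the binary directory it scans are constructed here so it runs offline, and on a real host you would point it at `/etc/passwd` and the system binary directories instead.

```shell
#!/bin/sh
# Added example: audit a firewall host for the two conditions raised in the
# thread. Paths are passed as arguments so the same functions run against
# constructed sample data here and against real files on a host.

# Print login-capable accounts other than root and the permitted admin.
# $1 = passwd file, $2 = permitted admin account name
# Accounts whose shell ends in nologin or false are treated as non-interactive.
extra_login_accounts() {
    awk -F: -v admin="$2" '
        $7 !~ /(nologin|false)$/ && $1 != "root" && $1 != admin { print $1 }
    ' "$1"
}

# List packet-capture tools found as executables in the given directory.
# $1 = directory to scan (e.g. /usr/sbin on a real host)
capture_tools_present() {
    for t in tcpdump tshark snoop; do
        [ -x "$1/$t" ] && echo "$t"
    done
    return 0
}

# Constructed sample host: a passwd file with one extra interactive account
# and a binary directory containing an executable named tcpdump.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fwadmin:x:1000:1000:Firewall admin (assumed name):/home/fwadmin:/bin/sh
jdoe:x:1001:1001:Tech staff:/home/jdoe:/bin/bash
EOF
mkdir -p "$demo_dir/sbin"
: > "$demo_dir/sbin/tcpdump"
chmod +x "$demo_dir/sbin/tcpdump"

echo "Login accounts beyond root and fwadmin:"
extra_login_accounts "$demo_dir/passwd" fwadmin
echo "Capture tools present in $demo_dir/sbin:"
capture_tools_present "$demo_dir/sbin"
```

Both functions print one finding per line, so an empty result is a clean host; anything printed is either an account to remove or a binary whose business requirement should be written down in the policy Fred mentions.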
