Firewall Wizards mailing list archives
Re: screen and choke network config
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Sat, 1 Jun 2002 15:17:40 -0400 (EDT)
On Thu, 30 May 2002, Dave Piscitello wrote:
Thanks for the many responses, but I think I didn't make myself clear to several folks. The point of the "exercise" was not to reinvent all the inbound blocking policies at each of the 4-6 firewalls behind this access router. I'm comfortable that the DENY ALL at all but one of these firewalls is thorough (and I've tested them repeatedly). I simply didn't want 6 log entries indicating that some ankle biting lamer had scanned my public IPs probing for port 111, 137, etc. where I could live with one log message from my packet filtering access router.
I think this might require a filter on the syslogging stream, to reduce duplicates. Though, it might be nice to have separated syslog streams from all the FW devices, to determine how well they pick up and the differences in how they log the same 'attacks'. Otherwise the blocks would be placed in the choke router so that they are not really seen by the FW's in question, yes? Thus eliminating dupes...

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
testing, only testing, and damn good at it too!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
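One way to build the syslog-stream duplicate filter Ron suggests, as an added example that is not part of the thread: DENY records for the same source address and destination port seen by any of the firewalls within a short window are collapsed into a single summary that still lists which firewalls saw the probe. The log line format, hostnames and addresses below are constructed for the example.

```python
import re

# Constructed sample syslog lines (assumed format): one probe for port 111 seen by
# three firewalls behind the access router, a port 137 probe seen by one of them,
# and a repeat of the port 111 probe more than a minute later.
SAMPLE_LOGS = """\
Jun  1 15:10:01 fw1 kernel: DENY in=eth0 src=198.51.100.7 dst=203.0.113.10 proto=TCP dport=111
Jun  1 15:10:01 fw2 kernel: DENY in=eth0 src=198.51.100.7 dst=203.0.113.20 proto=TCP dport=111
Jun  1 15:10:02 fw3 kernel: DENY in=eth0 src=198.51.100.7 dst=203.0.113.30 proto=TCP dport=111
Jun  1 15:10:02 fw1 kernel: DENY in=eth0 src=198.51.100.7 dst=203.0.113.10 proto=TCP dport=137
Jun  1 15:12:30 fw2 kernel: DENY in=eth0 src=198.51.100.7 dst=203.0.113.20 proto=TCP dport=111
"""

LINE_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d+)\s+(?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d)\s+"
    r"(?P<host>\S+)\s+.*?DENY.*?src=(?P<src>\S+).*?dport=(?P<dport>\d+)"
)

def parse(line):
    """Extract time-of-day (seconds), reporting firewall, source and dport from one DENY line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    secs = int(m["hh"]) * 3600 + int(m["mm"]) * 60 + int(m["ss"])
    return {"t": secs, "host": m["host"], "src": m["src"], "dport": int(m["dport"])}

def dedupe(lines, window=60):
    """Collapse DENY entries for the same (src, dport), from any firewall, that fall
    within `window` seconds of the first sighting into one summary record."""
    open_events = {}   # (src, dport) -> summary currently inside its window
    summaries = []
    for line in lines.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["src"], ev["dport"])
        cur = open_events.get(key)
        if cur is not None and ev["t"] - cur["first"] <= window:
            cur["count"] += 1
            cur["hosts"].add(ev["host"])
            cur["last"] = ev["t"]
        else:  # first sighting, or the old window expired: start a new summary
            cur = {"src": ev["src"], "dport": ev["dport"], "first": ev["t"],
                   "last": ev["t"], "count": 1, "hosts": {ev["host"]}}
            open_events[key] = cur
            summaries.append(cur)
    return summaries

def render(s):
    return (f"DENY src={s['src']} dport={s['dport']} hits={s['count']} "
            f"firewalls={','.join(sorted(s['hosts']))}")

if __name__ == "__main__":
    for s in dedupe(SAMPLE_LOGS):
        print(render(s))
```

Keeping the firewall names in the summary preserves the comparison Ron wants (which devices saw the same probe) while still emitting one line per probe instead of one per firewall.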