Firewall Wizards mailing list archives

Re: screen and choke network config


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Sat, 1 Jun 2002 15:17:40 -0400 (EDT)

On Thu, 30 May 2002, Dave Piscitello wrote:

Thanks for the many responses, but I think I didn't make myself
clear to several folks.

The point of the "exercise" was not to reinvent all the inbound
blocking policies at each of the 4-6 firewalls behind this access
router. I'm comfortable that the DENY ALL at all but one of
these firewalls is thorough (and I've tested them repeatedly).

I simply didn't want 6 log entries indicating that some ankle biting
lamer had scanned my public IPs probing for port 111, 137, etc.
where I could live with one log message from my packet filtering
access router.

I think this might require a filter on the syslogging stream, to reduce
duplicates.  Though, it might be nice to have separated syslog streams
from all the FW devices, to determine how well they pick up and the
differences in how they log the same 'attacks'.  Otherwise the blocks
would be placed in the choke router so that they are not really seen by
the FWs in question, yes?  Thus eliminating dupes...


Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
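Added example, not part of the thread: the kind of duplicate-collapsing filter Ron describes, run over a constructed syslog stream. The device names (choke-rtr, fw1..fw3), the addresses and the log format are all invented for the example; every real router and firewall logs a dropped packet in its own format, so the regex would need adapting. It collapses lines from different devices that describe the same probe (same source, destination, protocol and port, within a short window) into one event that records which devices saw it, and then reports which of the expected devices did not log it, which is the "how well they pick up" comparison from the reply.

```python
import re
from datetime import datetime

# Constructed sample log: two probes (ports 111 and 137) seen by the choke
# router and by the firewalls behind it, plus one packet only fw2 logged.
# The format is invented for this example; real devices each differ.
SAMPLE_LOGS = """\
Jun  1 15:10:01 choke-rtr acl: deny tcp 203.0.113.7:51234 -> 198.51.100.10:111
Jun  1 15:10:01 fw1 filter: block tcp 203.0.113.7:51234 -> 198.51.100.10:111
Jun  1 15:10:02 fw2 filter: block tcp 203.0.113.7:51234 -> 198.51.100.10:111
Jun  1 15:10:02 fw3 filter: block tcp 203.0.113.7:51234 -> 198.51.100.10:111
Jun  1 15:10:05 choke-rtr acl: deny udp 203.0.113.7:51235 -> 198.51.100.10:137
Jun  1 15:10:05 fw1 filter: block udp 203.0.113.7:51235 -> 198.51.100.10:137
Jun  1 15:10:06 fw3 filter: block udp 203.0.113.7:51235 -> 198.51.100.10:137
Jun  1 15:12:40 fw2 filter: block tcp 192.0.2.99:40000 -> 198.51.100.20:22
"""

# Hypothetical list of devices whose syslog streams are being compared.
DEVICES = ["choke-rtr", "fw1", "fw2", "fw3"]

# Matches the constructed format above: syslog timestamp, reporting host,
# then "<proto> SRC:SPORT -> DST:DPORT" somewhere later in the line.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) .*?"
    r"(?P<proto>tcp|udp) (?P<src>\d+(?:\.\d+){3}):\d+ -> "
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)$"
)


def dedupe(lines, window_seconds=10):
    """Collapse lines from different devices that describe the same probe.

    Two lines are the same probe when source IP, destination IP, protocol and
    destination port match and they arrive within window_seconds of the first
    sighting. Returns one event per probe, in order of first sighting, each
    recording every device that logged it.
    """
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a deny/block line in the format handled here
        # Syslog timestamps carry no year; strptime defaults it, which is fine
        # for comparing lines within one stream. Squeeze the padding space.
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        key = (m["src"], m["dst"], m["proto"], int(m["dport"]))
        for ev in events:
            if ev["key"] == key and (ts - ev["first"]).total_seconds() <= window_seconds:
                ev["seen_by"].append(m["host"])
                ev["count"] += 1
                break
        else:
            events.append({"key": key, "first": ts, "seen_by": [m["host"]], "count": 1})
    return events


def coverage_report(events, devices):
    """For each collapsed event, list the expected devices that did not log it."""
    return [(ev["key"], sorted(set(devices) - set(ev["seen_by"]))) for ev in events]


def format_event(ev):
    """One consolidated log line in place of the N duplicates."""
    src, dst, proto, dport = ev["key"]
    return (f"{ev['first']:%b %d %H:%M:%S} {proto} {src} -> {dst}:{dport} "
            f"blocked, seen by {ev['count']} device(s): {', '.join(ev['seen_by'])}")


if __name__ == "__main__":
    evs = dedupe(SAMPLE_LOGS.splitlines())
    for ev in evs:
        print(format_event(ev))
    for key, missing in coverage_report(evs, DEVICES):
        if missing:
            print(f"  not logged by: {', '.join(missing)}  ({key})")
```

The window is deliberately short: it is meant to fold together the same packet as it passes the choke router and is then dropped again by each firewall, not to aggregate a whole scan. A real deployment would key on the fields its own devices log (interface, rule number, and so on) and would run this on the syslog collector rather than on the devices themselves.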