Firewall Wizards mailing list archives

Re: Log checking?


From: Kevin <KKadow () gmail com>
Date: Thu, 30 Sep 2004 22:27:42 -0500

On Thu, 30 Sep 2004 20:35:14 -0500, FW Wizards Mailing List
<fw-wizards () danschmitz com> wrote:
> While I've really enjoyed reading this communication regarding logging,
> I'm a little concerned.  I think that all incoming traffic that is
> dropped should be logged.  An accept for an incoming ftp request would
> look legitimate, when logging drops would show that an attempt on a
> blocked port took place prior to that "legitimate" ftp traffic.
> Additionally, for legal purposes it would be important to have
> documentation of all drops that a firewall had from a specific
> destination.  I don't think there is ever too much "noise."  You need to
> filter your logs to provide you with the information you need.  I do
> agree that it is vital to monitor your employees' behavior.  The only
> traffic that I wouldn't want to log is NetBIOS traffic, etc., being
> dropped by the internal interface on the firewall.  A proper IDS
> configuration (one on the inside and one on the outside) will help you
> to audit your security policy.  Without proper logging, how can your
> security policy be as effective as it could be?  Personally, I'm all for
> logs that will provide the information desired upon need.  I'd hate not
> to get enough information when it is needed from a firewall.

This depends greatly on the scale of your infrastructure -- My
outbound firewall logs for permitted traffic exceed six gigabytes per
day.

As of last week, 75% of the lines logged by my inbound firewall events
were worm traffic on the standard Microsoft file sharing ports.

As of this week, we have added simple deny ACLs on the inbound edge
routers to silently drop traffic towards these ports, so I can once
again run a full day's worth of logs through my Perl analysis scripts
without thrashing swap due to running out of RAM.


KevinK
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
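Both points in this exchange come down to the same log pass: the quoted poster wants a dropped probe on a blocked port to be visible next to the later accepted FTP connection from the same source, and Kevin wants the file-sharing-port worm noise measured and set aside so the rest of the day's drops fit in memory. The script below is an added example for this thread, not code from either poster or from the list, and it is in Python rather than Kevin's Perl. The iptables-like log format, the addresses, the 600-second correlation window and the set of "file sharing" ports are all constructed assumptions.

```python
"""Firewall log pass: correlate prior drops with later accepts, and
measure how much of the drop volume is file-sharing-port noise.

Added example for the firewall-wizards logging thread; the log format
and all addresses below are constructed, not taken from any real device."""
import re
from collections import defaultdict
from datetime import datetime

# Ports used by Windows file sharing / NetBIOS: the worm noise Kevin
# describes.  Assumed set; adjust to what your own edge actually sees.
FILE_SHARING_PORTS = {135, 137, 138, 139, 445}

# Constructed line format: "<ISO ts> <ACTION> <PROTO> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<action>ACCEPT|DROP) "
    r"(?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one host spraying SMB/NetBIOS, one host probing
# telnet and ssh before an accepted FTP connect, one clean FTP connect,
# and a corrupt line that a parser must survive.
SAMPLE_LOG = """\
2004-09-30T21:00:01 DROP TCP 203.0.113.7:3021 -> 198.51.100.10:445
2004-09-30T21:00:01 DROP TCP 203.0.113.7:3022 -> 198.51.100.11:445
2004-09-30T21:00:02 DROP TCP 203.0.113.7:3023 -> 198.51.100.12:139
2004-09-30T21:00:05 DROP TCP 203.0.113.9:44010 -> 198.51.100.20:23
2004-09-30T21:00:09 DROP TCP 203.0.113.9:44011 -> 198.51.100.20:22
2004-09-30T21:01:15 ACCEPT TCP 203.0.113.9:44012 -> 198.51.100.20:21
2004-09-30T21:02:00 ACCEPT TCP 192.0.2.44:51000 -> 198.51.100.20:21
2004-09-30T21:02:30 DROP UDP 203.0.113.7:137 -> 198.51.100.255:137
this line is garbage and should be skipped
"""


def parse_log(text):
    """Parse the constructed format into event dicts; lines that do not
    match are skipped so one corrupt line does not abort a day's run."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            "action": m["action"],
            "proto": m["proto"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return events


def file_sharing_drop_share(events):
    """Fraction of DROP events aimed at file-sharing ports (Kevin's 75%)."""
    drops = [e for e in events if e["action"] == "DROP"]
    if not drops:
        return 0.0
    noisy = sum(1 for e in drops if e["dport"] in FILE_SHARING_PORTS)
    return noisy / len(drops)


def strip_noise(events):
    """Return the events worth keeping in RAM: everything except drops on
    file-sharing ports, the equivalent of Kevin's silent edge-router ACL."""
    return [e for e in events
            if not (e["action"] == "DROP" and e["dport"] in FILE_SHARING_PORTS)]


def accepts_preceded_by_drops(events, service_port=21, window_seconds=600):
    """Flag ACCEPTs to service_port whose source was dropped on some other
    port within the preceding window: the quoted poster's FTP scenario."""
    recent_drops = defaultdict(list)   # src -> [(ts, dport), ...]
    flagged = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["action"] == "DROP":
            recent_drops[e["src"]].append((e["ts"], e["dport"]))
            continue
        if e["dport"] != service_port:
            continue
        prior = [dport for ts, dport in recent_drops[e["src"]]
                 if 0 <= (e["ts"] - ts).total_seconds() <= window_seconds]
        if prior:
            flagged.append({"src": e["src"], "accept_ts": e["ts"],
                            "prior_drop_ports": prior})
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(f"{len(evs)} events parsed, "
          f"{file_sharing_drop_share(evs):.0%} of drops on file-sharing ports, "
          f"{len(strip_noise(evs))} events left after stripping that noise")
    for hit in accepts_preceded_by_drops(evs):
        print(f"{hit['src']} accepted on FTP at {hit['accept_ts']} "
              f"after drops on ports {hit['prior_drop_ports']}")
```

The correlation is deliberately per-source and time-bounded: without the window, a busy day's drops would accumulate for every source that ever connected, which is the same memory problem Kevin hit with his Perl scripts. Note that `strip_noise` only discards the events from analysis; the quoted poster's point about retaining drop records for legal purposes is a retention decision, not an analysis one, and the raw lines can still be archived before this pass runs.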

