Firewall Wizards mailing list archives
RE: Log checking?
From: hermit921 <hermit921 () yahoo com>
Date: Fri, 01 Oct 2004 09:02:59 -0700
We have found logging netbios traffic that hits the internal interface to be an excellent indicator of a machine gone bad. Good machines don't do that. If we had an IDS on the internal side to catch netbios traffic, I would be happy to discontinue logging such traffic on the firewall.
We log everything that hits the firewall. Especially the stuff we block from the outside. We often have to prove our firewall isn't blocking traffic from a partner/customer - and it usually boils down to demonstrating the packets never got here or they are using the wrong port.
hermit921

At 06:35 PM 9/30/2004, FW Wizards Mailing List wrote:
While I've really enjoyed reading this communication regarding logging, I'm a little concerned. I think that all incoming traffic that is dropped should be logged. An accept for an incoming ftp request would look legitimate, when logging drops would show that an attempt on a blocked port took place prior to that "legitimate" ftp traffic. Additionally, for legal purposes it would be important to have documentation of all drops that a firewall had from a specific destination. I don't think there is ever too much "noise." You need to filter your logs to provide you with the information you need. I do agree that it is vital to monitor your employees' behavior. The only traffic that I wouldn't want to log is NetBIOS traffic, etc., being dropped by the internal interface on the firewall. A proper IDS configuration (one on the inside and one on the outside) will help you to audit your security policy. Without proper logging, how can your security policy be as effective as it could be? Personally, I'm all for logs that will provide the information desired upon need. I'd hate not to get enough information when it is needed from a firewall.
[deleted]
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
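The two uses of firewall logs described in the message above (spotting an internal host that starts emitting NetBIOS at the firewall's internal interface, and answering "did the partner's packets ever get here, and on which port?") can both be answered from the same drop/accept records. The following is an added example, not code from the Firewall Wizards list or any product; it assumes an iptables-style syslog line format, assumes the internal interface is named eth1, and runs over a handful of constructed log lines with hypothetical addresses.

```python
"""Two log checks from the thread, over constructed firewall log lines.

Added example (not from the mailing list). Assumptions: iptables-style
syslog fields (ACTION IN= OUT= SRC= DST= PROTO= SPT= DPT=) and an internal
interface named eth1. Real firewalls use different formats and names.
"""
import re
from collections import defaultdict

# Constructed sample log lines; all hosts and addresses are hypothetical.
SAMPLE_LOG = """\
Oct  1 08:59:01 fw kernel: DROP IN=eth1 OUT= SRC=10.1.1.25 DST=10.1.1.1 PROTO=UDP SPT=137 DPT=137
Oct  1 08:59:02 fw kernel: DROP IN=eth1 OUT= SRC=10.1.1.25 DST=10.1.1.1 PROTO=TCP SPT=1044 DPT=139
Oct  1 08:59:03 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.1.40 DST=198.51.100.7 PROTO=TCP SPT=3322 DPT=80
Oct  1 08:59:04 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22
Oct  1 08:59:05 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=21
Oct  1 08:59:06 fw kernel: DROP IN=eth1 OUT= SRC=10.1.1.25 DST=10.1.1.1 PROTO=TCP SPT=1045 DPT=445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>ACCEPT|DROP) "
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)$"
)

# NetBIOS name/datagram/session plus SMB over TCP.
NETBIOS_PORTS = {137, 138, 139, 445}
INTERNAL_IF = "eth1"  # assumed name of the firewall's internal interface


def parse(log_text):
    """Parse matching lines into dicts; lines in another format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["spt"] = int(d["spt"])
        d["dpt"] = int(d["dpt"])
        events.append(d)
    return events


def netbios_on_internal_interface(events):
    """Count, per internal source host, packets that arrived on the internal
    interface aimed at a NetBIOS/SMB port. A non-zero count for a host is the
    "machine gone bad" indicator the post describes."""
    hits = defaultdict(int)
    for e in events:
        if e["in"] == INTERNAL_IF and e["dpt"] in NETBIOS_PORTS:
            hits[e["src"]] += 1
    return dict(hits)


def partner_traffic(events, partner_ip):
    """List (action, proto, dport) for every packet from partner_ip that
    arrived on an external interface. An empty list means the packets never
    reached the firewall; DROP entries show which port they actually used."""
    return [
        (e["action"], e["proto"], e["dpt"])
        for e in events
        if e["src"] == partner_ip and e["in"] != INTERNAL_IF
    ]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("NetBIOS at internal interface:", netbios_on_internal_interface(evs))
    print("Partner 203.0.113.9:", partner_traffic(evs, "203.0.113.9"))
    print("Partner 198.51.100.99:", partner_traffic(evs, "198.51.100.99"))
```

With the constructed lines, the first check attributes three NetBIOS/SMB packets to 10.1.1.25 and nothing to 10.1.1.40, and the second shows the partner host 203.0.113.9 being dropped on port 22 before being accepted on port 21, which is exactly the "wrong port" conversation the post mentions; a partner address that appears nowhere yields an empty list.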