Firewall Wizards mailing list archives
Re: Log checking?
From: Mark Tinberg <mtinberg () securepipe com>
Date: Thu, 30 Sep 2004 19:21:33 -0500 (CDT)
On Thu, 30 Sep 2004, Paul D. Robertson wrote:

> On Thu, 30 Sep 2004, Mark Tinberg wrote:
>>> I've always felt that worrying about denied traffic was mostly for sport - if the firewall's policy blocked it, I wasn't all that worried about much more than overall trends - what got *through* the firewall seemed to be the more interesting set of things.
>> I'd agree that this is true for traffic denied incoming from the big, bad Internet but not true for traffic denied from within your organization.
> So, my direct experience leads me to conclude that the biggest problems I've seen have all been from the allowed vector - and the organizations which were hit were all looking only at the denied traffic. In every case, we checked firewall logs, and I don't recall that ever bringing any value for places that logged only blocked traffic.
I spoke badly previously and do not disagree with you. I merely wanted to point out that deny logs are not entirely valueless; I did not want to imply that they are more valuable than accept logs or that one should view them in preference to accept logs.

I do find though that accept logs are much more tricky to get valuable information out of. An individual firewall might have tens or hundreds of thousands of log lines per day, many of which are only packet filter logs. It's much easier to look at the deny logs, point and say "Look at all this bad stuff we are detecting/blocking", esp. when you can send the staff off to fix various broken machines that they otherwise wouldn't know about.
--
Mark Tinberg <MTinberg () securepipe com>
Staff Engineer, SecurePipe Inc.
Key fingerprint = FAEF 15E4 FEB3 08E8 66D5 A1A1 16EE C5E4 E523 6C67
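The two views discussed in this message, the allowed vector (what got through) and internal-origin denies (broken machines to send staff after), can be separated mechanically. The following is an added example, not code from the list or from SecurePipe; it assumes netfilter-style syslog lines, constructed here as sample input, and treats 10.0.0.0/8 as the internal network.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in a netfilter/syslog style; not from any real firewall.
SAMPLE_LOG = """\
Sep 30 19:01:02 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.10 PROTO=TCP DPT=80
Sep 30 19:01:05 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.11 PROTO=TCP DPT=443
Sep 30 19:01:09 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.2.7 DST=198.51.100.5 PROTO=TCP DPT=6667
Sep 30 19:02:11 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.1 PROTO=TCP DPT=135
Sep 30 19:02:30 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.2.9 DST=192.0.2.80 PROTO=TCP DPT=445
Sep 30 19:02:31 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.2.9 DST=192.0.2.81 PROTO=TCP DPT=445
Sep 30 19:02:32 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.2.9 DST=192.0.2.82 PROTO=TCP DPT=445
"""

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the organization's inside address space
LINE_RE = re.compile(r"(?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                     r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")

def parse(log_text):
    """Yield (action, src, dst, proto, dport) for each line that matches; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["action"], m["src"], m["dst"], m["proto"], int(m["dpt"])

def summarize(log_text):
    """Split allowed traffic from internal-origin denies; count Internet-side denies as a trend only."""
    accepted = Counter()                 # (src, proto, dport) -> number of allowed connections
    internal_denies = defaultdict(set)   # internal src -> destinations it was blocked from reaching
    external_denies = 0                  # background noise from outside; worth a trend line, not a ticket
    for action, src, dst, proto, dport in parse(log_text):
        inside = ip_address(src) in INTERNAL
        if action == "ACCEPT":
            accepted[(src, proto, dport)] += 1
        elif inside:
            internal_denies[src].add((dst, dport))
        else:
            external_denies += 1
    return accepted, dict(internal_denies), external_denies

def unusual_accepts(accepted, expected_ports=(80, 443)):
    """Allowed flows on ports outside the expected set: the allowed vector worth a closer look."""
    return sorted(k for k in accepted if k[2] not in expected_ports)

def noisy_internal_hosts(internal_denies, threshold=3):
    """Internal hosts blocked from >= threshold distinct destinations: likely broken machines."""
    return sorted(h for h, dests in internal_denies.items() if len(dests) >= threshold)
```

The accept summary stays small because it is keyed by (source, port) rather than by line, which is how the hundreds of thousands of daily lines become a reviewable list.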