Firewall Wizards mailing list archives

RE: Log checking?

From: "Luke Butcher" <Luke.Butcher () alphawest com au>
Date: Fri, 1 Oct 2004 11:01:17 +1000

From: Marcus J. Ranum [mailto:mjr () ranum com]  Friday, 1 October 2004

10:23 AM

Luke Butcher wrote:

In this scenario I'm trusting the firewall to block all known bad.

[...then...]

Saves having to troll through all the traffic that gets past the 
firewall, which is nearly all legitimate.

Which is it? Do you trust your firewall to block ALL known bad and -

the result is "nearly all" legitimate?? Are you

saying your trust in your firewall is misplaced? ;)



My apologies,

I was using the vernacular of Mr. Robertson with respect to firewalls
blocking known bad. My inclusion of the word ALL is erroneous, nothing
is absolute. Well there is this one vodka, but that's another story. I
have trust in the firewall to block things it considers bad in it's
perhaps limited view of the traffic(1).
It's the stuff it lets through that is more interesting was my point.

Take for example port 80 traffic a firewall (usually) considers this to
be 'good' traffic.
However more aware devices or people looking at this traffic may
consider otherwise. As suggested MOST is legitimate but the firewall
considers it ALL legitimate(1).

This is where logging permits is useful as per the original discussion.
My use of an IDS (in conjunction with other methods) is purely technique
for efficiency reasons. In my current role I am yet to find a single
customer with the conviction to security to commit the $$$ required to
do an exhaustive search regularly in an effort to find a needle in a
haystack. What they really want is a best effort to appease management
and shareholders, that they are committed to security however half assed
it may be.
The ones with the nouse to do it themselves don't need us so by
definition aren't customers.

(1) I am aware of firewalls capable of Layer 5,6,7 dissection and so
forth. However most Firewalls I see deployed currently are concerned
with layers 3 and 4.

Luke Butcher
www.alphawest.com.au


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: Log checking? Mark Tinberg (Sep 30)
- <Possible follow-ups>
- RE: Log checking? Marcus J. Ranum (Sep 30)
- RE: Log checking? Luke Butcher (Sep 30)
- RE: Log checking? FW Wizards Mailing List (Sep 30)
  - RE: Log checking? Paul D. Robertson (Oct 01)
    - RE: Log checking? Marcus J. Ranum (Oct 01)
    - RE: Log checking? Paul D. Robertson (Oct 01)
    - Re: Log checking? Devdas Bhagat (Oct 02)
  - Re: Log checking? Kevin (Oct 01)
  - Message not available
    - RE: Log checking? hermit921 (Oct 01)
- Re: Log checking? Stephen P. Berry (Oct 02)
- RE: Log checking? Mark Teicher (Oct 02)
- Re: Log checking? Bennett Todd (Oct 06)