Firewall Wizards mailing list archives
RE: Log checking?
From: "Luke Butcher" <Luke.Butcher () alphawest com au>
Date: Fri, 1 Oct 2004 11:01:17 +1000
From: Marcus J. Ranum [mailto:mjr () ranum com] Friday, 1 October 2004 10:23 AM
Luke Butcher wrote:
In this scenario I'm trusting the firewall to block all known bad.
[...then...]
Saves having to troll through all the traffic that gets past the firewall, which is nearly all legitimate.
Which is it? Do you trust your firewall to block ALL known bad and - the result is "nearly all" legitimate?? Are you saying your trust in your firewall is misplaced? ;)
My apologies, I was using the vernacular of Mr. Robertson with respect to firewalls blocking known bad. My inclusion of the word ALL is erroneous, nothing is absolute. Well there is this one vodka, but that's another story.

I have trust in the firewall to block things it considers bad in its perhaps limited view of the traffic(1). It's the stuff it lets through that is more interesting was my point. Take for example port 80 traffic: a firewall (usually) considers this to be 'good' traffic. However more aware devices or people looking at this traffic may consider otherwise. As suggested MOST is legitimate but the firewall considers it ALL legitimate(1). This is where logging permits is useful as per the original discussion.

My use of an IDS (in conjunction with other methods) is purely a technique for efficiency reasons. In my current role I am yet to find a single customer with the conviction to security to commit the $$$ required to do an exhaustive search regularly in an effort to find a needle in a haystack. What they really want is a best effort to appease management and shareholders, that they are committed to security however half assed it may be. The ones with the nous to do it themselves don't need us so by definition aren't customers.

(1) I am aware of firewalls capable of Layer 5,6,7 dissection and so forth. However most firewalls I see deployed currently are concerned with layers 3 and 4.

Luke Butcher
www.alphawest.com.au
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards