Firewall Wizards mailing list archives

RE: Log checking?


From: "FW Wizards Mailing List" <FW-Wizards () danschmitz com>
Date: Thu, 30 Sep 2004 20:35:14 -0500

While I've really enjoyed reading this communication regarding logging,
I'm a little concerned.  I think that all incoming traffic that is
dropped should be logged.  An accept for an incoming ftp request would
look legitimate, when logging drops would show that an attempt on a
blocked port took place prior to that "legitimate" ftp traffic.
Additionally, for legal purposes it would be important to have
documentation of all drops that a firewall had from a specific
destination.  I don't think there is ever too much "noise."  You need to
filter your logs to provide you with the information you need.  I do
agree that it is vital to monitor your employees' behavior.  The only
traffic that I wouldn't want to log is NetBIOS traffic, etc., being
dropped by the internal interface on the firewall.  A proper IDS
configuration (one on the inside and one on the outside) will help you
to audit your security policy.  Without proper logging, how can your
security policy be as effective as it could be?  Personally, I'm all for
logs that will provide the information desired upon need.  I'd hate not
to get enough information when it is needed from a firewall.
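The correlation this message argues for, as an added example that is not part of the original post: it parses constructed drop/accept lines in a simplified format (not any particular firewall's syntax), discards only internal-interface NetBIOS drops, and reports accepted connections whose source had recent drops on blocked ports. The interface names, ports, time window and log format are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed line format for this example (not a real firewall's syntax):
#   2004-09-30T20:30:01 DROP   eth0 203.0.113.7:41021 -> 192.0.2.10:23/tcp
LINE_RE = re.compile(
    r"(?P<ts>\S+)\s+(?P<action>DROP|ACCEPT)\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)/(?P<proto>\w+)"
)
INTERNAL_IFACES = {"eth1"}        # assumption: eth1 is the inside interface
NETBIOS_PORTS = {137, 138, 139}   # the NetBIOS chatter the post would not log

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev

def is_noise(ev):
    """Only internal-interface NetBIOS drops are discarded; every other drop is kept."""
    return ev["action"] == "DROP" and ev["iface"] in INTERNAL_IFACES and ev["dport"] in NETBIOS_PORTS

def accepts_with_prior_drops(lines, window=timedelta(minutes=10)):
    """Return (accept, [earlier drops from the same source within window]) pairs."""
    events = [ev for ev in map(parse_line, lines) if ev and not is_noise(ev)]
    events.sort(key=lambda e: e["ts"])
    drops_by_src = {}
    findings = []
    for ev in events:
        if ev["action"] == "DROP":
            drops_by_src.setdefault(ev["src"], []).append(ev)
            continue
        recent = [d for d in drops_by_src.get(ev["src"], []) if ev["ts"] - d["ts"] <= window]
        if recent:
            findings.append((ev, recent))
    return findings

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2004-09-30T20:30:01 DROP   eth0 203.0.113.7:41021 -> 192.0.2.10:23/tcp",
    "2004-09-30T20:30:02 DROP   eth0 203.0.113.7:41022 -> 192.0.2.10:139/tcp",
    "2004-09-30T20:30:40 ACCEPT eth0 203.0.113.7:41023 -> 192.0.2.10:21/tcp",
    "2004-09-30T20:31:00 DROP   eth1 10.0.0.5:137 -> 10.0.0.255:137/udp",
    "2004-09-30T20:32:15 ACCEPT eth0 198.51.100.9:50000 -> 192.0.2.10:21/tcp",
]

if __name__ == "__main__":
    for acc, drops in accepts_with_prior_drops(SAMPLE_LOG):
        ports = sorted({d["dport"] for d in drops})
        print(f"{acc['src']} accepted on port {acc['dport']} after {len(drops)} drops on ports {ports}")
```

The external-interface drop on port 139 is kept on purpose: the post's exception covers only NetBIOS dropped on the inside interface.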

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Luke
Butcher
Sent: Tuesday, September 28, 2004 9:10 PM
To: Paul D. Robertson
Cc: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Log checking?

In this scenario I'm trusting the firewall to block all known bad.
The IDS is just a mechanism to sift the more 'interesting' stuff that
gets THROUGH the firewall (from the outside).

Saves having to troll through all the traffic that gets past the
firewall, which is nearly all legitimate. Alerts in this case would be
preferable to blocking because the ratio of false negatives would be
high, although most of the better IDS these days can be configured to
generate tcp resets, or pass rules to a firewall to block that traffic
for a defined period of time, if you really want to generate a block at
this stage.


Luke Butcher
Alphawest Services Pty Ltd
www.alphawest.com.au

When everything's coming your way, you're in the wrong lane.


-----Original Message-----
From: Paul D. Robertson [mailto:paul () compuwar net] Wednesday, 29
September 2004 11:12 AM

That's still pretty much logging "known bad" though, isn't it?  Heck, if
it's known bad, I want to stop it, not alert on it.  Blocked getting
ignored was pretty much my default too, since we had enough attacks a
day that following up would have taken at least one person, maybe more.



On Wed, 29 Sep 2004, Luke Butcher wrote:

It's for this reason I always set up IDS(ii?) inside the firewall. I'm
only worried about what gets through, what's blocked is history.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards