Firewall Wizards mailing list archives
Re: Log checking?
From: Adam Shostack <adam () homeport org>
Date: Tue, 28 Sep 2004 18:54:05 -0400
Hey, I was never an intern! But I sure did ssh tunnel out. :)

Adam

On Tue, Sep 28, 2004 at 06:27:24PM -0400, Desai, Ashish wrote:
| I would recommend you also look at your web proxy logs.
| Especially for 'CONNECT' method (which is an SSL connection).
| There are too many people who have figured out how to
| ab(use) it. We are now also starting to see VPN software
| that is going to start using that method and at that point
| it's pretty much game over.
|
| We have found very interesting things when CS interns start
| working at our company and they start using this channel to
| get to the outside. Besides it's a lot of fun looking at
| what people are querying at google ;-)
|
| Ashish
|
| > -----Original Message-----
| > From: Paul D. Robertson [mailto:paul () compuwar net]
| > Sent: Tuesday, September 28, 2004 4:05 PM
| > To: firewall-wizards () honor icsalabs com
| > Subject: [fw-wiz] Log checking?
| >
| > Back when I had real production firewalls, I'd log all the permitted
| > traffic for a while, then do some analysis of the data to get a
| > feel for things like tunnels, misbehaving users, etc.
| >
| > I've always felt that worrying about denied traffic was mostly for sport-
| > if the firewall's policy blocked it, I wasn't all that worried about much
| > more than overall trends- what got *through* the firewall seemed to be the
| > more interesting set of things.
| >
| > I'm just wondering if the subset of folks who actually look at their
| > firewalls mostly looks at denied traffic only, or if it's a common
| > practice to look at the permitted stuff too? If so, what sorts of things
| > are you using, and are you finding anything interesting?
| >
| > Paul
| > -----------------------------------------------------------------------------
| > Paul D. Robertson "My statements in this message are personal opinions
| > paul () compuwar net which may have no basis whatsoever in fact."
| > probertson () trusecure com Director of Risk Assessment
| > TruSecure Corporation
| > _______________________________________________
| > firewall-wizards mailing list
| > firewall-wizards () honor icsalabs com
| > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
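The review of permitted CONNECT requests recommended in the message above, sketched as an added example (not part of the original thread). It assumes Squid's native access.log layout; the sample lines, the allowed-port set and the duration and volume thresholds are all constructed for illustration.

```python
# Constructed sample lines in Squid's native access.log layout:
# time elapsed_ms client action/status bytes method target ident peer type
SAMPLE_LOG = """\
1096400000.101    412 10.1.4.20 TCP_MISS/200 5321 CONNECT www.example.com:443 - DIRECT/192.0.2.10 -
1096400050.550 7265000 10.1.7.33 TCP_MISS/200 48211034 CONNECT host.example.net:443 - DIRECT/192.0.2.77 -
1096400090.009   1530 10.1.7.33 TCP_MISS/200 9120 CONNECT host.example.net:22 - DIRECT/192.0.2.77 -
1096400120.300    250 10.1.4.20 TCP_MISS/200 18233 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1096400130.300     12 10.1.9.2 TCP_DENIED/403 1400 CONNECT 192.0.2.200:8080 - NONE/- text/html
"""

# Assumed local policy values; tune them against your own baseline.
ALLOWED_PORTS = {443}            # ports CONNECT is expected to reach
MAX_ELAPSED_MS = 30 * 60 * 1000  # tunnels held open longer than 30 minutes
MAX_BYTES = 20 * 1024 * 1024     # more than 20 MiB delivered to the client


def review_connects(log_text):
    """Return (client, target, reasons) for permitted CONNECTs worth a look."""
    findings = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "CONNECT":
            continue
        # Only permitted traffic is of interest here: skip denied or failed requests.
        if not f[3].rpartition("/")[2].startswith("2"):
            continue
        try:
            elapsed_ms, size = int(f[1]), int(f[4])
        except ValueError:
            continue  # malformed line
        client, target = f[2], f[6]
        port = target.rpartition(":")[2]
        reasons = []
        if not port.isdigit() or int(port) not in ALLOWED_PORTS:
            reasons.append("port " + port)
        if elapsed_ms > MAX_ELAPSED_MS:
            reasons.append("long-lived")
        if size > MAX_BYTES:
            reasons.append("high-volume")
        if reasons:
            findings.append((client, target, reasons))
    return findings


if __name__ == "__main__":
    for client, target, reasons in review_connects(SAMPLE_LOG):
        print(client, target, ", ".join(reasons))
```

Squid writes a CONNECT entry when the tunnel closes, so the elapsed and byte fields describe the whole session rather than a single request.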