Firewall Wizards mailing list archives

Re: Log checking?


From: Adam Shostack <adam () homeport org>
Date: Tue, 28 Sep 2004 18:54:05 -0400

Hey, I was never an intern!  But I sure did ssh tunnel out. :)

Adam

On Tue, Sep 28, 2004 at 06:27:24PM -0400, Desai, Ashish wrote:
| I would recommend you also look at your web proxy logs.
| Especially for 'CONNECT' method (which is an SSL connection).
| There are too many people who have figured out how to 
| ab(use) it. We are now also starting to see VPN software
| that is going to start using that method and at that point
| it's pretty much game over.
| 
| We have found very interesting things when CS interns start
| working at our company and they start using this channel to
| get to the outside. Besides, it's a lot of fun looking at
| what people are querying at Google ;-)
| 
| Ashish
| 
| > -----Original Message-----
| > From: Paul D. Robertson [mailto:paul () compuwar net] 
| > Sent: Tuesday, September 28, 2004 4:05 PM
| > To: firewall-wizards () honor icsalabs com
| > Subject: [fw-wiz] Log checking?
| > 
| > Back when I had real production firewalls, I'd log all the permitted
| > traffic for a while, then do some analysis of the data to get a
| > feel for things like tunnels, misbehaving users, etc.
| > 
| > I've always felt that worrying about denied traffic was mostly for sport-
| > if the firewall's policy blocked it, I wasn't all that worried about much
| > more than overall trends- what got *through* the firewall seemed to be the
| > more interesting set of things.
| > 
| > I'm just wondering if the subset of folks who actually look at their
| > firewalls mostly looks at denied traffic only, or if it's a common
| > practice to look at the permitted stuff too?  If so, what sorts of things
| > are you using, and are you finding anything interesting?
| > 
| > Paul
| > -----------------------------------------------------------------------------
| > Paul D. Robertson      "My statements in this message are personal opinions
| > paul () compuwar net       which may have no basis whatsoever in fact."
| > probertson () trusecure com Director of Risk Assessment TruSecure Corporation
| > _______________________________________________
| > firewall-wizards mailing list
| > firewall-wizards () honor icsalabs com
| > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
| > 
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
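
Added example, not part of the original thread: a Python pass over web proxy logs that reviews permitted CONNECT tunnels, the check suggested in the quoted message above. It assumes Squid's native access.log layout; the log lines are constructed, and the port allow-list and the duration and size thresholds are illustrative assumptions.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "client target reasons")

ALLOWED_PORTS = {443}            # assumption: only HTTPS is expected via CONNECT
MAX_ELAPSED_MS = 30 * 60 * 1000  # assumption: tunnels open > 30 min deserve a look
MAX_BYTES = 50 * 1024 * 1024     # assumption: > 50 MiB in one tunnel deserves a look

# Constructed sample lines in Squid's native access.log layout:
# time elapsed_ms client action/status bytes method url ident hierarchy/peer type
SAMPLE_LOG = """\
1096412045.123    842 10.1.4.22 TCP_MISS/200 5310 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1096412050.500   1930 10.1.4.22 TCP_MISS/200 18211 CONNECT shop.example.com:443 - DIRECT/192.0.2.20 -
1096412099.001 7264511 10.1.7.5 TCP_MISS/200 91422 CONNECT host.example.net:22 - DIRECT/198.51.100.7 -
1096412120.750 3600120 10.1.7.9 TCP_MISS/200 73400320 CONNECT gw.example.org:443 - DIRECT/203.0.113.9 -
1096412130.000     12 10.1.7.5 TCP_DENIED/403 1400 CONNECT host.example.net:25 - NONE/- text/html
"""

def review_connect(lines):
    """Return a Finding for every permitted CONNECT tunnel that looks unusual."""
    findings = []
    for line in lines:
        f = line.split()
        if len(f) < 7 or f[5] != "CONNECT":
            continue
        elapsed_ms, client, status, size, target = int(f[1]), f[2], f[3], int(f[4]), f[6]
        if not status.endswith("/200"):
            continue  # denied or failed: the proxy policy already handled it
        host, _, port = target.rpartition(":")
        reasons = []
        if not port.isdigit() or int(port) not in ALLOWED_PORTS:
            reasons.append("port " + port)
        if elapsed_ms > MAX_ELAPSED_MS:
            reasons.append("open %d min" % (elapsed_ms // 60000))
        if size > MAX_BYTES:
            reasons.append("%d MiB" % (size // (1024 * 1024)))
        if reasons:
            findings.append(Finding(client, target, reasons))
    return findings

if __name__ == "__main__":
    for finding in review_connect(SAMPLE_LOG.splitlines()):
        print(finding.client, finding.target, ", ".join(finding.reasons))
```

A tunnel to port 443 that stays open for an hour or moves tens of megabytes is reported as well, since an allowed port alone says nothing about what is carried inside the tunnel.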

