Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Log checking?

From: ArkanoiD <ark () eltex net>
Date: Wed, 29 Sep 2004 18:47:43 +0400
nuqneH,

Sure we do. If ssh and ssl are permitted, it is mandatory to look for
statistics and destinations, otherwise users will use it to tunnel.
Actually, this applies to all protocols.

On Tue, Sep 28, 2004 at 04:05:24PM -0400, Paul D. Robertson wrote:

Back when I had real production firewalls, I'd log all the permitted
traffic for a while, then do some analysis of the data to get a
feel for things like tunnels, misbehaving users, etc.

I've always felt that worrying about denied traffic was mostly for sport-
if the firewall's policy blocked it, I wasn't all that worried about much
more than overall trends- what got *through* the firewall seemed to be the
more interesting set of things.

I'm just wondering if the subset of folks who actually look at their
firewalls mostly looks at denied traffic only, or if it's a common
practice to look at the permitted stuff too?  If so, what sorts of things
are you using, and are you finding anything interesting?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


email protected and scanned by AdvascanTM - keeping email useful - www.advascan.com 

== scanned by TEST ==


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: