Firewall Wizards mailing list archives
Re: Log checking?
From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 30 Sep 2004 11:36:27 -0400 (EDT)
On Tue, 28 Sep 2004, Paul D. Robertson wrote:

[Summarizing off-list replies]

Mainly, people feel that summarizing denied traffic shows the firewall has value. They also thought it was a useful measure of probe activity.

We had one respondent who was reviewing rulesets to nuke old rules that weren't being hit anymore- a bright spot in my day, since I don't think most places review rules often enough.

Someone had a firewall that didn't log allowed traffic normally, and they had to jump through hoops to get that data- to me that's a firewall buying point that'd kill a product for me.

Everyone who had outbound rules mentioned tracking down worms and poorly configured machines. I tended to screen my firewalls from the inside too- probably because I was too grumpy about what sort of things were allowed in e-mail to want to spend time fixing the downstream effects ;)

One respondent had a tool to run logs through and match with proposed rule changes- that sounds like a singular lifesaver to me- I want one- that works for several firewall types!

Another person was worried that most admins don't have the skills to analyze the data- probably a way too valid point.

Mostly it seems like folks roll their own perl code to analyze logs- but the self-selected sample is looking at the logs- another bright spot!

After yesterday's CSI/FBI survey presentation, I needed something good- there are enough holes to drive a truck through, and I'm pretty convinced that it's a good counter-example for "anything is better than nothing."

*sigh*

Paul
-----------------------------------------------------------------------------
Paul D. Robertson          "My statements in this message are personal opinions
paul () compuwar net        which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
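The three review tasks the respondents describe (summarizing denied traffic, finding rules that are no longer hit, and spotting outbound denies from a wormy or misconfigured internal host) as one small home-rolled analyzer, written here in Python rather than perl; this is an added example, not code from the list or any respondent, and the log format, rule IDs and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample log in a generic "ACTION rule=N src= dst= proto= dport=" form;
# not the output of any real firewall.
SAMPLE_LOG = """\
DENY rule=10 src=203.0.113.5 dst=198.51.100.2 proto=tcp dport=22
DENY rule=10 src=203.0.113.5 dst=198.51.100.2 proto=tcp dport=23
DENY rule=10 src=203.0.113.9 dst=198.51.100.2 proto=tcp dport=445
ALLOW rule=20 src=192.168.1.10 dst=198.51.100.7 proto=tcp dport=80
DENY rule=30 src=192.168.1.22 dst=203.0.113.77 proto=tcp dport=135
DENY rule=30 src=192.168.1.22 dst=203.0.113.78 proto=tcp dport=135
DENY rule=30 src=192.168.1.22 dst=203.0.113.79 proto=tcp dport=135
ALLOW rule=40 src=192.168.1.10 dst=203.0.113.50 proto=udp dport=53
"""
RULESET = {10, 20, 30, 40, 50, 60}   # constructed: rule IDs the firewall is configured with
INTERNAL = "192.168."                # constructed: prefix of the inside network

LINE_RE = re.compile(r"(?P<action>\w+) rule=(?P<rule>\d+) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)")

def parse(log):
    """Parse each log line into a dict; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def denied_by_source(events):
    """Denied traffic per source: the 'firewall has value' / probe-activity summary."""
    return Counter(e["src"] for e in events if e["action"] == "DENY")

def unused_rules(events, ruleset):
    """Rules never hit in the log window: candidates to review and retire."""
    return sorted(ruleset - {int(e["rule"]) for e in events})

def outbound_denies(events, internal_prefix, min_targets=3):
    """Internal hosts denied to >= min_targets distinct destinations on one port:
    the worm / misconfigured-machine pattern that outbound rules expose."""
    targets = {}
    for e in events:
        if e["action"] == "DENY" and e["src"].startswith(internal_prefix):
            targets.setdefault((e["src"], e["dport"]), set()).add(e["dst"])
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("denied by source:", denied_by_source(ev).most_common())
    print("rules never hit:", unused_rules(ev, RULESET))
    print("internal hosts fanning out on a blocked port:", outbound_denies(ev, INTERNAL))
```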
Current thread:
- Log checking? Paul D. Robertson (Sep 28)
- Re: Log checking? Adrian Grigorof (Sep 30)
- Re: Log checking? ArkanoiD (Sep 30)
- Re: Log checking? Paul D. Robertson (Sep 30)
- Re: Log checking? Devdas Bhagat (Sep 30)
- Re: Log checking? Mark Tinberg (Sep 30)
- Re: Log checking? Paul D. Robertson (Sep 30)
- <Possible follow-ups>
- RE: Log checking? Desai, Ashish (Sep 28)
- Re: Log checking? Adam Shostack (Sep 28)
- RE: Log checking? Luke Butcher (Sep 28)
- RE: Log checking? Paul D. Robertson (Sep 28)
- RE: Log checking? Ben Nagy (Sep 30)
- RE: Log checking? Marcus J. Ranum (Sep 30)
- RE: Log checking? Paul D. Robertson (Sep 28)
- RE: Log checking? Rodel Collado Urani (Sep 30)