Firewall Wizards mailing list archives

Re: Log checking?


From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Thu, 30 Sep 2004 23:23:10 +0530

On 28/09/04 16:05 -0400, Paul D. Robertson wrote:
> Back when I had real production firewalls, I'd log all the permitted
> traffic for a while, then do some analysis of the data to get a
> feel for things like tunnels, misbehaving users, etc.
>
> I've always felt that worrying about denied traffic was mostly for sport-
> if the firewall's policy blocked it, I wasn't all that worried about much
> more than overall trends- what got *through* the firewall seemed to be the
> more interesting set of things.
>
> I'm just wondering if the subset of folks who actually look at their
> firewalls mostly looks at denied traffic only, or if it's a common
> practice to look at the permitted stuff too?  If so, what sorts of things
> are you using, and are you finding anything interesting?

Back when I was actually permitted to look at outbound traffic for
non-diagnostic purposes, I found it useful to look more at the non-denied
traffic than at that which was denied. I wasn't really bothered with
outbound traffic at that time (given that I could see all the desktops
directly), but I was logging some inbound traffic.

For HTTP and FTP, I was analysing squid logs with custom Perl scripts.
For SMTP, the mail gateway logs. Lots of deny rules were generated from
this analysis (port 25 blocks on the edge routers allowing only the
official MTAs to go through generated quite a bit of logging too).

At that time, tunneling was not as popular and/or easy for the general
user population, so that was not a big worry.

Overall traffic analysis was via ntop. Since I was not logging NetBIOS
traffic (it just filled up the logs), ntop was useful in logging that
information as well. A spike in netbios traffic indicated interesting
events, for Chinese values of interesting.

A bit of SNMP helped as well in judging overall traffic volumes by
looking at the relevant switch ports (MRTG graphs).

At that point of time, I voiced the view that denied traffic was mostly
uninteresting and was roundly lambasted for it.

If I had to do it today, I would be worrying more about tunneling as
well, but proxies with connect support compiled out are quite useful in
stopping *that*.

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
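As an added example (not part of Devdas' post, nor any of the Perl scripts he mentions), this is the kind of permitted-traffic triage the thread describes, applied to Squid native access.log lines: baseline allowed volume per client, and CONNECT requests that look more like tunnels than ordinary HTTPS. The log lines are constructed, and the allowed-port list and ten-minute threshold are assumptions.

```python
"""Added example (not from the original post): triage of *permitted* traffic
in Squid native access.log lines, flagging CONNECTs that look like tunnels."""
import re
from collections import Counter

# Squid native format: ts elapsed_ms client action/code bytes method url ident hier/peer type
_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<action>\S+)/(?P<code>\d{3})"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)")

# Constructed sample: ordinary GETs, one normal HTTPS CONNECT, two tunnel-like CONNECTs, one deny.
SAMPLE_LOG = """\
1096500000.101 45 10.0.0.5 TCP_MISS/200 1234 GET http://intranet.example/ - DIRECT/192.0.2.10 text/html
1096500001.202 12 10.0.0.5 TCP_HIT/200 5120 GET http://intranet.example/logo.png - NONE/- image/png
1096500002.303 800 10.0.0.7 TCP_TUNNEL/200 9000 CONNECT www.example.com:443 - DIRECT/192.0.2.11 -
1096500003.404 3600000 10.0.0.9 TCP_TUNNEL/200 52000000 CONNECT 203.0.113.9:22 - DIRECT/203.0.113.9 -
1096500004.505 7200000 10.0.0.9 TCP_TUNNEL/200 1200000 CONNECT relay.example.net:8443 - DIRECT/192.0.2.12 -
1096500005.606 10 10.0.0.5 TCP_DENIED/403 0 GET http://blocked.example/ - NONE/- text/html
"""

def parse(line):
    """Return a dict for one access.log line, or None if it does not match."""
    m = _LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("ms", "bytes", "code"):
        d[k] = int(d[k])
    return d

def tunnel_candidates(log_text, ok_ports=(443,), max_ms=600_000):
    """Permitted CONNECTs to a non-allowed port, or held open longer than max_ms (assumed 10 min)."""
    hits = []
    for rec in filter(None, map(parse, log_text.splitlines())):
        if rec["method"] != "CONNECT" or rec["code"] != 200:
            continue  # denied or non-tunnel traffic is not what this pass is about
        host, _, port = rec["url"].rpartition(":")
        port = int(port) if port.isdigit() else 443
        if port not in ok_ports or rec["ms"] > max_ms:
            hits.append((rec["client"], host, port, rec["ms"], rec["bytes"]))
    return hits

def permitted_bytes_per_client(log_text):
    """Volume of *allowed* traffic per client: the baseline the thread suggests watching."""
    c = Counter()
    for rec in filter(None, map(parse, log_text.splitlines())):
        if rec["code"] < 400:
            c[rec["client"]] += rec["bytes"]
    return c
```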