Firewall Wizards mailing list archives
Re: Log checking?
From: Mark Tinberg <mtinberg () securepipe com>
Date: Thu, 30 Sep 2004 14:31:56 -0500 (CDT)
On Tue, 28 Sep 2004, Paul D. Robertson wrote:

> I've always felt that worrying about denied traffic was mostly for sport- if the firewall's policy blocked it, I wasn't all that worried about much more than overall trends- what got *through* the firewall seemed to be the more interesting set of things.
I'd agree that this is true for traffic denied incoming from the big, bad Internet, but not true for traffic denied from within your organization. You can learn all kinds of things from denied outbound logs: backdoored machines trying to connect to their IRC controllers, machines with various adware/spyware trying to phone home, machines with misconfigured software that isn't going through your internal proxies (AV updates, for example), machines with misconfigured DNS or NTP settings, etc.

Many of these things you could also detect with a NIDS, but you don't need one to get the above-mentioned information, so it would be useful at all of one's sites, not just those where you can afford a well-configured NIDS.
-- 
Mark Tinberg <MTinberg () securepipe com>
Staff Engineer, SecurePipe Inc.
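The kind of review Mark describes, done over denied outbound entries, as an added example that is not part of the thread: it parses constructed iptables-style deny lines, keeps only flows that originate inside an assumed 10.0.0.0/8 range and are denied on the way out, and counts them per host by the symptom each destination port suggests (IRC controller, DNS/NTP not using internal servers, HTTP bypassing the proxy). The log layout, port-to-symptom mapping and address range are assumptions, not anything from the list post.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in an iptables/syslog-like layout (not from the thread).
SAMPLE_LOGS = """\
Sep 30 14:01:02 fw kernel: DENY OUT IN=eth1 OUT=eth0 SRC=10.1.2.15 DST=198.51.100.7 PROTO=TCP SPT=40111 DPT=6667
Sep 30 14:01:05 fw kernel: DENY OUT IN=eth1 OUT=eth0 SRC=10.1.2.15 DST=198.51.100.7 PROTO=TCP SPT=40112 DPT=6667
Sep 30 14:02:10 fw kernel: DENY OUT IN=eth1 OUT=eth0 SRC=10.1.2.40 DST=203.0.113.9 PROTO=UDP SPT=51000 DPT=53
Sep 30 14:02:11 fw kernel: DENY OUT IN=eth1 OUT=eth0 SRC=10.1.2.41 DST=203.0.113.10 PROTO=UDP SPT=123 DPT=123
Sep 30 14:03:00 fw kernel: DENY OUT IN=eth1 OUT=eth0 SRC=10.1.2.50 DST=192.0.2.80 PROTO=TCP SPT=40200 DPT=80
Sep 30 14:03:30 fw kernel: DENY IN IN=eth0 OUT= SRC=192.0.2.200 DST=10.1.2.15 PROTO=TCP SPT=4444 DPT=445
"""

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the organisation's internal range
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=(\d+) DPT=(\d+)")


def classify(proto, dport):
    """Map a denied outbound flow to the symptom the post lists (assumed port mapping)."""
    if proto == "TCP" and dport in (6667, 6697):
        return "possible IRC backdoor/bot traffic"
    if proto == "UDP" and dport == 53:
        return "DNS not using internal resolvers"
    if proto == "UDP" and dport == 123:
        return "NTP not using internal time servers"
    if proto == "TCP" and dport in (80, 443):
        return "HTTP(S) bypassing the internal proxy (e.g. AV updates)"
    return "other denied outbound"


def summarize_denied_outbound(log_text):
    """Return {(src_host, symptom): count} for denies that originate inside."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, proto, _spt, dpt = m.groups()
        # Inbound denies from the Internet are the "sport" case; skip them here.
        if ip_address(src) not in INTERNAL or ip_address(dst) in INTERNAL:
            continue
        counts[(src, classify(proto, int(dpt)))] += 1
    return dict(counts)


if __name__ == "__main__":
    for (host, symptom), n in sorted(summarize_denied_outbound(SAMPLE_LOGS).items()):
        print(f"{host:<12} {n:>3}  {symptom}")
```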