Re: Log checking?

[Mark Tinberg <mtinberg () securepipe com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 28 Sep 2004, Paul D. Robertson wrote:

> I've always felt that worrying about denied traffic was mostly for sport-
> if the firewall's policy blocked it, I wasn't all that worried about much
> more than overall trends- what got *through* the firewall seemed to be the
> more interesting set of things.

I'd agree that this is true for traffic denied incoming from the big, bad 
Internet but not true for traffic denied from within your organization. 
You can learn all kinds of things from denied outbound logs, backdoored 
machines trying to connect to their IRC controllers, machines with various 
adware/spyware trying to phone home, machines with misconfigured software 
that isn't going through your internal proxies (AV updates for example), 
machines with misconfigured DNS or NTP settings, etc.

Many of these things you could also detect with a NIDS but you don't need 
one to get the abovementioned information so it would be useful at all of 
ones sites, not just those where you can afford a well-configured NIDS.

- -- 
Mark Tinberg <MTinberg () securepipe com>
Staff Engineer, SecurePipe Inc.
Key fingerprint = FAEF 15E4 FEB3 08E8 66D5  A1A1 16EE C5E4 E523 6C67
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQFBXF8wFu7F5OUjbGcRApJZAKCg42pVE2Z3Abq2wvrX5uHrAsE5MgCffIdH
HRmdYkO4UQXURvejZcRiQuM=
=BYt+
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards