Firewall Wizards mailing list archives
RE: Log checking?
From: Larry Pitcher <pitcherl () bakerboyer com>
Date: Thu, 30 Sep 2004 09:34:22 -0700
Maybe this is too obvious to mention, but what I watch for in my firewall logs are denied connections trying to go from the inside to the Internet on closed ports. It gives me a look at misconfigured or infected PCs.

Larry Pitcher
Internet Product Manager
Baker Boyer Bank
509.526.1429
pitcherl () bakerboyer com

-----Original Message-----
From: Paul D. Robertson [mailto:paul () compuwar net]
Sent: Thursday, September 30, 2004 8:25 AM
To: Luke Butcher
Cc: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Log checking?

On Wed, 29 Sep 2004, Luke Butcher wrote:
> In this scenario I'm trusting the firewall to block all known bad. The IDS is just a mechanism to sift the more 'interesting' stuff that gets THROUGH the firewall (from the outside).

But, again- IDS is "known bad"- we don't get IDS signatures for "stuff we don't know is good." Strategically, I'm less worried about finding things that will be IDS signatures next month than I am about finding things that will never be IDS signatures. Yes, that's a lot of data to deal with, but it's the higher-cost threats in my view, such as the bad insider, strategic compromise, etc.

> Saves having to troll through all the traffic that gets past the firewall, which is nearly all legitimate. Alerts in this case would be

Ah, but what I'm suggesting is that for emergent threats, that trolling is actually useful.

> When everything's coming your way, you're in the wrong lane.
Nah, it just means you're in a target rich environment ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
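
The check Larry Pitcher describes at the top of this message (denied connections from the inside to the Internet on closed ports), as an added example that is not part of the original thread. It assumes netfilter LOG-style key=value lines with a hypothetical `OUT-DENY` log prefix, a 10.0.0.0/8 inside network and constructed sample lines; the fan-out labelling is this example's own heuristic.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions: netfilter LOG-style key=value lines; "OUT-DENY" is a hypothetical
# log prefix on the outbound deny rule; 10.0.0.0/8 is the inside network.
KV = re.compile(r"(\w+)=(\S+)")
INSIDE = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample lines (private and documentation addresses only).
SAMPLE_LOG = """\
Sep 30 09:01:12 fw kernel: OUT-DENY IN=eth1 OUT=eth0 SRC=10.1.4.23 DST=198.51.100.7 PROTO=TCP SPT=1045 DPT=445
Sep 30 09:01:12 fw kernel: OUT-DENY IN=eth1 OUT=eth0 SRC=10.1.4.23 DST=198.51.100.8 PROTO=TCP SPT=1046 DPT=445
Sep 30 09:01:13 fw kernel: OUT-DENY IN=eth1 OUT=eth0 SRC=10.1.4.23 DST=203.0.113.40 PROTO=TCP SPT=1047 DPT=445
Sep 30 09:02:40 fw kernel: OUT-DENY IN=eth1 OUT=eth0 SRC=10.1.7.5 DST=192.0.2.25 PROTO=TCP SPT=2210 DPT=25
Sep 30 09:07:40 fw kernel: OUT-DENY IN=eth1 OUT=eth0 SRC=10.1.7.5 DST=192.0.2.25 PROTO=TCP SPT=2214 DPT=25
Sep 30 09:08:02 fw kernel: IN-DENY IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.1.4.23 PROTO=TCP SPT=4431 DPT=135
Sep 30 09:08:05 fw kernel: OUT-DENY IN=eth1 OUT=eth0 SRC=10.1.9.9 DST=198.51
"""

def denied_outbound(lines, prefix="OUT-DENY"):
    """Collect (dst, proto, dport) per inside host for denied inside-to-Internet tries."""
    hosts = defaultdict(list)
    for line in lines:
        if prefix not in line:
            continue
        f = dict(KV.findall(line))
        try:
            src, dst = ipaddress.ip_address(f["SRC"]), ipaddress.ip_address(f["DST"])
            attempt = (str(dst), f["PROTO"], int(f["DPT"]))
        except (KeyError, ValueError):
            continue                      # truncated line, or no port (e.g. ICMP)
        if src in INSIDE and dst not in INSIDE:
            hosts[str(src)].append(attempt)
    return dict(hosts)

def triage(hosts, fanout=3):
    """Rank hosts by distinct destinations. Heuristic (this example's assumption):
    many destinations suggests scanning, one repeated destination a misconfiguration."""
    rows = []
    for src, tries in hosts.items():
        dsts = {d for d, _, _ in tries}
        ports = sorted({(p, n) for _, p, n in tries})
        label = "fan-out" if len(dsts) >= fanout else "repeated"
        rows.append((src, label, len(tries), len(dsts), ports))
    return sorted(rows, key=lambda r: -r[3])

if __name__ == "__main__":
    print(triage(denied_outbound(SAMPLE_LOG.splitlines())))
```

Each row is (inside host, label, denied attempts, distinct destinations, ports); the inbound deny and the truncated line in the sample are skipped.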