Firewall Wizards mailing list archives

Re: Pix 535 Logging


From: "Behm, Jeffrey L." <BehmJL () bv com>
Date: Wed, 8 Nov 2006 11:12:07 -0600

MJR-like Rant: Best practices would include blocking *everything*
outbound that you don't explicitly want going out. In an educational
environment, you might not be able to block, but in a corporate
environment you should be able to. At a minimum, logging this traffic
can help you understand where you might need to block. Doing this helps
prevent your internal machines from being poor "net neighbors" and
blindly infecting others.
 
In response to the OP, you could allow your known email servers in a
rule that doesn't log, and then have a second rule that (allows or
denies, based on your policy/environment) but logs entries that match
this rule.


________________________________

        From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of David Swafford
        Sent: Wednesday, November 08, 2006 9:58 AM
        To: firewall-wizards () listserv icsalabs com
        Subject: Re: [fw-wiz] Pix 535 Logging
        
        
        Have you thought about just blocking all outbound port 25 connections except for your authorized MX and mail servers?  We did that at my company about a year back and eliminated the problem of infected machines flooding spam out from our network.
         
        Just a thought,
         
        David.
         
        ____________________________________________________
        
         
        David A. Swafford, Network Engineer
        Information Technology Team
        Archbishop Alter High School
         
        EC-Council Certified Ethical Hacker
         
        A Cisco Systems, Inc., Certified Network Associate (CCNA) 
        and a CompTIA Network+ and Security+ Certified Professional
        <mailto:dswafford () alterhighschool org> 


        >>> james.burns () sunderland ac uk 11/8/2006 5:50 am >>>
        Hi,

        I have a quick question regarding logging on a Pix 535.

        We're currently getting a lot of CERT notifications for spammers operating within our network - mainly just students with 0wned machines, but we're looking into ways to automate the procedure slightly.

        Anyway, what I'm looking to do, and what I need help with.... I want to know if it's possible to log all outbound port 25 connection attempts, EXCEPT those that come from our authorised MX's and mail servers. AND I would like to be able to do this in addition to the normal logging that takes place.

        So, is it possible?

        Any thoughts and guidance you can provide are very much appreciated.

        Cheers,
        James

        -- 
        James Burns

        Network Advisor - Student & Learning Support
        University of Sunderland
        _______________________________________________
        firewall-wizards mailing list
        firewall-wizards () listserv icsalabs com
        https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
        

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
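The two-rule arrangement Behm describes (un-logged permit for the known mail servers, then a logged catch-all for everyone else on port 25), written out as a PIX access list. This is an added example, not configuration posted by anyone on the thread; it assumes PIX 6.3-or-later ACL syntax with the `log` keyword, an inside interface named `inside`, an ACL named `outbound_in`, and placeholder addresses from the documentation range (192.0.2.10 and 192.0.2.11 as the authorised MX/mail servers, 192.0.2.50 as the syslog collector).

```cisco
! Added example, not from the original thread. Placeholders: 192.0.2.10 and
! 192.0.2.11 are the authorised mail servers, 192.0.2.50 is the syslog host,
! "inside" is the internal interface, "outbound_in" is the ACL name.
!
! Rule 1: authorised mail servers may originate SMTP. No "log" keyword here,
! so these flows do not produce per-flow 106100 access-list log messages.
access-list outbound_in permit tcp host 192.0.2.10 any eq smtp
access-list outbound_in permit tcp host 192.0.2.11 any eq smtp
!
! Rule 2: any other inside host attempting port 25 matches this line and is
! logged. Use the deny form where policy allows blocking (corporate), or the
! permit form where you can only observe (educational); keep exactly one.
access-list outbound_in deny tcp any any eq smtp log
! access-list outbound_in permit tcp any any eq smtp log
!
! Remaining outbound traffic as before; the ACL still ends in an implicit deny.
access-list outbound_in permit ip any any
access-group outbound_in in interface inside
!
! Send the messages to a collector. Message 106100 (ACL "log" hit) is emitted
! at informational level (6) by default, so the trap level must include it.
! The regular 106023 deny messages and other syslog output are unaffected,
! which covers the "in addition to the normal logging" part of the question.
logging on
logging timestamp
logging trap informational
logging host inside 192.0.2.50
```

Order matters: the PIX evaluates an access list top to bottom and stops at the first match, so the host-specific permits have to sit above the `any any eq smtp` line or every mail server would be logged (or blocked) along with the infected machines. On the collector side, filtering syslog for 106100 entries against ACL `outbound_in` and grouping by source address gives the per-host list the original poster wanted to feed into an automated process; the `interval` option on the `log` keyword (default 300 seconds) controls how often a repeating flow re-reports with its hit count.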
