Odd scans and stuff bouncing off firewalls

["Nexus" <nexus () patrol i-way co uk>]

Just a quick straw poll to see if anyone has any hard data that supports the
logging and analysis of traffic that bounces off of filtering devices as
part of a business security plan ?   Other than generating attack metrics to
wave under the noses of senior managment at budget time, is there any
definite _business_ requirement to have IDS sensors outside the firewall or
firewall "drop" logs et al regularly examined in the context of "external"
attack sources ?

 "We defended against X bazillion hack attacks last year so we need a bigger
budget for more stuff.."
BableFish (H2G2 version) : "Tons of port scans and worms from non
accountable netblocks bounced off of the firewall"

I don't bother to chase anything from anywhere unless it makes it through
the filters because I could care less and it would IMHO purely be a time
sink and even then only if it's from a netblock that has a whois abuse@
entry.   As I said, this is purely my own view, on my own network knowing
the sheer amount of background radiation on the internet, so I would
appreciate some other points of view.

Cheers.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com