Re: Dynamic IP log retention = 0?

[Marcus Reid <marcus () blazingdot com>]

On Wed, Mar 11, 2009 at 10:55:43AM -0400, Brett Charbeneau wrote:
> On Wed, 11 Mar 2009, William Allen Simpson wrote:
>
> WAS> While I applaud your taking security seriously, and your active monitoring
> WAS> of your resources, other folks might be handling huge numbers of Conficker,
> WAS> Mebroot, and Torpig infections these days.  So, they might be rather busy.
>
>       Excellent point. And with dwindling staff levels outgoing worm traffic 
> may be super low priority for them.
>       I know every operation is different - I just wanted to check with the 
> group before cranking up my level of indignation. =8^)
>
> WAS> Are your library systems all clean?
>
>       I believe them to be. I have a Snort-based network intrusion detection 
> system (using sguil) running with eight taps - and we subscribe to the Snort VRT 
> rules. That's on top of host-based intrusion (OSSEC) on all of our servers and 
> critical workstations. And centrallly-manged anti-virus (Kaspersky) on all 
> desktops.
>
> WAS> You don't seem to have your own ARIN allocation for wrl.org, so it's kinda
> WAS> hard to tell from here....
> WAS> 
> WAS> AS      | IP               | AS Name
> WAS> 4565    | 66.200.204.71    | MEGAPATH2-US - MegaPath Networks Inc.
>
>       Yes - while we handle our own DNS our ISP prefers to mask our ARIN 
> entry for (their) ease of management. I try to be the anti-salmon with this and 
> go WITH the flow...

A quick scan of the reverse mapping for your address space in DNS reveals
that you have basically your entire network on public addresses.  No wonder
you're worried about portscans when the printer down the hall and the
receptionists machine are sitting on public addresses.  I think you are
trying to secure your network from the wrong end here.

Marcus