RE: [fw-wiz] Log checking?

From: Desai, Ashish (Ashish.Desai_at_fmr.com)
Date: 09/29/04

  • Next message: Adam Shostack: "Re: [fw-wiz] Log checking?"
    To: "Paul D. Robertson" <paul@compuwar.net>, <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 28 Sep 2004 18:27:24 -0400
    
    

    I would recommend you also look at your web proxy logs.
    Especially for the 'CONNECT' method (which is an SSL connection).
    There are too many people who have figured out how to
    ab(use) it. We are now also starting to see VPN software
    that is going to start using that method and at that point
    it's pretty much game over.

    We have found very interesting things when CS interns start
    working at our company and they start using this channel to
    get to the outside. Besides, it's a lot of fun looking at
    what people are querying at Google ;-)

    Ashish

    > -----Original Message-----
    > From: Paul D. Robertson [mailto:paul@compuwar.net]
    > Sent: Tuesday, September 28, 2004 4:05 PM
    > To: firewall-wizards@honor.icsalabs.com
    > Subject: [fw-wiz] Log checking?
    >
    > Back when I had real production firewalls, I'd log all the permitted
    > traffic for a while, then do some analysis of the data to get a
    > feel for things like tunnels, misbehaving users, etc.
    >
    > I've always felt that worrying about denied traffic was mostly for sport-
    > if the firewall's policy blocked it, I wasn't all that worried about much
    > more than overall trends- what got *through* the firewall seemed to be the
    > more interesting set of things.
    >
    > I'm just wondering if the subset of folks who actually look at their
    > firewalls mostly looks at denied traffic only, or if it's a common
    > practice to look at the permitted stuff too? If so, what sorts of things
    > are you using, and are you finding anything interesting?
    >
    > Paul
    > -----------------------------------------------------------------------------
    > Paul D. Robertson "My statements in this message are personal opinions
    > paul@compuwar.net which may have no basis whatsoever in fact."
    > probertson@trusecure.com Director of Risk Assessment
    > TruSecure Corporation
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >
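
Added example, not part of either message: one way to review permitted CONNECT requests in web proxy logs, as suggested in the reply above. It assumes Squid's native access.log field order; the sample lines, thresholds and function names are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Assumed Squid native access.log layout:
# time elapsed_ms client action/status bytes method url ident peer type
Finding = namedtuple("Finding", "client target reasons")
# Constructed sample lines, not taken from any real proxy.
SAMPLE_LOG = """\
1096410444.101    850 10.1.4.20 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1096410450.330   1200 10.1.4.20 TCP_MISS/200 18233 CONNECT webmail.example.com:443 - DIRECT/192.0.2.25 -
1096410500.912 7200000 10.1.7.33 TCP_MISS/200 250000000 CONNECT 198.51.100.7:443 - DIRECT/198.51.100.7 -
1096410611.004  30500 10.1.7.34 TCP_MISS/200 90211 CONNECT shell.example.net:22 - DIRECT/203.0.113.9 -
1096410700.500     12 10.1.7.35 TCP_DENIED/403 1500 CONNECT irc.example.org:6667 - NONE/- text/html
"""

ALLOWED_PORTS = {443}          # assumption: only HTTPS should use CONNECT
MAX_SECONDS = 3600             # assumption: tunnels open over 1 hour are unusual
MAX_BYTES = 100 * 1024 * 1024  # assumption: over 100 MiB per tunnel is unusual

def is_ip_literal(host):
    """True when the CONNECT target is an address rather than a hostname."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def review_connects(log_text):
    """Return permitted CONNECT requests that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "CONNECT":
            continue
        elapsed_ms, client, action, size, target = int(f[1]), f[2], f[3], int(f[4]), f[6]
        if action.startswith("TCP_DENIED"):
            continue  # the policy blocked it; permitted tunnels are the focus
        host, _, port = target.rpartition(":")
        reasons = []
        if not port.isdigit() or int(port) not in ALLOWED_PORTS:
            reasons.append("port " + port)
        if is_ip_literal(host):
            reasons.append("bare IP destination")
        if elapsed_ms / 1000 > MAX_SECONDS:
            reasons.append("long-lived tunnel")
        if size > MAX_BYTES:
            reasons.append("high byte count")
        if reasons:
            findings.append(Finding(client, target, reasons))
    return findings
```

Calling `review_connects(SAMPLE_LOG)` returns one `Finding` per flagged tunnel; grouping the results by client shows which hosts tunnel most often.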