RE: [fw-wiz] Log checking?

From: Luke Butcher (Luke.Butcher_at_alphawest.com.au)
Date: 09/29/04

  • Next message: Paul D. Robertson: "RE: [fw-wiz] Log checking?"
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 29 Sep 2004 09:00:31 +1000
    
    

     
    It's for this reason I always set up IDS(ii?) inside the firewall. I'm
    only worried about what gets through; what's blocked is history.

    It also has the nice side effect of monitoring what people inside your
    network are up to. Which for all practical purposes are the only ones
    you can actually do anything about.

    Sometimes if there is no IDS in place (or even if there is, depending on
    the client), I'll log permits on the firewall but only on more generic
    rules, e.g. allow inside to ftp to anywhere. Logging everything can
    generate too much data, and your signal-to-noise ratio drops, meaning you
    might miss something.

    Luke Butcher
    Network/Security Consultant
    Alphawest Services Pty Ltd
    www.alphawest.com.au

    IBM: Incredibly Bullying Menace

    -----Original Message-----
    From: Paul D. Robertson [mailto:paul@compuwar.net]

    I'm just wondering if the subset of folks who actually look at their
    firewalls mostly looks at denied traffic only, or if it's a common
    practice to look at the permitted stuff too? If so, what sorts of
    things are you using, and are you finding anything interesting?
