RE: [fw-wiz] Log checking?

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 09/29/04

  • Next message: R. DuFresne: "Re: [fw-wiz] The Mathematics of Relative Security"
    To: Luke Butcher <Luke.Butcher@alphawest.com.au>
    Date: Tue, 28 Sep 2004 21:12:11 -0400 (EDT)
    
    

    On Wed, 29 Sep 2004, Luke Butcher wrote:

    > It's for this reason I always set up IDS(ii?) inside the firewall. I'm
    > only worried about what gets through, what's blocked is history.
    >

    That's still pretty much logging "known bad" though, isn't it? Heck, if
    it's known bad, I want to stop it, not alert on it. Blocked getting
    ignored was pretty much my default too, since we had enough attacks a day
    that following up would have taken at least one person, maybe more.

    > It also has the nice side effect of monitoring what people inside your
    > network are up to. Which for all practical purposes are the only ones
    > you can actually do anything about.

    Well, that's one of my reasons for doing permits- more fun to be had
    LARTing the lusers.

    > Sometimes if there is no IDS in place (or even if there is depending on
    > the client), I'll log permits on the firewall but only on more generic
    > rules e.g. allow inside to ftp to anywhere. Logging everything can
    > generate too much data, and your signal to noise ratio drops meaning you
    > might miss something.

    I didn't constantly monitor everything, but I'd do it as a routine. I
    also felt that it would help me make a "routine process" case if we ever
    got challenged for a dismissal.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
