RE: [fw-wiz] Log checking?
From: Rodel Collado Urani (sparc_at_ucomputer.org)
Date: 09/29/04
- Previous message: Ben Nagy: "RE: [fw-wiz] Log checking?"
- Maybe in reply to: Paul D. Robertson: "[fw-wiz] Log checking?"
- Next in thread: Fiamingo, Frank: "RE: [fw-wiz] Log checking?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: luke.butcher@alphawest.com.au, paul@compuwar.net
Date: Wed, 29 Sep 2004 04:23:40 -0700
On Tue, 28 Sep 2004 18:12:11 -0700 "Paul D. Robertson" <paul@compuwar.net>
wrote:
>On Wed, 29 Sep 2004, Luke Butcher wrote:
>
>> It's for this reason I always setup IDS(ii?) inside the firewall. I'm
>> only worried about what gets through, what's blocked is history.
>>
>
>That's still pretty much logging "known bad" though, isn't it? Heck, if
>it's known bad, I want to stop it, not alert on it. Blocked getting
>ignored was pretty much my default too, since we had enough attacks a day
>that following up would have taken at least one person, maybe more.
>
>> It also has the nice side effect of monitoring what people inside your
>> network are up to. Which for all practical purposes are the only ones
>> you can actually do anything about.
It's a good thing to monitor all servers running critical applications, but
doing this requires too much work unless there is someone tasked with looking
at every possible security breach. Since email has always been considered
a necessity for everyone handling systems and network administration (SNA),
one thing that may lessen the work compared to just monitoring every activity
that may occur on the system is setting up an email relay on every server
that can alert an administrator to whatever is happening on those servers,
such as unauthorized ICMP packets, spam, et al.
>
>Well, that's one of my reasons for doing permits- more fun to be had
>LARTing the lusers.
>
>> Sometimes if there is no IDS in place (or even if there is depending on
>> the client), I'll log permits on the firewall but only on more generic
>> rules e.g. allow inside to ftp to anywhere. Logging everything can
>> generate too much data, and your signal to noise ratio drops meaning you
>> might miss something.
>
>I didn't constantly monitor everything, but I'd do it as a routine. I
>also felt that it would help me make a "routine process" case if we ever
>got challenged for a dismissal.
>
>Paul
>-----------------------------------------------------------------------------
>Paul D. Robertson "My statements in this message are personal opinions
>paul@compuwar.net which may have no basis whatsoever in fact."
>probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
>_______________________________________________
>firewall-wizards mailing list
>firewall-wizards@honor.icsalabs.com
>http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
RODEL COLLADO URANI
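Added example, not code from anyone in the thread: a small triage script that follows the two ideas discussed above. Hits on the "generic" permit rules Luke describes (here a hypothetical "inside to ftp anywhere" rule) are listed one by one for routine review, while denies are only counted per source, so the volume of blocked traffic Paul mentions costs no per-event follow-up; the result is a plain-text digest of the kind Rodel's mailed-out alerts would carry. The log format is iptables-style and the sample lines are constructed.

```python
import re
from collections import Counter
# Constructed iptables-style log lines (sample data, not from the thread).
SAMPLE_LOG = """\
ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=203.0.113.8 PROTO=TCP DPT=21
ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=203.0.113.9 PROTO=TCP DPT=21
ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.20 DST=198.51.100.3 PROTO=TCP DPT=443
DROP IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.1 PROTO=ICMP TYPE=8
DROP IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.2 PROTO=ICMP TYPE=8
DROP IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.3 PROTO=ICMP TYPE=8
DROP IN=eth0 OUT= SRC=192.0.2.77 DST=10.0.0.1 PROTO=TCP DPT=22
"""

# Hypothetical "generic" permit rules worth logging: (out iface, proto, dport).
GENERIC_PERMITS = {("eth0", "TCP", "21")}  # e.g. "allow inside to ftp anywhere"
LINE_RE = re.compile(r"^(?P<action>ACCEPT|DROP)\s+(?P<fields>.*)$")

def parse_line(line):
    """Turn one 'ACTION KEY=VAL ...' line into a dict; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"action": m.group("action")}
    for token in m.group("fields").split():
        key, _, val = token.partition("=")
        rec[key] = val  # 'OUT=' yields an empty string, which is fine
    return rec

def triage(log_text, deny_threshold=3):
    """List permits on generic rules for routine review; only count denies per source."""
    permits, denies = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] == "ACCEPT":
            if (rec.get("OUT"), rec.get("PROTO"), rec.get("DPT")) in GENERIC_PERMITS:
                permits.append(f"{rec['SRC']} -> {rec['DST']} {rec['PROTO']}/{rec['DPT']}")
        else:
            denies[rec["SRC"]] += 1
    noisy = {src: n for src, n in denies.items() if n >= deny_threshold}
    return permits, noisy

def build_digest(log_text):
    """Plain-text body for the mailed alert the reply suggests."""
    permits, noisy = triage(log_text)
    out = [f"Generic-permit hits to review: {len(permits)}"] + ["  " + p for p in permits]
    out += [f"Sources with repeated denies: {len(noisy)}"] + [f"  {s}: {n} blocked" for s, n in sorted(noisy.items())]
    return "\n".join(out)
```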