Re: [fw-wiz] Log checking?

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 09/30/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Thu, 30 Sep 2004 11:36:27 -0400 (EDT)

    On Tue, 28 Sep 2004, Paul D. Robertson wrote:

    [Summarizing off-list replies]

    Mainly, people feel that summarizing denied traffic shows the firewall has
    value. They also thought it was a useful measure of probe activity.

    We had one respondent who was reviewing rulesets to nuke old rules that
    weren't being hit anymore- a bright spot in my day, since I don't think
    most places review rules often enough.

    Someone had a firewall that didn't log allowed traffic normally, and they
    had to jump through hoops to get that data- to me that's a firewall buying
    point that'd kill a product for me.

    Everyone who had outbound rules mentioned tracking down worms and poorly
    configured machines. I tended to screen my firewalls from the inside too-
    probably because I was too grumpy about what sort of things were allowed
    in e-mail to want to spend time fixing the downstream effects ;)

    One respondent had a tool to run logs through and match with proposed rule
    changes- that sounds like a singular lifesaver to me- I want one- that
    works for several firewall types!

    Another person was worried that most admins don't have the skills to
    analyze the data- probably a way too valid point.

    Mostly it seems like folks roll their own perl code to analyze logs- but
    the self-selected sample is looking at the logs- another bright spot!

    After yesterday's CSI/FBI survey presentation, I needed something good-
    there are enough holes to drive a truck through, and I'm pretty convinced
    that it's a good counter-example for "anything is better than nothing."
    *sigh*

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
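The practices the respondents describe (counting hits per rule to find rules nobody uses any more, summarizing denied traffic, spotting inside hosts repeatedly denied outbound, and matching logged traffic against a proposed rule change) as an added Python example; it is not from the post or from the list, and the rule tags, log format and addresses are constructed for illustration:

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: syslog-style lines with a per-rule LOG prefix (not real data).
SAMPLE_LOG = """\
Sep 30 11:36:01 fw kernel: FW-DENY-IN: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=135
Sep 30 11:36:02 fw kernel: FW-DENY-IN: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=445
Sep 30 11:36:03 fw kernel: FW-ALLOW-WEB: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=80
Sep 30 11:36:04 fw kernel: FW-DENY-OUT: IN=eth1 SRC=192.0.2.55 DST=203.0.113.77 PROTO=TCP DPT=445
Sep 30 11:36:05 fw kernel: FW-DENY-OUT: IN=eth1 SRC=192.0.2.55 DST=203.0.113.78 PROTO=TCP DPT=445
Sep 30 11:36:06 fw kernel: FW-ALLOW-WEB: IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=443
"""
# Hypothetical ruleset: every rule tags its log lines with its own prefix.
RULES = ["FW-ALLOW-WEB", "FW-ALLOW-SMTP", "FW-DENY-OUT", "FW-DENY-IN"]

LINE_RE = re.compile(r"(?P<rule>FW-[A-Z-]+): .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                     r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")

def parse_log(text):
    """Return one dict per parseable line; lines without a rule tag are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            e = m.groupdict()
            e["dpt"] = int(e["dpt"])
            events.append(e)
    return events

def rule_hits(events, rules):
    """Hit count for every known rule; a zero-hit rule is a candidate for removal."""
    counts = Counter(e["rule"] for e in events)
    return {r: counts.get(r, 0) for r in rules}

def unused_rules(events, rules):
    return [r for r, n in rule_hits(events, rules).items() if n == 0]

def deny_summary(events):
    """Denied traffic grouped by (rule, source, destination port).
    A single inside host denied outbound to many peers on one port stands out here."""
    return Counter((e["rule"], e["src"], e["dpt"]) for e in events if "DENY" in e["rule"])

def would_match(events, proposed):
    """Logged flows a proposed rule (src network, proto, dport) would have matched:
    review these before changing the ruleset, instead of guessing at the effect."""
    net = ip_network(proposed["src"])
    return [e for e in events if ip_address(e["src"]) in net
            and e["proto"] == proposed["proto"] and e["dpt"] == proposed["dpt"]]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("hits:", rule_hits(evs, RULES), "unused:", unused_rules(evs, RULES))
    print("denies:", deny_summary(evs).most_common(3))
    print("proposed 203.0.113.0/24 tcp/445 matches:",
          len(would_match(evs, {"src": "203.0.113.0/24", "proto": "TCP", "dpt": 445})))
```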

