Re: [fw-wiz] Log checking?

From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: 09/30/04

  • Next message: Marcus J. Ranum: "RE: [fw-wiz] Log checking?"
    To: firewall-wizards@honor.icsalabs.com
    Date: Thu, 30 Sep 2004 23:23:10 +0530
    
    

    On 28/09/04 16:05 -0400, Paul D. Robertson wrote:
    > Back when I had real production firewalls, I'd log all the permitted
    > traffic for a while, then do some analysis of the data to get a
    > feel for things like tunnels, misbehaving users, etc.
    >
    > I've always felt that worrying about denied traffic was mostly for sport-
    > if the firewall's policy blocked it, I wasn't all that worried about much
    > more than overall trends- what got *through* the firewall seemed to be the
    > more interesting set of things.
    >
    > I'm just wondering if the subset of folks who actually look at their
    > firewalls mostly looks at denied traffic only, or if it's a common
    > practice to look at the permitted stuff too? If so, what sorts of things
    > are you using, and are you finding anything interesting?

    Back when I was actually permitted to look at outbound traffic for
    non-diagnostic purposes, I found it useful to look more at the non-denied
    traffic than that which was denied. I wasn't really bothered with
    outbound traffic at that time (given that I could see all the desktops
    directly), but I was logging some inbound traffic.

    For HTTP and FTP, I was analysing squid logs with custom Perl scripts.
    For SMTP, the mail gateway logs. Lots of deny rules were generated from
    this analysis (port 25 blocks on the edge routers allowing only the
    official MTAs to go through generated quite a bit of logging too).

    At that time, tunneling was not as popular and/or easy to the general
    user population, so that was not a big worry.

    Overall traffic analysis was via ntop. Since I was not logging NetBIOS
    traffic (it just filled up the logs), ntop was useful in logging that
    information as well. A spike in NetBIOS traffic indicated interesting
    events, for Chinese values of interesting.

    A bit of SNMP helped as well in judging overall traffic volumes by
    looking at the relevant switch ports (MRTG graphs).

    At that point of time, I voiced the view that denied traffic was mostly
    uninteresting and was roundly lambasted for it.

    If I had to do it today, I would be worrying more about tunneling as
    well, but proxies with connect support compiled out are quite useful in
    stopping *that*.

    Devdas Bhagat
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
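The post above describes scanning proxy logs for the traffic that was *allowed* through (HTTP and FTP via Squid, with custom Perl scripts) and treating CONNECT tunnelling as the thing worth watching. The following is an added example, not the poster's scripts and not part of the original thread; it does the same kind of summary in Python over Squid's native access.log format. The log lines, client addresses and hostnames are constructed for illustration, and the thresholds (CONNECT only expected on port 443, a 10 MiB "large tunnel" cut-off) are assumptions a practitioner would tune for their own site.

```python
"""Summarise permitted traffic in a Squid native access.log.

Added example (not from the original post). Assumes Squid's default
native log format:
  timestamp elapsed client action/status bytes method URL ident hierarchy type
Sample lines below are constructed, not real traffic.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample log: normal browsing, an expected 443 tunnel,
# a denied CONNECT to port 22, a very large CONNECT to a non-443 port,
# and an FTP fetch.
SAMPLE_LOG = """\
1096558990.123    245 10.0.0.5 TCP_MISS/200 4521 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1096558991.004     80 10.0.0.5 TCP_HIT/200 1200 GET http://www.example.com/logo.gif - NONE/- image/gif
1096559001.456  12034 10.0.0.7 TCP_TUNNEL/200 8920 CONNECT mail.example.net:443 - DIRECT/192.0.2.20 -
1096559003.000      0 10.0.0.7 TCP_DENIED/403 1400 CONNECT 198.51.100.9:22 - NONE/- text/html
1096559010.200 600000 10.0.0.9 TCP_TUNNEL/200 52428800 CONNECT 203.0.113.4:8443 - DIRECT/203.0.113.4 -
1096559012.900    310 10.0.0.5 TCP_MISS/200 2300 GET ftp://ftp.example.org/pub/README - DIRECT/192.0.2.30 text/plain
"""

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def parse_line(line):
    """Parse one native-format line into a dict, or None if malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    action, _, status = fields[3].partition("/")
    method, target = fields[5], fields[6]
    if method == "CONNECT":
        # CONNECT targets are bare host:port, not URLs.
        host, _, port = target.rpartition(":")
        port = int(port) if port.isdigit() else None
    else:
        parts = urlsplit(target)
        host = parts.hostname
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return {
        "client": fields[2],
        "action": action,
        "status": status,
        "bytes": int(fields[4]),
        "method": method,
        "host": host,
        "port": port,
    }


def permitted(records):
    """Keep only what the proxy let through; denied lines are the 'sport'."""
    return [r for r in records if r["action"] != "TCP_DENIED"]


def analyse(log_text, tunnel_ports=(443,), big_bytes=10 * 1024 * 1024):
    """Summarise permitted traffic and flag CONNECTs that look like tunnels.

    tunnel_ports: ports on which CONNECT is expected (assumed: 443 only).
    big_bytes: a CONNECT moving more than this is flagged even on 443.
    """
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    allowed = permitted(records)
    bytes_per_client = Counter()
    bytes_per_host = Counter()
    suspect_tunnels = []
    for r in allowed:
        bytes_per_client[r["client"]] += r["bytes"]
        bytes_per_host[r["host"]] += r["bytes"]
        if r["method"] == "CONNECT" and (
            r["port"] not in tunnel_ports or r["bytes"] >= big_bytes
        ):
            suspect_tunnels.append(r)
    return {
        "permitted": len(allowed),
        "denied": len(records) - len(allowed),
        "bytes_per_client": bytes_per_client,
        "top_hosts": bytes_per_host.most_common(3),
        "suspect_tunnels": suspect_tunnels,
    }


if __name__ == "__main__":
    summary = analyse(SAMPLE_LOG)
    print(f"permitted={summary['permitted']} denied={summary['denied']}")
    print("top hosts by bytes:", summary["top_hosts"])
    for r in summary["suspect_tunnels"]:
        print(f"suspect tunnel: {r['client']} -> {r['host']}:{r['port']} "
              f"({r['bytes']} bytes)")
```

Run against a real access.log by feeding the file contents to `analyse()`; the point of the per-client and per-host byte totals is the same one the post makes, that volume and destination of permitted traffic tell you more than the deny lines, and the CONNECT check is the log-side counterpart to removing CONNECT support from the proxy.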
