RE: [fw-wiz] Log checking?
From: Larry Pitcher (pitcherl_at_bakerboyer.com)
Date: 09/30/04
- Maybe in reply to: Paul D. Robertson: "[fw-wiz] Log checking?"
To: "'Paul D. Robertson'" <paul@compuwar.net>, 'Luke Butcher' <Luke.Butcher@alphawest.com.au>
Date: Thu, 30 Sep 2004 09:34:22 -0700
Maybe this is too obvious to mention, but what I watch for in my firewall
logs are denied connections trying to go from the inside to the Internet on
closed ports. It gives me a look at misconfigured or infected PCs.
Larry Pitcher
Internet Product Manager
Baker Boyer Bank
509.526.1429
pitcherl@bakerboyer.com
-----Original Message-----
From: Paul D. Robertson [mailto:paul@compuwar.net]
Sent: Thursday, September 30, 2004 8:25 AM
To: Luke Butcher
Cc: firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] Log checking?
On Wed, 29 Sep 2004, Luke Butcher wrote:
> In this scenario I'm trusting the firewall to block all known bad. The
> IDS is just a mechanism to sift the more 'interesting' stuff that
> gets THROUGH the firewall (from the outside).
But, again- IDS is "known bad"- we don't get IDS signatures for "stuff we
don't know is good."
Strategically, I'm less worried about finding things that will be IDS
signatures next month than I am about finding things that will never be IDS
signatures. Yes, that's a lot of data to deal with, but it's the
higher-cost threats in my view, such as the bad insider, strategic
compromise, etc.
> Saves having to troll through all the traffic that gets past the
> firewall, which is nearly all legitimate. Alerts in this case would be
Ah, but what I'm suggesting is that for emergent threats, that trolling is
actually useful.
> When everything's coming your way, you're in the wrong lane.
Nah, it just means you're in a target rich environment ;)
Paul
-----------------------------------------------------------------------------
Paul D. Robertson
paul@compuwar.net
probertson@trusecure.com
Director of Risk Assessment
TruSecure Corporation
"My statements in this message are personal opinions
which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
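The check Larry describes (denied connections from the inside to the Internet), sketched as an added example that is not part of the original thread. It assumes netfilter-style LOG lines, a hypothetical `FW-DENY` log prefix on the deny rule, and 10.0.0.0/8 as the inside address space; the sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions (not from the thread): netfilter-style LOG lines, a "FW-DENY"
# log prefix on the deny rule, and 10.0.0.0/8 as the inside address space.
INSIDE = ipaddress.ip_network("10.0.0.0/8")
FIELD = re.compile(r"(\w+)=(\S*)")

# Constructed sample log; documentation address ranges stand in for the Internet.
SAMPLE_LOG = """\
Sep 30 09:12:01 fw kernel: FW-DENY IN=eth1 OUT=eth0 SRC=10.1.2.23 DST=203.0.113.9 PROTO=TCP SPT=1034 DPT=445
Sep 30 09:12:01 fw kernel: FW-DENY IN=eth1 OUT=eth0 SRC=10.1.2.23 DST=203.0.113.77 PROTO=TCP SPT=1035 DPT=445
Sep 30 09:12:02 fw kernel: FW-DENY IN=eth1 OUT=eth0 SRC=10.1.2.23 DST=198.51.100.4 PROTO=TCP SPT=1036 DPT=445
Sep 30 09:15:40 fw kernel: FW-DENY IN=eth1 OUT=eth0 SRC=10.1.7.5 DST=192.0.2.25 PROTO=TCP SPT=2201 DPT=25
Sep 30 09:20:40 fw kernel: FW-DENY IN=eth1 OUT=eth0 SRC=10.1.7.5 DST=192.0.2.25 PROTO=TCP SPT=2207 DPT=25
Sep 30 09:21:13 fw kernel: FW-DENY IN=eth0 OUT=eth1 SRC=198.51.100.200 DST=10.1.2.23 PROTO=TCP SPT=4455 DPT=135
Sep 30 09:22:00 fw kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=10.1.9.9 DST=192.0.2.80 PROTO=TCP SPT=3301 DPT=80
Sep 30 09:23:00 fw kernel: FW-DENY IN=eth1 OUT=eth0 SRC=10.1.2
"""

def denied_egress(lines):
    """Yield (src, dst, proto, dport) for denied inside-to-outside packets."""
    for line in lines:
        if "FW-DENY" not in line:
            continue
        f = dict(FIELD.findall(line))
        try:
            src = ipaddress.ip_address(f["SRC"])
            dst = ipaddress.ip_address(f["DST"])
        except (KeyError, ValueError):
            continue  # truncated or malformed record
        if src in INSIDE and dst not in INSIDE:
            yield str(src), str(dst), f.get("PROTO", "?"), f.get("DPT", "-")

def summarize(lines):
    """Per inside host: deny count, distinct destinations, distinct proto/port pairs."""
    hosts = defaultdict(lambda: {"denies": 0, "dsts": set(), "ports": set()})
    for src, dst, proto, dport in denied_egress(lines):
        h = hosts[src]
        h["denies"] += 1
        h["dsts"].add(dst)
        h["ports"].add(f"{proto}/{dport}")
    # Hosts reaching for many different destinations sort first.
    return sorted(hosts.items(), key=lambda kv: (-len(kv[1]["dsts"]), -kv[1]["denies"]))

if __name__ == "__main__":
    for src, h in summarize(SAMPLE_LOG.splitlines()):
        print(src, h["denies"], len(h["dsts"]), sorted(h["ports"]))
```

In the constructed sample, one host fanning out to several destinations on a single port sorts above a host retrying one destination, which separates the scanning pattern from a likely misconfiguration.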