RE: [fw-wiz] Log checking?

From: Larry Pitcher (pitcherl_at_bakerboyer.com)
Date: 09/30/04

    To: "'Paul D. Robertson'" <paul@compuwar.net>, 'Luke Butcher' <Luke.Butcher@alphawest.com.au>
    Date: Thu, 30 Sep 2004 09:34:22 -0700
    
    

    Maybe this is too obvious to mention, but what I watch for in my firewall
    logs are denied connections trying to go from the inside to the Internet on
    closed ports. It gives me a look at misconfigured or infected PCs.

    Larry Pitcher

    Internet Product Manager
    Baker Boyer Bank
    509.526.1429
    pitcherl@bakerboyer.com

    -----Original Message-----
    From: Paul D. Robertson [mailto:paul@compuwar.net]
    Sent: Thursday, September 30, 2004 8:25 AM
    To: Luke Butcher
    Cc: firewall-wizards@honor.icsalabs.com
    Subject: RE: [fw-wiz] Log checking?

    On Wed, 29 Sep 2004, Luke Butcher wrote:

    > In this scenario I'm trusting the firewall to block all known bad. The
    > IDS is just a mechanism to sift the more 'interesting' stuff that
    > gets THROUGH the firewall (from the outside).

    But, again- IDS is "known bad"- we don't get IDS signatures for "stuff we
    don't know is good."

    Strategically, I'm less worried about finding things that will be IDS
    signatures next month than I am about finding things that will never be IDS
    signatures. Yes, that's a lot of data to deal with, but it's the
    higher-cost threats in my view, such as the bad insider, strategic
    compromise, etc.

    > Saves having to troll through all the traffic that gets past the
    > firewall, which is nearly all legitimate. Alerts in this case would be

    Ah, but what I'm suggesting is that for emergent threats, that trolling is
    actually useful.

    > When everything's coming your way, you're in the wrong lane.

    Nah, it just means you're in a target rich environment ;)

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

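    The two checks discussed above, as an added example that is not part of the original thread or any product's code: Larry's filter for denied connections from inside hosts out to the Internet, and Paul's point that the interesting traffic is the traffic nobody has a signature for, expressed as "accepted outbound traffic that is not on the known-good baseline". The log format, the sample lines, the internal address range and the baseline port set are all constructed assumptions for this example; a real deployment would substitute its own parser and allowlist.

```python
"""
Sift a firewall log two ways:
  1. denied_outbound()     -- DROP events whose source is an inside host and whose
                              destination is outside (misconfigured or infected PCs).
  2. unexpected_outbound() -- ACCEPT events from inside on a service that is not in
                              the known-good baseline ("stuff we don't know is good").
Log format, sample lines, INTERNAL_NETS and EXPECTED_OUTBOUND are constructed
assumptions for this example, not taken from any particular firewall.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log: <timestamp> <host> <ACTION> SRC= DST= PROTO= DPT=
SAMPLE_LOG = """\
2004-09-30T09:01:02 fw DROP SRC=10.1.2.15 DST=203.0.113.9 PROTO=TCP DPT=135
2004-09-30T09:01:03 fw ACCEPT SRC=10.1.2.15 DST=203.0.113.10 PROTO=TCP DPT=80
2004-09-30T09:01:05 fw DROP SRC=10.1.2.15 DST=198.51.100.4 PROTO=TCP DPT=445
2004-09-30T09:01:09 fw DROP SRC=10.1.2.77 DST=192.0.2.200 PROTO=TCP DPT=6667
2004-09-30T09:01:11 fw DROP SRC=198.51.100.50 DST=10.1.2.1 PROTO=TCP DPT=22
2004-09-30T09:01:12 fw ACCEPT SRC=10.1.2.77 DST=192.0.2.201 PROTO=UDP DPT=53
2004-09-30T09:01:15 fw ACCEPT SRC=10.1.2.42 DST=192.0.2.77 PROTO=TCP DPT=31337
2004-09-30T09:01:20 fw DROP SRC=10.1.2.15 DST=203.0.113.9 PROTO=TCP DPT=135
2004-09-30T09:01:30 fw DROP SRC=10.1.2.15 DST=198.51.100.5 PROTO=TCP DPT=445
"""

# Assumption: the inside network is 10.0.0.0/8.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Assumption: the only outbound services this site expects inside hosts to use.
EXPECTED_OUTBOUND = {("TCP", 80), ("TCP", 443), ("TCP", 25), ("UDP", 53)}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ACCEPT|DROP) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def _records(log_text):
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            yield rec


def denied_outbound(log_text):
    """Larry's check: DROP events from an inside source to an outside destination.
    Inbound drops (external source) are ordinary background noise and are skipped."""
    return [r for r in _records(log_text)
            if r["action"] == "DROP" and is_internal(r["src"]) and not is_internal(r["dst"])]


def unexpected_outbound(log_text):
    """Paul's point: ACCEPTed outbound traffic on a (proto, port) that is not in the
    known-good baseline. No signature will ever fire on it; only the baseline can."""
    return [r for r in _records(log_text)
            if r["action"] == "ACCEPT" and is_internal(r["src"]) and not is_internal(r["dst"])
            and (r["proto"], r["dport"]) not in EXPECTED_OUTBOUND]


def summarise(events):
    """Per inside host, count events by (proto, dport) so repeat offenders stand out."""
    per_host = defaultdict(Counter)
    for e in events:
        per_host[e["src"]][(e["proto"], e["dport"])] += 1
    return per_host


def noisiest_hosts(per_host):
    """Inside hosts ordered by total event count, busiest first."""
    return sorted(per_host, key=lambda h: sum(per_host[h].values()), reverse=True)


if __name__ == "__main__":
    denied = summarise(denied_outbound(SAMPLE_LOG))
    for host in noisiest_hosts(denied):
        print(host, dict(denied[host]))
    for e in unexpected_outbound(SAMPLE_LOG):
        print("not on baseline:", e["src"], "->", e["dst"], e["proto"], e["dport"])
```

Run against the constructed sample, the first report lists 10.1.2.15 with repeated drops on TCP/135 and TCP/445 (the kind of pattern a worm-infected or misconfigured PC produces) and 10.1.2.77 with one drop on TCP/6667; the inbound drop from 198.51.100.50 is ignored. The second report flags the accepted connection from 10.1.2.42 on TCP/31337 because it is not in the baseline, even though the firewall permitted it and no IDS signature is involved.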

