Re: [fw-wiz] Log checking?
From: Mark Tinberg (mtinberg_at_securepipe.com)
Date: 10/01/04
- Previous message: Jim Seymour: "Re: [fw-wiz] SMTP forwarding question"
- In reply to: Paul D. Robertson: "Re: [fw-wiz] Log checking?"
- Next in thread: Stephen P. Berry: "Re: [fw-wiz] Log checking?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Paul D. Robertson" <paul@compuwar.net> Date: Thu, 30 Sep 2004 19:21:33 -0500 (CDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thu, 30 Sep 2004, Paul D. Robertson wrote:
> On Thu, 30 Sep 2004, Mark Tinberg wrote:
>
>>> I've always felt that worrying about denied traffic was mostly for sport-
>>> if the firewall's policy blocked it, I wasn't all that worried about much
>>> more than overall trends- what got *through* the firewall seemed to be the
>>> more interesting set of things.
>>
>> I'd agree that this is true for traffic denied incoming from the big, bad
>> Internet but not true for traffic denied from within your organization.
>
> So, my direct experience leads me to conclude that the biggest problems
> I've seen have all been from the allowed vector- and the organizations
> which were hit were all looking only at the denied traffic. In every
> case, we checked firewall logs, and I don't recall that ever bringing any
> value for places that logged only blocked traffic.
I spoke badly previously and do not disagree with you. I merely wanted to
point out that deny logs are not entirely valueless, I did not want to
imply that they are more valuable than accept logs or that one should view
them in preference to accept logs.
I do find though that accept logs are much more tricky to get valuable
information out of. An individual firewall might have tens or hundreds of
thousands of log lines per day may of which are only packet filter logs.
It's much easier to look at the deny logs, point and say "Look at all this
bad stuff we are detecting/blocking", esp. when you can send the staff off
to fix various broken machines that they otherwise wouldn't know about.
- --
Mark Tinberg <MTinberg@securepipe.com>
Staff Engineer, SecurePipe Inc.
Key fingerprint = FAEF 15E4 FEB3 08E8 66D5 A1A1 16EE C5E4 E523 6C67
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/
iD8DBQFBXKMPFu7F5OUjbGcRAj++AKCAI4SJD0l5mzi15mvus/T6nQ1nKQCgvPpk
OjwkAQWwv6kVsZ79Ms0Qx/w=
=frm2
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- Previous message: Jim Seymour: "Re: [fw-wiz] SMTP forwarding question"
- In reply to: Paul D. Robertson: "Re: [fw-wiz] Log checking?"
- Next in thread: Stephen P. Berry: "Re: [fw-wiz] Log checking?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
