RE: [fw-wiz] Log checking?

From: Luke Butcher (Luke.Butcher_at_alphawest.com.au)
Date: 10/01/04

    To: "Marcus J. Ranum" <mjr@ranum.com>
    Date: Fri, 1 Oct 2004 11:01:17 +1000

    >From: Marcus J. Ranum [mailto:mjr@ranum.com] Friday, 1 October 2004
    >10:23 AM

    >Luke Butcher wrote:
    >>In this scenario I'm trusting the firewall to block all known bad.

    >[...then...]

    >>Saves having to troll through all the traffic that gets past the
    >>firewall, which is nearly all legitimate.

    >Which is it? Do you trust your firewall to block ALL known bad and
    >the result is "nearly all" legitimate?? Are you
    >saying your trust in your firewall is misplaced? ;)

    My apologies,

    I was using the vernacular of Mr. Robertson with respect to firewalls
    blocking known bad. My inclusion of the word ALL is erroneous, nothing
    is absolute. Well there is this one vodka, but that's another story. I
    have trust in the firewall to block things it considers bad in its
    perhaps limited view of the traffic (1).
    It's the stuff it lets through that is more interesting was my point.

    Take, for example, port 80 traffic: a firewall (usually) considers this
    to be 'good' traffic.
    However, more aware devices or people looking at this traffic may
    consider otherwise. As suggested, MOST is legitimate, but the firewall
    considers it ALL legitimate (1).

    This is where logging permits is useful, as per the original discussion.
    My use of an IDS (in conjunction with other methods) is purely a technique
    for efficiency reasons. In my current role I am yet to find a single
    customer with the conviction to security to commit the $$$ required to
    do an exhaustive search regularly in an effort to find a needle in a
    haystack. What they really want is a best effort to appease management
    and shareholders, that they are committed to security, however half-assed
    it may be.
    The ones with the nous to do it themselves don't need us, so by
    definition aren't customers.

    (1) I am aware of firewalls capable of Layer 5,6,7 dissection and so
    forth. However most Firewalls I see deployed currently are concerned
    with layers 3 and 4.

    Luke Butcher
    www.alphawest.com.au

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
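As an added example, not part of the post or the list archive: a small Python triage that takes the post's point literally, joining a constructed layer-3/4 firewall permit log (in which every TCP/80 flow is "good") against constructed IDS alerts from layer-7 inspection of the same flows, so that only the permitted flows a deeper view disagreed with need a human look. The log formats, addresses and signature text are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data (not from the list post). The firewall log is a
# layer-3/4 view: it permits every TCP/80 flow. The IDS log is a layer-7 view
# of the same flows and flags one of them.
FIREWALL_PERMITS = """\
2004-10-01 10:05:01 PERMIT tcp 203.0.113.7:51532 -> 192.0.2.10:80
2004-10-01 10:05:03 PERMIT tcp 203.0.113.9:40211 -> 192.0.2.10:80
2004-10-01 10:05:04 PERMIT tcp 203.0.113.7:51540 -> 192.0.2.10:80
2004-10-01 10:05:09 DENY   tcp 203.0.113.22:1034 -> 192.0.2.10:23
"""

IDS_ALERTS = """\
2004-10-01 10:05:03 ALERT sig=2003 "HTTP request with suspicious URI" 203.0.113.9:40211 -> 192.0.2.10:80
"""

# Assumed log formats; adjust the patterns to whatever your devices emit.
PERMIT_RE = re.compile(r"^(\S+ \S+) (PERMIT|DENY)\s+(\w+) (\S+) -> (\S+)$")
ALERT_RE = re.compile(r'^(\S+ \S+) ALERT sig=(\d+) "([^"]*)" (\S+) -> (\S+)$')

def parse_permits(text):
    """Return only the flows the firewall allowed, keyed by (src, dst) endpoints."""
    flows = {}
    for line in text.splitlines():
        m = PERMIT_RE.match(line)
        if m and m.group(2) == "PERMIT":
            ts, _, proto, src, dst = m.groups()
            flows[(src, dst)] = {"ts": ts, "proto": proto}
    return flows

def parse_alerts(text):
    """Group IDS alerts by the (src, dst) endpoints they were raised on."""
    alerts = defaultdict(list)
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            ts, sig, msg, src, dst = m.groups()
            alerts[(src, dst)].append({"ts": ts, "sig": int(sig), "msg": msg})
    return alerts

def permitted_but_flagged(permit_text, alert_text):
    """Flows the L3/4 firewall called 'good' that L7 inspection disagreed with."""
    permits = parse_permits(permit_text)
    alerts = parse_alerts(alert_text)
    return sorted(
        (src, dst, permits[(src, dst)]["ts"], [a["msg"] for a in alerts[(src, dst)]])
        for (src, dst) in permits if (src, dst) in alerts
    )
```

The join shrinks the haystack from every permitted flow to the handful an inspecting device objected to, which is the efficiency argument the post makes for pairing permit logging with an IDS.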

