RE: [fw-wiz] Log checking?
From: Luke Butcher (Luke.Butcher_at_alphawest.com.au)
To: "Marcus J. Ranum" <email@example.com>
Date: Fri, 1 Oct 2004 11:01:17 +1000
>From: Marcus J. Ranum [mailto:firstname.lastname@example.org] Friday, 1 October 2004
>Luke Butcher wrote:
>>In this scenario I'm trusting the firewall to block all known bad.
>>Saves having to troll through all the traffic that gets past the
>>firewall, which is nearly all legitimate.
>Which is it? Do you trust your firewall to block ALL known bad and -
>the result is "nearly all" legitimate?? Are you
>saying your trust in your firewall is misplaced? ;)
I was using the vernacular of Mr. Robertson with respect to firewalls
blocking known bad. My inclusion of the word ALL is erroneous, nothing
is absolute. Well there is this one vodka, but that's another story. I
have trust in the firewall to block things it considers bad in its
perhaps limited view of the traffic (1).
It's the stuff it lets through that is more interesting; that was my point.
Take for example port 80 traffic: a firewall (usually) considers this to
be 'good' traffic.
However, more aware devices or people looking at this traffic may
consider otherwise. As suggested, MOST is legitimate but the firewall
considers it ALL legitimate (1).
This is where logging permits is useful as per the original discussion.
My use of an IDS (in conjunction with other methods) is purely a technique
for efficiency reasons. In my current role I am yet to find a single
customer with the conviction to security to commit the $$$ required to
do an exhaustive search regularly in an effort to find a needle in a
haystack. What they really want is a best effort to appease management
and shareholders, that they are committed to security however half-assed
it may be.
The ones with the nous to do it themselves don't need us, so by
definition aren't customers.
(1) I am aware of firewalls capable of Layer 5, 6, 7 dissection and so
forth. However, most firewalls I see deployed currently are concerned
with layers 3 and 4.
firewall-wizards mailing list
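The post argues that the permit (ACCEPT) log is where the interesting traffic sits: a layer 3/4 firewall waves every port 80 connection through, so the log of what it allowed is the only record a reviewer has. The script below is an added example, not code from the thread or from any firewall vendor; it assumes a constructed, netfilter-style syslog line format (SRC=, DST=, DPT= fields) and constructed sample lines. It keeps only ACCEPT records and then asks two defender's questions of them: which single source reached an unusually large number of distinct web servers, and which permitted connections went to ports the reviewer did not believe the policy allowed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in a netfilter-like syslog format. The format and
# the addresses are assumptions for this example, not any device's real output.
SAMPLE_LOG = """\
Oct  1 10:58:01 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80
Oct  1 10:58:02 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.11 PROTO=TCP SPT=51001 DPT=80
Oct  1 10:58:03 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.12 PROTO=TCP SPT=51002 DPT=80
Oct  1 10:58:04 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.13 PROTO=TCP SPT=51003 DPT=80
Oct  1 10:58:05 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=80
Oct  1 10:58:06 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=80
Oct  1 10:58:07 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.8 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=443
Oct  1 10:58:08 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.8 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=8080
Oct  1 10:58:09 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=23
"""

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_permits(log_text):
    """Return only the ACCEPT records. DROPs are the 'known bad' the firewall
    already handled; the permits are what still needs a human or an IDS."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("action") == "ACCEPT":
            rec = m.groupdict()
            rec["spt"] = int(rec["spt"])
            rec["dpt"] = int(rec["dpt"])
            records.append(rec)
    return records


def permits_by_port(records):
    """Count permitted connections per destination port."""
    return Counter(r["dpt"] for r in records)


def flag_fanout(records, port=80, max_hosts=3):
    """Sources that reached more than max_hosts distinct destinations on `port`.
    Each connection was individually 'good' to a layer 3/4 firewall; the
    pattern across connections is what merits a second look."""
    dsts = defaultdict(set)
    for r in records:
        if r["dpt"] == port:
            dsts[r["src"]].add(r["dst"])
    return sorted(src for src, hosts in dsts.items() if len(hosts) > max_hosts)


def unexpected_permits(records, allowed=frozenset({80, 443})):
    """Permitted connections to ports outside the policy the reviewer believed
    was in force: the quickest way to notice that the firewall's idea of
    'good' and yours have drifted apart."""
    return sorted({(r["src"], r["dst"], r["dpt"]) for r in records if r["dpt"] not in allowed})


if __name__ == "__main__":
    recs = parse_permits(SAMPLE_LOG)
    print("permits by port:", dict(permits_by_port(recs)))
    print("port-80 fan-out sources:", flag_fanout(recs))
    print("permits outside policy:", unexpected_permits(recs))
```

The thresholds (`max_hosts`, `allowed`) are deliberately plain so they can be tuned to a site's baseline; the point of the exercise is that neither finding is visible from the DROP log at all, only from what the firewall let through.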