Re: [fw-wiz] Log checking?

From: Kevin (KKadow_at_gmail.com)
Date: 10/01/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Thu, 30 Sep 2004 22:27:42 -0500

    On Thu, 30 Sep 2004 20:35:14 -0500, FW Wizards Mailing List
    <fw-wizards@danschmitz.com> wrote:
    > While I've really enjoyed reading this communication regarding logging,
    > I'm a little concerned. I think that all incoming traffic that is
    > dropped should be logged. An accept for an incoming ftp request would
    > look legitimate, when logging drops would show that an attempt on a
    > blocked port took place prior to that "legitimate" ftp traffic.
    > Additionally, for legal purposes it would be important to have
    > documentation of all drops that a firewall had from a specific
    > destination. I don't think there is ever too much "noise." You need to
    > filter your logs to provide you with the information you need. I do
    > agree that it is vital to monitor your employees' behavior. The only
    > traffic that I wouldn't want to log is NetBIOS traffic, etc, being
    > dropped by the internal interface on the firewall. A proper IDS
    > configuration (one on the inside and one on the outside) will help you
    > to audit your security policy. Without proper logging, how can your
    > security policy be as effective as it could be? Personally, I'm all for
    > logs that will provide the information desired upon need. I'd hate not
    > to get enough information when it is needed from a firewall.

    This depends greatly on the scale of your infrastructure -- my
    outbound firewall logs for permitted traffic exceed six gigabytes per
    day.

    As of last week, 75% of the lines logged by my inbound firewall events
    were worm traffic on the standard Microsoft file sharing ports.

    As of this week, we have added simple deny ACLs on the inbound edge
    routers to silently drop traffic towards these ports, so I can once
    again run a full day's worth of logs through my Perl analysis scripts
    without thrashing swap due to running out of RAM.

    KevinK
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
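The kind of first-pass tally behind the "75% of lines are worm traffic" figure above, written here as an added illustration rather than taken from Kevin's Perl scripts: it streams the log instead of loading it into memory and reports how much of the deny volume lands on a chosen set of ports. The log line format, the sample lines and the port set (135, 137-139, 445) are all assumptions of this example, not the thread's.

```python
import re
from collections import Counter

# Assumption: the ports the page's "Microsoft file sharing" worm noise targets.
FILE_SHARING_PORTS = {135, 137, 138, 139, 445}

# Constructed generic format: "date time ACTION PROTO src:port -> dst:port".
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>ACCEPT|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2004-09-30 22:01:02 DENY TCP 192.0.2.10:3512 -> 198.51.100.5:445
2004-09-30 22:01:03 DENY TCP 192.0.2.11:3513 -> 198.51.100.5:135
2004-09-30 22:01:03 DENY UDP 192.0.2.12:137 -> 198.51.100.5:137
2004-09-30 22:01:04 DENY TCP 192.0.2.13:4001 -> 198.51.100.5:139
2004-09-30 22:01:05 DENY TCP 192.0.2.14:4002 -> 198.51.100.5:445
2004-09-30 22:01:06 DENY TCP 192.0.2.15:4003 -> 198.51.100.5:445
2004-09-30 22:01:07 DENY TCP 203.0.113.7:5100 -> 198.51.100.5:22
2004-09-30 22:01:08 ACCEPT TCP 203.0.113.7:5101 -> 198.51.100.5:21
this line is corrupt and must be counted, not crash the run
"""


def summarize_denies(lines, noisy_ports=FILE_SHARING_PORTS):
    """Stream over log lines; only per-port counters stay in memory."""
    by_port = Counter()
    denies = unparsed = 0
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1          # keep going, but report the damage
            continue
        if m.group("action") != "DENY":
            continue               # accepts are out of scope for this tally
        denies += 1
        by_port[int(m.group("dport"))] += 1
    noisy = sum(n for p, n in by_port.items() if p in noisy_ports)
    return {"denies": denies, "by_port": dict(by_port),
            "noisy_share": noisy / denies if denies else 0.0,
            "unparsed": unparsed}


if __name__ == "__main__":
    print(summarize_denies(SAMPLE_LOG.splitlines()))
```

For a real file, pass the open file object itself (`summarize_denies(open(path))`) so lines are consumed one at a time; a high `noisy_share` is the evidence that an upstream deny ACL will shrink the log far more than any amount of post-hoc filtering.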

