RE: [fw-wiz] Log checking?

From: hermit921 (hermit921_at_yahoo.com)
Date: 10/01/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 01 Oct 2004 09:02:59 -0700

    We have found logging netbios traffic that hits the internal interface to
    be an excellent indicator of a machine gone bad. Good machines don't do
    that. If we had an IDS on the internal side to catch netbios traffic, I
    would be happy to discontinue logging such traffic on the firewall.

    We log everything that hits the firewall. Especially the stuff we block
    from the outside. We often have to prove our firewall isn't blocking
    traffic from a partner/customer - and it usually boils down to
    demonstrating the packets never got here or they are using the wrong port.

    hermit921

    At 06:35 PM 9/30/2004, FW Wizards Mailing List wrote:
    >While I've really enjoyed reading this communication regarding logging,
    >I'm a little concerned. I think that all incoming traffic that is
    >dropped should be logged. An accept for an incoming ftp request would
    >look legitimate, when logging drops would show that an attempt on a
    >blocked port took place prior to that "legitimate" ftp traffic.
    >Additionally, for legal purposes it would be important to have
    >documentation of all drops that a firewall had from a specific
    >destination. I don't think there is ever too much "noise." You need to
    >filter your logs to provide you with the information you need. I do
    >agree that it is vital to monitor your employee's behavior. The only
    >traffic that I wouldn't want to log is NetBIOS traffic, etc, being
    >dropped by the internal interface on the firewall. A proper IDS
    >configuration (one on the inside and one on the outside) will help you
    >to audit your security policy. Without proper logging, how can your
    >security policy be as effective as it could be? Personally, I'm all for
    >logs that will provide the information desired upon need. I'd hate not
    >to get enough information when it is needed from a firewall.

    [deleted]

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
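The two uses of firewall logs described in the post above, as an added example that is not part of the original message: flag internal hosts whose NetBIOS/SMB traffic reaches the inside interface, and answer the "did the partner's packets ever get here, and on which port" question. The log lines are constructed in an iptables-style format and the interface names eth0 (outside) and eth1 (inside) are assumptions.

```python
import re
from collections import defaultdict

# NetBIOS name/datagram/session service and SMB over TCP.
NETBIOS_PORTS = {137, 138, 139, 445}

# Constructed iptables-style firewall log lines; not taken from the post.
SAMPLE_LOG = """\
Oct  1 09:02:59 fw kernel: DROP IN=eth1 OUT= SRC=10.0.0.5 DST=10.0.0.255 PROTO=UDP SPT=137 DPT=137
Oct  1 09:03:01 fw kernel: DROP IN=eth1 OUT= SRC=10.0.0.5 DST=10.0.0.77 PROTO=TCP SPT=4412 DPT=445
Oct  1 09:03:05 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=198.51.100.20 PROTO=TCP SPT=51000 DPT=443
Oct  1 09:04:10 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.8 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=21
Oct  1 09:04:12 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.8 DST=192.0.2.10 PROTO=TCP SPT=33001 DPT=22
Oct  1 09:05:00 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137
"""

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) IN=(?P<in>\S*) OUT=(?P<out>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

def parse_line(line):
    """Return the firewall fields of one log line as a dict, or None if it is not a rule hit."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"], rec["dpt"] = int(rec["spt"]), int(rec["dpt"])
    return rec

def netbios_offenders(log, internal_iface):
    """Map each inside host that sent NetBIOS/SMB to the firewall's inside interface to the ports it hit.
    External hosts probing the same ports on the outside interface are a different problem and are ignored."""
    hits = defaultdict(set)
    for rec in filter(None, map(parse_line, log.splitlines())):
        if rec["in"] == internal_iface and rec["dpt"] in NETBIOS_PORTS:
            hits[rec["src"]].add(rec["dpt"])
    return dict(hits)

def partner_evidence(log, partner_ip, external_iface):
    """Ports a partner's packets actually reached on the outside interface and the verdict for each.
    An empty result means the packets never arrived; a DROP on an unexpected port means a wrong port."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse_line, log.splitlines())):
        if rec["in"] == external_iface and rec["src"] == partner_ip:
            seen[rec["dpt"]].add(rec["action"])
    return {port: sorted(acts) for port, acts in seen.items()}
```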
