Re: [fw-wiz] Pix 535 Logging



MJR-like Rant: Best practices would include blocking *everything*
outbound that you don't explicitly want going out. In an educational
environment, you might not be able to block, but in a corporate
environment you should be able to. At a minimum, logging this traffic
can help you understand where you might need to block. Doing this helps
prevent your internal machines from being poor "net neighbors" and
blindly infecting others.

In response to the OP, you could allow your known email servers in a
rule that doesn't log, and then have a second rule that allows or
denies (based on your policy/environment) but logs entries that match
this rule.


________________________________

From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of
David Swafford
Sent: Wednesday, November 08, 2006 9:58 AM
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [fw-wiz] Pix 535 Logging


Have you thought about just blocking all outbound port 25
connections except for your authorized MX and mail servers? We did that
at my company about a year back and eliminated the problem of infected
machines flooding spam out from our network.

Just a thought,

David.

____________________________________________________


David A. Swafford, Network Engineer
Information Technology Team
Archbishop Alter High School

EC-Council Certified Ethical Hacker

A Cisco Systems, Inc., Certified Network Associate (CCNA)
and a CompTIA Network+ and Security+ Certified Professional
<mailto:dswafford@xxxxxxxxxxxxxxxxxxx>


>>> james.burns@xxxxxxxxxxxxxxxx 11/8/2006 5:50 am >>>
Hi,

I have a quick question regarding logging on a Pix 535.

We're currently getting a lot of CERT notifications for spammers
operating within our network - mainly just students with 0wned machines,
but we're looking into ways to automate the procedure slightly.

Anyway, what I'm looking to do, and what I need help with.... I want to
know if it's possible to log all outbound port 25 connection attempts,
EXCEPT those that come from our authorised MX's and mail servers. AND I
would like to be able to do this in addition to the normal logging that
takes place.

So, is it possible?

Any thoughts and guidance you can provide are very much appreciated.

Cheers,
James

--
James Burns

Network Advisor - Student & Learning Support
University of Sunderland



_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
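
An added example, not part of any message in this thread: one way to automate the follow-up once a logging rule for outbound port 25 is in place, by tallying SMTP attempts per internal host and listing the hosts worth checking. It assumes log lines in the shape of the PIX ACL-hit syslog message (106100); the ACL name, host name, addresses, mail-server list and threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines modelled on PIX syslog message 106100.
# Addresses, ACL name and host name are illustrative, not from the thread.
SAMPLE_LOG = """\
Nov 08 2006 10:01:02 pix535 %PIX-6-106100: access-list inside_out permitted tcp inside/10.20.3.15(1045) -> outside/198.51.100.7(25) hit-cnt 1 (first hit)
Nov 08 2006 10:06:02 pix535 %PIX-6-106100: access-list inside_out permitted tcp inside/10.20.3.15(1045) -> outside/198.51.100.7(25) hit-cnt 240 (300-second interval)
Nov 08 2006 10:06:09 pix535 %PIX-6-106100: access-list inside_out denied tcp inside/10.20.8.77(3321) -> outside/203.0.113.9(25) hit-cnt 1 (first hit)
Nov 08 2006 10:06:11 pix535 %PIX-6-106100: access-list inside_out permitted tcp inside/10.20.1.10(25001) -> outside/203.0.113.9(25) hit-cnt 1 (first hit)
Nov 08 2006 10:06:12 pix535 %PIX-6-106100: access-list inside_out permitted tcp inside/10.20.8.77(3400) -> outside/203.0.113.9(80) hit-cnt 1 (first hit)
"""

# Assumed list of authorised MX and mail servers (constructed address).
AUTHORISED = {"10.20.1.10"}

# Fields of an ACL-hit line: action, source and destination
# interface/address(port), and the hit count for the reporting interval.
ACL_HIT = re.compile(
    r"%PIX-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) tcp "
    r"(?P<sif>[^/\s]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/\s]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

def smtp_attempts(log_text, authorised, inside_if="inside"):
    """Sum outbound port-25 hit counts per source host, skipping authorised servers."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ACL_HIT.search(line)
        if not m or m["dport"] != "25" or m["sif"] != inside_if:
            continue  # not an ACL hit, not SMTP, or not from the inside interface
        if m["src"] in authorised:
            continue  # safety net in case a mail server still reaches the logging rule
        counts[m["src"]] += int(m["hits"])
    return counts

def suspects(counts, threshold):
    """Hosts at or above the threshold, busiest first."""
    hits = [h for h, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda h: -counts[h])

if __name__ == "__main__":
    totals = smtp_attempts(SAMPLE_LOG, AUTHORISED)
    for host in suspects(totals, threshold=50):
        print(host, totals[host])
```
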





