Re: [fw-wiz] Pix 535 Logging
- From: "Behm, Jeffrey L." <BehmJL@xxxxxx>
- Date: Wed, 8 Nov 2006 11:12:07 -0600
MJR-like Rant: Best practices would include blocking *everything*
outbound that you don't explicitly want going out. In an educational
environment, you might not be able to block, but in a corporate
environment you should be able to. At a minimum, logging this traffic
can help you understand where you might need to block. Doing this helps
prevent your internal machines from being poor "net neighbors" and
blindly infecting others.
In response to the OP, you could allow your known email servers in a
rule that doesn't log, and then have a second rule that allows or
denies (based on your policy/environment) but logs entries that match
this rule.
________________________________
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of
David Swafford
Sent: Wednesday, November 08, 2006 9:58 AM
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [fw-wiz] Pix 535 Logging
Have you thought about just blocking all outbound port 25
connections except for your authorized MX and mail servers? We did that
at my company about a year back and eliminated the problem of infected
machines flooding spam out from our network.
Just a thought,
David.
____________________________________________________
David A. Swafford, Network Engineer
Information Technology Team
Archbishop Alter High School
EC-Council Certified Ethical Hacker
A Cisco Systems, Inc., Certified Network Associate (CCNA)
and a CompTIA Network+ and Security+ Certified Professional
<mailto:dswafford@xxxxxxxxxxxxxxxxxxx>
>>> james.burns@xxxxxxxxxxxxxxxx 11/8/2006 5:50 am >>>
Hi,
I have a quick question regarding logging on a Pix 535.
We're currently getting a lot of CERT notifications for spammers
operating within our network - mainly just students with 0wned machines,
but we're looking into ways to automate the procedure slightly.
Anyway, what I'm looking to do, and what I need help with.... I want to
know if it's possible to log all outbound port 25 connection attempts,
EXCEPT those that come from our authorised MX's and mail servers. AND I
would like to be able to do this in addition to the normal logging that
takes place.
So, is it possible?
Any thoughts and guidance you can provide are very much appreciated.
Cheers,
James
--
James Burns
Network Advisor - Student & Learning Support
University of Sunderland
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
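Added example, not part of the original thread or any poster's code: one way to automate the triage the original question asks about, by reading the syslog output of the logging rule and listing internal hosts that attempt outbound port 25 connections. It assumes the logging rule produces PIX syslog message 106100; the ACL name, the addresses, the threshold and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: the rule carrying the "log" keyword emits syslog message 106100.
ACL_HIT = re.compile(
    r"%PIX-\d-106100: access-list \S+ (?:permitted|denied) tcp "
    r"\S+/(?P<src>[\d.]+)\(\d+\) -> \S+/(?P<dst>[\d.]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+)"
)

# Hypothetical addresses standing in for the authorised MX and mail servers.
AUTHORISED = {"10.1.1.25", "10.1.1.26"}

# Constructed sample log lines (not taken from a real device).
SAMPLE_LOG = """\
Nov 08 2006 10:15:01: %PIX-6-106100: access-list inside_out denied tcp inside/10.1.20.55(1045) -> outside/198.51.100.7(25) hit-cnt 1 (first hit)
Nov 08 2006 10:15:02: %PIX-6-106100: access-list inside_out denied tcp inside/10.1.20.55(1046) -> outside/203.0.113.9(25) hit-cnt 1 (first hit)
Nov 08 2006 10:15:04: %PIX-6-106100: access-list inside_out permitted tcp inside/10.1.30.12(2210) -> outside/192.0.2.80(80) hit-cnt 1 (first hit)
Nov 08 2006 10:15:09: %PIX-6-106100: access-list inside_out denied tcp inside/10.1.30.12(2214) -> outside/203.0.113.9(25) hit-cnt 1 (first hit)
Nov 08 2006 10:16:00: %PIX-6-106100: access-list inside_out permitted tcp inside/10.1.1.25(3456) -> outside/198.51.100.7(25) hit-cnt 3 (300-second interval)
Nov 08 2006 10:20:01: %PIX-6-106100: access-list inside_out denied tcp inside/10.1.20.55(1045) -> outside/198.51.100.7(25) hit-cnt 42 (300-second interval)
Nov 08 2006 10:20:05: %PIX-4-106023: Deny udp src inside:10.1.40.2/137 dst outside:192.0.2.1/137 by access-group "inside_out"
""".splitlines()


def smtp_offenders(lines, authorised=AUTHORISED, min_attempts=5):
    """Return [(source_ip, attempts, distinct_destinations)], busiest first."""
    attempts = defaultdict(int)
    dests = defaultdict(set)
    for line in lines:
        m = ACL_HIT.search(line)
        # Skip other messages, other ports, and the authorised mail servers.
        if not m or m["dport"] != "25" or m["src"] in authorised:
            continue
        # hit-cnt is 1 on "first hit" and the per-interval total afterwards.
        attempts[m["src"]] += int(m["hits"])
        dests[m["src"]].add(m["dst"])
    report = [(ip, n, len(dests[ip])) for ip, n in attempts.items() if n >= min_attempts]
    return sorted(report, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for ip, n, d in smtp_offenders(SAMPLE_LOG):
        print(f"{ip}: {n} outbound SMTP attempts to {d} destination(s)")
```
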