Re: Odd scans and stuff bouncing off firewalls

From: Greg A. Woods (woods@weird.com)
Date: 08/13/02


From: woods@weird.com (Greg A. Woods)
To: "Nexus" <nexus@patrol.i-way.co.uk>
Date: Tue, 13 Aug 2002 14:54:41 -0400 (EDT)


[ On Tuesday, August 13, 2002 at 16:57:31 (+0100), Nexus wrote: ]
> Subject: Odd scans and stuff bouncing off firewalls
>
> Just a quick straw poll to see if anyone has any hard data that supports the
> logging and analysis of traffic that bounces off of filtering devices as
> part of a business security plan ? Other than generating attack metrics to
> wave under the noses of senior management at budget time, is there any
> definite _business_ requirement to have IDS sensors outside the firewall or
> firewall "drop" logs et al regularly examined in the context of "external"
> attack sources ?

I should hope not. ;-)

Any such _business_ requirement would be sadly and sorely misguided.

> I don't bother to chase anything from anywhere unless it makes it through
> the filters because I could care less and it would IMHO purely be a time
> sink and even then only if it's from a netblock that has a whois abuse@
> entry.

I agree with you entirely!

Filter logs are mostly merely an interesting time diversion when one is
bored because one's firewall defenses have proven to be sufficiently
impenetrable, and they are otherwise only an optional way to prop up any
budget requests (i.e. to assure upper management that the Big Bad
Internet is still a wild and wooly place and that a good defense is
still an absolute requirement for participating in it when any aspects
of one's business might be placed at risk by such participation).

(This is assuming of course that any IDS mechanisms used to detect
flooding style attacks are separate from firewall filter logs.)

-- 
Greg A. Woods

+1 416 218-0098; <g.a.woods@ieee.org>; <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
