Re: IDS logs vs FW1 logs

From: Chris Wilkes (cwilkes@ladro.com)
Date: 10/16/01


Date: Tue, 16 Oct 2001 10:09:00 -0700 (PDT)
From: Chris Wilkes <cwilkes@ladro.com>
To: security-basics@securityfocus.com
Subject: Re: IDS logs vs FW1 logs
Message-ID: <Pine.LNX.4.10.10110161005490.30321-100000@cjw.depechecode.com>

On Mon, 15 Oct 2001 themac@iinet.net.au wrote:

> In regards to external connections and access log monitoring, what would
> there be a reason to monitor your FW logs if you already have an IDS and
> logging in place on that system?

Just a quick off-the-cuff answer: to make sure both of them are working as
advertised. Also for your own sanity and knowledge about the system. See
how both programs work and make sure that they are reporting the same
incidents.

It does initially seem that you're doubling your work, but after becoming
familiar with both sets of reports you'll gain more knowledge of what's
going on.

What if one of the reporting tools was compromised? You'll be able to see
that with one of the products reporting a break-in while the other is
silent.

What if there is a new hack out? Your firewall might miss it but the IDS
doesn't, or vice versa.

In short: having multiple logs of nearly the same thing is a good thing;
you'll be able to spot irregular events more easily.

Chris
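
A small cross-check of the kind Chris describes, added here as an example
and not part of the original post or the thread. It pairs firewall records
with IDS alerts on source, destination and destination port inside a short
time window and lists whatever only one side saw: an IDS alert with no
firewall record is the "one product reports a break-in while the other is
silent" case. The log formats and the sample lines are constructed,
simplified stand-ins; they are not Check Point FW-1 export format or Snort
alert format, so the two parsers would need adjusting for real logs.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# One normalised record for both sources.
Event = namedtuple("Event", "ts src dst dport detail")

# Constructed, simplified firewall log (NOT real FW-1 export format):
# "<date> <time> <action> <proto> <src> <dst> <dport>"
FW_LOG = """\
16Oct2001 10:01:02 accept tcp 192.0.2.10 198.51.100.5 80
16Oct2001 10:01:05 drop tcp 192.0.2.77 198.51.100.5 23
16Oct2001 10:02:30 accept tcp 203.0.113.9 198.51.100.5 443
"""

# Constructed, simplified IDS alerts (NOT real Snort output):
# "<date> <time> <signature text> <src> -> <dst>:<dport>"
IDS_LOG = """\
16Oct2001 10:01:03 WEB-IIS cmd.exe access 192.0.2.10 -> 198.51.100.5:80
16Oct2001 10:01:06 TELNET login attempt 192.0.2.77 -> 198.51.100.5:23
16Oct2001 10:05:00 WEB-MISC /etc/passwd 203.0.113.44 -> 198.51.100.5:80
"""

_IDS_RE = re.compile(r"^(\S+) (\S+) (.+?) (\S+) -> (\S+):(\d+)$")


def _ts(date, time):
    return datetime.strptime(f"{date} {time}", "%d%b%Y %H:%M:%S")


def parse_fw(text):
    """Parse the constructed firewall format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, action, proto, src, dst, dport = line.split()
        events.append(Event(_ts(date, time), src, dst, int(dport), f"{action} {proto}"))
    return events


def parse_ids(text):
    """Parse the constructed IDS alert format into Event records."""
    events = []
    for line in text.splitlines():
        m = _IDS_RE.match(line)
        if not m:
            continue
        date, time, sig, src, dst, dport = m.groups()
        events.append(Event(_ts(date, time), src, dst, int(dport), sig))
    return events


def correlate(fw_events, ids_events, window=timedelta(seconds=10)):
    """Pair records from the two sources on (src, dst, dport) within `window`.

    Returns a dict with three lists:
      both      IDS alerts that have a matching firewall record (expected case)
      ids_only  IDS alerts the firewall never logged: the traffic bypassed the
                firewall, or the firewall's logging is broken or tampered with
      fw_only   firewall records no IDS alert refers to: traffic the IDS had
                nothing to say about (often normal, sometimes a blind spot)
    """
    both, ids_only, matched_fw = [], [], set()
    for alert in ids_events:
        hits = [i for i, f in enumerate(fw_events)
                if (f.src, f.dst, f.dport) == (alert.src, alert.dst, alert.dport)
                and abs(f.ts - alert.ts) <= window]
        if hits:
            both.append(alert)
            matched_fw.update(hits)
        else:
            ids_only.append(alert)
    fw_only = [f for i, f in enumerate(fw_events) if i not in matched_fw]
    return {"both": both, "ids_only": ids_only, "fw_only": fw_only}


def report(result):
    """Render the discrepancies as text, loudest problem first."""
    lines = []
    for e in result["ids_only"]:
        lines.append(f"ALERT  IDS saw '{e.detail}' {e.src}->{e.dst}:{e.dport} at "
                     f"{e.ts:%H:%M:%S}; firewall log has no matching record")
    for e in result["fw_only"]:
        lines.append(f"info   firewall {e.detail} {e.src}->{e.dst}:{e.dport} at "
                     f"{e.ts:%H:%M:%S}; no IDS alert")
    lines.append(f"{len(result['both'])} alert(s) confirmed by firewall records")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(correlate(parse_fw(FW_LOG), parse_ids(IDS_LOG))))
```

The window width is the main tuning knob: firewall and IDS clocks drift, and
the firewall stamps the connection while the IDS stamps the packet that
matched a signature, so a few seconds of slack is normal. Syncing both boxes
to the same time source keeps the window short enough to stay useful.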