"Duane Arnold" <NotME@NotME.com> wrote in message
news:xJrWf.7983$x94.7162@newsread1.news.pas.earthlink.net...
>
> <carkaci@gmail.com> wrote in message
> news:1143620311.437436.165310@g10g2000cwb.googlegroups.com...
>> In our company, we enable only the ACCEPTED packet logging (cisco
>> firewall) ? I wonder the advantage of deny or rejected packets logging
>> also i.e. (full logging). Any idea ? What type of analysis can be done
>> at that time?
>>
>
> I would think the ability to get a total picture of all traffic hitting
> the FW that's being rejected. I particularly like to keep track or keep
> an eye on remote IP(s) the same IP coming at the FW numerous times and run
> analysis reporting on how many times the same IP is coming at the FW by
> day, week and month. I have not done it that often maybe 3 or 4 times
> that I have set a rule on my Watchguard that I denied specific IP(s) that
> were coming just a little too hard, even if the unsolicited traffic was
> being rejected by the FW. It's just me, but I don't like flying half blind
> and want to see all aspects of what's happening from time to time.
>
> Duane :)
I'm in basic agreement although the volume of incoming denied traffic at
some places makes it impractical to do for very long (i.e., a gigabyte of log
data every two or three hours). To some degree it doesn't matter because if
it's dropped it's out of your hair but there are indeed useful bits of info
to be gleaned from it. I like to log it, analyse it, then dump the raw data
and keep the reports, when that infrastructure exists.
However, sometimes dropped data that is *outbound* is very, very useful. In
other words, what are your PCs doing that they shouldn't be? I find this
data is almost always relevant, in places with a positive permit / default
deny outbound model, which is my preference.
-Russ.
Received on Mon May 1 01:03:17 2006
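The two kinds of analysis discussed in this thread, counting how often the same remote IP hits the firewall by day, week and month, and separately reviewing *outbound* denies to see what internal PCs are trying to reach, can be done with a small parser over the deny log. The script below is an added example written for this page, not code from any poster. The log lines are constructed and use a simplified approximation of the Cisco ASA "Deny" message layout; the zone names `outside` and `inside` used to classify direction are an assumption and should be replaced with whatever the firewall actually emits.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in a simplified Cisco-ASA-style "Deny" format
# (an approximation written for this example, not captured from a real device).
SAMPLE_LOG = """\
Apr 24 2006 10:15:01 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/41234 dst inside:192.0.2.10/445 by access-group "outside_in"
Apr 24 2006 10:15:05 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/41235 dst inside:192.0.2.10/139 by access-group "outside_in"
Apr 24 2006 11:02:13 fw1 %ASA-4-106023: Deny udp src outside:198.51.100.5/53 dst inside:192.0.2.10/1027 by access-group "outside_in"
Apr 25 2006 02:30:44 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/41300 dst inside:192.0.2.11/22 by access-group "outside_in"
Apr 26 2006 09:12:00 fw1 %ASA-4-106023: Deny tcp src inside:192.0.2.55/3344 dst outside:198.51.100.9/6667 by access-group "inside_out"
Apr 26 2006 09:12:04 fw1 %ASA-4-106023: Deny tcp src inside:192.0.2.55/3345 dst outside:198.51.100.9/6667 by access-group "inside_out"
Apr 26 2006 09:13:00 fw1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.20/40000 to inside:192.0.2.10/80
May 01 2006 00:45:10 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/50001 dst inside:192.0.2.10/445 by access-group "outside_in"
May 01 2006 00:45:12 fw1 %ASA-4-106023: Deny udp src inside:192.0.2.56/1234 dst outside:203.0.113.200/53 by access-group "inside_out"
"""

# Matches only "Deny" messages; accept/"Built" lines fall through and are skipped.
DENY_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-\d+: Deny "
    r"(?P<proto>\w+) src (?P<szone>\w+):(?P<sip>[\d.]+)/\d+ "
    r"dst (?P<dzone>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)

# Zone names for the untrusted and trusted sides (assumption; adjust to your config).
OUTSIDE_ZONE = "outside"
INSIDE_ZONE = "inside"


def parse_denies(text):
    """Return a list of parsed deny events; lines that are not denies are skipped."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        if m.group("szone") == OUTSIDE_ZONE:
            direction = "inbound"      # unsolicited traffic hitting the FW
        elif m.group("szone") == INSIDE_ZONE:
            direction = "outbound"     # an internal PC doing something it shouldn't
        else:
            direction = "other"
        events.append({
            "ts": ts, "direction": direction, "proto": m.group("proto"),
            "sip": m.group("sip"), "dip": m.group("dip"),
            "dport": int(m.group("dport")),
        })
    return events


def period_key(ts, period):
    """Bucket a timestamp by calendar day, ISO week or month."""
    if period == "day":
        return ts.strftime("%Y-%m-%d")
    if period == "week":
        iso_year, iso_week, _ = ts.isocalendar()
        return f"{iso_year}-W{iso_week:02d}"
    if period == "month":
        return ts.strftime("%Y-%m")
    raise ValueError(f"unknown period {period!r}")


def inbound_hits_by_period(events, period):
    """Count inbound denies per (period bucket, remote source IP)."""
    counts = Counter()
    for ev in events:
        if ev["direction"] == "inbound":
            counts[(period_key(ev["ts"], period), ev["sip"])] += 1
    return counts


def repeat_offenders(events, threshold):
    """Remote IPs with at least `threshold` inbound denies in total."""
    totals = Counter(ev["sip"] for ev in events if ev["direction"] == "inbound")
    return {ip: n for ip, n in totals.items() if n >= threshold}


def outbound_denies(events):
    """Outbound denies grouped by (internal host, destination, port, proto)."""
    counts = Counter()
    for ev in events:
        if ev["direction"] == "outbound":
            counts[(ev["sip"], ev["dip"], ev["dport"], ev["proto"])] += 1
    return counts


if __name__ == "__main__":
    evs = parse_denies(SAMPLE_LOG)
    for period in ("day", "week", "month"):
        print(f"-- inbound denies by {period} --")
        for (bucket, ip), n in sorted(inbound_hits_by_period(evs, period).items()):
            print(f"{bucket} {ip:16} {n}")
    print("-- repeat offenders (>=3) --", repeat_offenders(evs, 3))
    print("-- outbound denies (what the PCs tried to do) --")
    for key, n in outbound_denies(evs).most_common():
        print(key, n)
```

Run against the real deny log instead of `SAMPLE_LOG`, keep the per-period reports and the outbound table, and the raw data can be discarded once the reports are produced, which is the "log it, analyse it, then dump the raw data" workflow Russ describes. The outbound table is the one worth reading line by line: on a default-deny outbound network every entry is an internal host that tried something the policy does not allow.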