Re: A Question about FireWall logging


comp.security.firewalls archive

From: Triffid <triffid@nebula.net>
Date: Thu Mar 30 2006 - 07:27:52 CEST

Moe Trin wrote:

> On 29 Mar 2006, in the Usenet newsgroup comp.security.firewalls, in article
> <1143665963.464453.19250@e56g2000cwe.googlegroups.com>, carkaci@gmail.com
> wrote:
>
>
>>Dear Moe Trin, to make it clear,
>>you think "In general, there is no need to enable full logging, most of
>>the time accepted packet logging is enough". Am I right?
>
>
> Yup - the less work spent blocking, the better off you are. "The bad guy"
> isn't getting in - that particular battle is over. There is no Internet
> Police, and nothing else you can (or need to) do.

Logging blocks at the perimeter can be useful for research purposes -
for example a spike in probes to a specific port may indicate a zero-day
exploit is being developed.

In general I agree one is best served by minimising resources expended
to attenuate Internet noise - however the OP did not stipulate that his
question pertained to a perimeter firewall. Internal "bad guys" need to
be tracked down and dealt with, so logging configuration of internal
firewalls is an entirely different matter.

Triffid
Received on Mon May 1 01:03:29 2006
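
Added example (not part of the original post): one way to make use of perimeter block logs for the port-spike observation in the message above, comparing the latest hour's blocked probes per destination port against the median of earlier hours. The netfilter-style log layout, the function names and the `factor`/`floor` thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Assumed layout (netfilter-style): "Mon DD HH:MM:SS host kernel: ... PROTO=TCP ... DPT=445"
LINE_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d+) (?P<hour>\d{2}):\d{2}:\d{2} .*?"
    r"PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

def bucket_counts(lines):
    """Count blocked packets per (proto, dport) in each hourly bucket."""
    buckets = defaultdict(Counter)  # "Mar 29 10" -> {("TCP", 445): n}
    for line in lines:
        m = LINE_RE.search(line)
        if m:  # lines without a destination port (e.g. ICMP) are skipped
            buckets[f"{m['day']} {m['hour']}"][(m["proto"], int(m["dpt"]))] += 1
    return buckets

def find_spikes(lines, factor=5, floor=20):
    """Ports whose latest-hour count is >= floor and > factor x median of earlier hours."""
    buckets = bucket_counts(lines)
    hours = list(buckets)  # insertion order; assumes the log is chronological
    if len(hours) < 2:
        return []  # no history to compare against
    *history, latest = hours
    spikes = []
    for key, count in buckets[latest].items():
        baseline = median(buckets[h][key] for h in history)  # Counter gives 0 if unseen
        if count >= floor and count > factor * baseline:
            spikes.append((key, count, baseline))
    return sorted(spikes, key=lambda s: -s[1])

def sample_log():
    """Constructed block-log lines using documentation address ranges."""
    tmpl = ("Mar 29 {h:02d}:{m:02d}:00 fw kernel: BLOCK IN=eth0 OUT= "
            "SRC=203.0.113.{s} DST=192.0.2.10 PROTO=TCP SPT=40000 DPT={p}")
    lines = []
    for h in (8, 9, 10, 11):
        n445 = 40 if h == 11 else 3  # quiet background, then a burst in the last hour
        lines += [tmpl.format(h=h, m=i, s=i + 1, p=445) for i in range(n445)]
        lines += [tmpl.format(h=h, m=i + 40, s=i + 100, p=22) for i in range(6)]
    return lines

if __name__ == "__main__":
    for (proto, port), count, base in find_spikes(sample_log()):
        print(f"{proto}/{port}: {count} blocks in latest hour (median before: {base})")
```

The `floor` keeps steady low-volume noise, such as the constant port 22 probes in the sample, from being reported as a spike.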