Re: A Question about FireWall logging
comp.security.firewalls archive


From: Moe Trin <ibuprofin@painkiller.example.tld>
Date: Sat Apr 01 2006 - 18:14:15 CEST

On 31 Mar 2006, in the Usenet newsgroup comp.security.firewalls, in article
<1143819598.162401.23900@z34g2000cwc.googlegroups.com>, rick@bcm.tmc.edu wrote:

>IIRC, the original question was whether or not
>to log rejects as well as accepts on a firewall.

[quote]

In our company, we enable only the ACCEPTED packet logging (cisco
firewall) ? I wonder the advantage of deny or rejected packets logging
also i.e. (full logging). Any idea ? What type of analysis can be done
at that time?

[/quote]

>The OP never stated that this was not a perimeter firewall BTW

I interpreted the above as being a perimeter firewall.

>However, it may be useful to log some forms of rejects just to keep track
>of what is out there.

As mentioned in the response to Russ, we do monitor the _outbound_ stuff,
just to make sure policy isn't being violated. Inbound rejects are ignored
unless there is a reported problem.

>DSHIELD works by having people send them their firewall logs so events
>can be correlated across multiple organizations to determine active
>attack patterns.

Prohibited by company policies. At home, I rarely bother wasting CPU
cycles or RAM logging stuff - it's only a clapped out 386SX, and doesn't
get all that much attention anyway because I offer _no_ network services
to the public.

>It is also useful to log rejects to see for ourselves what is going on
>out there.
>
>There are certain classes of logs that you do not need to log, such as
>Microsoft netbios traffic and inbound SQL. This type of traffic is so
>massive that it can affect FW performance to log it.

Hit the nail on the head there. I don't run windoze, so crap that is
targeting windoze is absolutely of no interest to me. I see enough of the
skript kiddiez and zombies knocking on the SSH port that I had to move my
server to a less commonly probed port, and finally to switch over to a
port-knocking scheme.

        Old guy
Received on Mon May 1 01:03:59 2006
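The kind of analysis the thread is circling (keep reject logs for outbound traffic to catch policy violations, throw away the high-volume inbound noise such as NetBIOS and SQL probes, and keep an eye on whatever is left, like repeated SSH knocks) can be done with a small triage script over the firewall log. The following is an added example, not code from the original post or from any of the posters; it assumes netfilter-style LOG lines with constructed DROP-IN / DROP-OUT prefixes and made-up addresses, not Cisco syslog, and the noise port list is a placeholder the reader would tune to their own environment.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in netfilter LOG-target format (documentation
# address ranges, not real traffic). Inbound rejects carry the DROP-IN prefix,
# outbound rejects the DROP-OUT prefix; both prefixes are assumptions.
SAMPLE_LOG = """\
Apr  1 18:10:01 fw kernel: DROP-IN IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=4312 DPT=445
Apr  1 18:10:02 fw kernel: DROP-IN IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=4313 DPT=139
Apr  1 18:10:03 fw kernel: DROP-IN IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=52211 DPT=1433
Apr  1 18:10:04 fw kernel: DROP-IN IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=52212 DPT=22
Apr  1 18:10:05 fw kernel: DROP-IN IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=52213 DPT=22
Apr  1 18:10:06 fw kernel: DROP-OUT IN= OUT=eth0 SRC=192.0.2.15 DST=203.0.113.40 PROTO=TCP SPT=40001 DPT=25
Apr  1 18:10:07 fw kernel: DROP-OUT IN= OUT=eth0 SRC=192.0.2.15 DST=203.0.113.41 PROTO=TCP SPT=40002 DPT=6667
Apr  1 18:10:08 fw kernel: DROP-OUT IN= OUT=eth0 SRC=192.0.2.23 DST=203.0.113.42 PROTO=UDP SPT=51000 DPT=53
"""

# Inbound rejects to these ports are background noise on a non-Windows site
# (NetBIOS/SMB and MS SQL probes) and are counted but not itemised. Placeholder list.
NOISE_PORTS = {135, 137, 138, 139, 445, 1433, 1434}

LINE_RE = re.compile(
    r"(?P<prefix>DROP-(?:IN|OUT)) IN=(?P<in>\S*) OUT=(?P<out>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict of the reject's fields, or None for lines that are not rejects."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    rec["direction"] = "out" if rec["prefix"] == "DROP-OUT" else "in"
    return rec


def triage(log_text):
    """Split rejects into: suppressed inbound noise, remaining inbound (src, port)
    hits, and outbound denies per internal host (the policy-violation view)."""
    noise = Counter()                 # dport -> count of discarded inbound noise
    inbound = Counter()               # (src, dport) -> count of interesting inbound rejects
    outbound = defaultdict(Counter)   # internal src -> (dst, proto, dport) -> count
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["direction"] == "in":
            if rec["dpt"] in NOISE_PORTS:
                noise[rec["dpt"]] += 1
            else:
                inbound[(rec["src"], rec["dpt"])] += 1
        else:
            outbound[rec["src"]][(rec["dst"], rec["proto"], rec["dpt"])] += 1
    return {"noise": noise, "inbound": inbound, "outbound": outbound}


def policy_violators(result):
    """Internal hosts whose outbound traffic was rejected, busiest first."""
    return sorted(result["outbound"], key=lambda h: -sum(result["outbound"][h].values()))


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("inbound noise suppressed:", sum(r["noise"].values()), "lines", dict(r["noise"]))
    for (src, dpt), n in r["inbound"].most_common():
        print(f"inbound  {src} -> port {dpt}: {n} rejects")
    for host in policy_violators(r):
        for (dst, proto, dpt), n in r["outbound"][host].most_common():
            print(f"outbound {host} -> {dst} {proto}/{dpt}: {n} rejects (policy violation?)")
```

On the sample, the three NetBIOS/SQL probes are folded into one count, the two SSH knocks from one source stay visible, and the two internal hosts that tried to reach SMTP, IRC and an outside DNS server show up as candidates for a policy check. On a real firewall the same split would be done at rule level (only the DROP-OUT rule logs every packet, the inbound noise rule logs nothing or is rate-limited), which is what keeps the logging cost down.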