Just a quick straw poll to see if anyone has any hard data that supports the logging and analysis of traffic that bounces off of filtering devices as part of a business security plan ? Other than generating attack metrics to wave under the noses of senior managment at budget time, is there any definite _business_ requirement to have IDS sensors outside the firewall or firewall "drop" logs et al regularly examined in the context of "external" attack sources ? "We defended against X bazillion hack attacks last year so we need a bigger budget for more stuff.." BableFish (H2G2 version) : "Tons of port scans and worms from non accountable netblocks bounced off of the firewall" I don't bother to chase anything from anywhere unless it makes it through the filters because I could care less and it would IMHO purely be a time sink and even then only if it's from a netblock that has a whois abuse@ entry. As I said, this is purely my own view, on my own network knowing the sheer amount of background radiation on the internet, so I would appreciate some other points of view. Cheers. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Aug 13 2002 - 09:37:21 PDT