Re: Odd scans and stuff bouncing off firewalls

From: Greg A. Woods (woodsat_private)
Date: Tue Aug 13 2002 - 11:54:41 PDT

Next message: Greg A. Woods: "RE: Odd scans and stuff bouncing off firewalls"

Previous message: H C: "RE: Subseven Scans"
In reply to: Nexus: "Odd scans and stuff bouncing off firewalls"
Next in thread: Edwards, David (JTS): "RE: Odd scans and stuff bouncing off firewalls"
Next in thread: Robert Buckley: "RE: Subseven Scans"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ On Tuesday, August 13, 2002 at 16:57:31 (+0100), Nexus wrote: ]
> Subject: Odd scans and stuff bouncing off firewalls
>
> Just a quick straw poll to see if anyone has any hard data that supports the
> logging and analysis of traffic that bounces off of filtering devices as
> part of a business security plan ?   Other than generating attack metrics to
> wave under the noses of senior managment at budget time, is there any
> definite _business_ requirement to have IDS sensors outside the firewall or
> firewall "drop" logs et al regularly examined in the context of "external"
> attack sources ?

I should hope not.  ;-)

Any such _business_ requirement would be sadly and sorely misguided.

> I don't bother to chase anything from anywhere unless it makes it through
> the filters because I could care less and it would IMHO purely be a time
> sink and even then only if it's from a netblock that has a whois abuse@
> entry.

I agree with you entirely!

Filter logs are mostly merely an interesting time diversion when one is
bored because one's firewall defenses have proven to be sufficiently
impenetrable, and they are otherwise only an optional way to prop up any
budget requests (i.e. to assure upper management that the Big Bad
Internet is still a wild and wooly place and that a good defense is
still an absolute requirement for participating in it when any aspects
of one's business might be placed at risk by such participation).

(This is assuming of course that any IDS mechanisms used to detect
flooding style attacks is separate from firewall filter logs.)

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woodsat_private>;           <woodsat_private>
Planix, Inc. <woodsat_private>; VE3TCP; Secrets of the Weird <woodsat_private>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Greg A. Woods: "RE: Odd scans and stuff bouncing off firewalls"
Previous message: H C: "RE: Subseven Scans"
In reply to: Nexus: "Odd scans and stuff bouncing off firewalls"
Next in thread: Edwards, David (JTS): "RE: Odd scans and stuff bouncing off firewalls"
Next in thread: Robert Buckley: "RE: Subseven Scans"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Aug 13 2002 - 12:44:31 PDT