Re: Odd scans and stuff bouncing off firewalls

From: Greg A. Woods (woodsat_private)
Date: Tue Aug 13 2002 - 11:54:41 PDT


    [ On Tuesday, August 13, 2002 at 16:57:31 (+0100), Nexus wrote: ]
    > Subject: Odd scans and stuff bouncing off firewalls
    >
    > Just a quick straw poll to see if anyone has any hard data that supports the
    > logging and analysis of traffic that bounces off of filtering devices as
    > part of a business security plan?  Other than generating attack metrics to
    > wave under the noses of senior management at budget time, is there any
    > definite _business_ requirement to have IDS sensors outside the firewall or
    > firewall "drop" logs et al regularly examined in the context of "external"
    > attack sources?

    I should hope not.  ;-)

    Any such _business_ requirement would be sadly and sorely misguided.

    > I don't bother to chase anything from anywhere unless it makes it through
    > the filters because I could care less and it would IMHO purely be a time
    > sink and even then only if it's from a netblock that has a whois abuse@
    > entry.

    I agree with you entirely!

    Filter logs are mostly merely an interesting time diversion when one is
    bored because one's firewall defenses have proven to be sufficiently
    impenetrable, and they are otherwise only an optional way to prop up any
    budget requests (i.e. to assure upper management that the Big Bad
    Internet is still a wild and wooly place and that a good defense is
    still an absolute requirement for participating in it when any aspects
    of one's business might be placed at risk by such participation).

    (This is assuming of course that any IDS mechanisms used to detect
    flooding-style attacks are separate from firewall filter logs.)

    								Greg A. Woods
    +1 416 218-0098;            <g.a.woodsat_private>;           <woodsat_private>
    Planix, Inc. <woodsat_private>; VE3TCP; Secrets of the Weird <woodsat_private>