On Wed, 2003-10-22 at 23:29, Jason Haar wrote:
>
> This feature isn't as great as it seems. To be honest, the PIX still has a
> ways to go before its ACL support is as good as IOS.

Hey, while we are bashing on commercial firewalls anyway ;-p, let me toss in that the level of detail recorded by PIX, FW-1, Netscreen, and many others leaves much to be desired. Some wish list items I would love to see recorded by all packet filters:

- Type of service & precedence field (if set)
- IP and TCP options (if any are set)
- TTL
- IP ID
- TCP MSS & window size
- Payload contents of ICMP type 3's, 4's, 5's & 11's

I teach track 2 for SANS, and one of the exercises we go through is looking at a packet as it gets logged through a commercial and a GPL firewall. Based on the commercial firewall we are led to believe that someone may be probing our perimeter (i.e. the source IP is malicious). Because the GPL firewall records more detail, we get to see that the packet is actually fallout from someone spoofing our address (i.e. someone might think we are malicious).

The point of the exercise is that the devil is in the details. Without enough information you can't make a good judgment call about what to worry about and what can be dismissed. I'm not saying *all* commercial firewalls have this problem, just the primaries that most people are using.

Being able to do passive fingerprinting is a nice bonus as well.

Just my $.02,
C

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
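The exercise described above, as an added example that is not part of the original post: a small Python parser that records the wish-list fields (TOS/precedence, TTL, IP ID, IP and TCP options, TCP window and MSS, and the header quoted inside ICMP type 3/4/5/11 messages) and shows how the quoted header turns an apparent probe into backscatter from someone spoofing our address. All addresses and packets are constructed samples, and `OUR_ADDR`, `build_ipv4`, `parse_ipv4` and `triage` are names chosen here, not anything from a real firewall.

```python
import struct
from ipaddress import IPv4Address

OUR_ADDR = "192.0.2.10"  # constructed: "our" perimeter address (RFC 5737 documentation range)

def build_ipv4(src, dst, proto, payload, tos=0, ttl=64, ip_id=0x1234):
    """Assemble a minimal IPv4 datagram (no options, zero checksum) for the samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), ip_id, 0, ttl,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def parse_ipv4(pkt: bytes) -> dict:
    """Record the header details the post wishes every packet filter would log."""
    vihl, tos, _ln, ip_id, _frag, ttl, proto, _ck, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    rec = {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "proto": proto,
           "tos": tos, "precedence": tos >> 5, "ttl": ttl, "ip_id": ip_id,
           "ip_options": pkt[20:ihl].hex() or None}
    body = pkt[ihl:]
    if proto == 6 and len(body) >= 20:  # TCP: window size, raw options and the MSS option
        _sp, _dp, _seq, _ack, offs, window = struct.unpack("!HHIIHH", body[:16])
        opts, i = body[20:(offs >> 12) * 4], 0
        rec.update(window=window, tcp_options=opts.hex() or None, mss=None)
        while i < len(opts) and opts[i] != 0:  # TLV walk; kind 0 = end of list, 1 = NOP
            if opts[i] == 1: i += 1; continue
            if i + 1 >= len(opts) or opts[i + 1] < 2: break  # truncated/malformed option
            if opts[i] == 2 and opts[i + 1] == 4:
                rec["mss"] = struct.unpack("!H", opts[i + 2:i + 4])[0]
            i += opts[i + 1]
    elif proto == 1 and len(body) >= 8:  # ICMP
        rec.update(icmp_type=body[0], icmp_code=body[1])
        if body[0] in (3, 4, 5, 11) and len(body) >= 28:
            # Error messages quote the offending datagram's IP header (+8 bytes) after the ICMP header.
            q_src, q_dst = struct.unpack("!4s4s", body[20:28])
            rec.update(quoted_src=str(IPv4Address(q_src)), quoted_dst=str(IPv4Address(q_dst)))
    return rec

def triage(rec: dict, our_addr: str = OUR_ADDR) -> str:
    """Only the quoted header separates a probe from fallout of someone spoofing our address."""
    if rec.get("quoted_src") == our_addr:
        return "backscatter: quoted packet claims %s as source; someone is spoofing us" % our_addr
    return "inbound from %s: possible probe" % rec["src"]

# Constructed samples: a port-unreachable quoting a SYN that claimed to be from us, and a genuine SYN.
quoted_syn = build_ipv4(OUR_ADDR, "198.51.100.7", 6, struct.pack("!HHI", 40000, 80, 1))
ICMP_SAMPLE = build_ipv4("198.51.100.7", OUR_ADDR, 1, struct.pack("!BBHI", 3, 3, 0, 0) + quoted_syn, ttl=57, ip_id=0xBEEF)
SYN_SAMPLE = build_ipv4("203.0.113.5", OUR_ADDR, 6, struct.pack("!HHIIHHHH", 1234, 22, 1, 0, (6 << 12) | 0x02, 8192, 0, 0)
                        + struct.pack("!BBH", 2, 4, 1460), tos=0xE0)  # data offset 6 words, SYN, MSS 1460
for pkt in (ICMP_SAMPLE, SYN_SAMPLE):  # stand-alone demo
    print(triage(parse_ipv4(pkt)))
```

Logged without the quoted header, the ICMP sample looks like 198.51.100.7 poking at us; with it, the record shows our own address as the quoted source and the verdict flips.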
This archive was generated by hypermail 2b30 : Thu Oct 23 2003 - 10:19:52 PDT