Re: [logs] firewall logging and rulesets

From: Chris Brenton (cbrenton@private)
Date: Thu Oct 23 2003 - 02:17:14 PDT

    On Wed, 2003-10-22 at 23:29, Jason Haar wrote:
    >
    > This feature isn't as great as it seems. To be honest, the PIX still has a
    > ways to go before its ACL support is as good as IOS.
    
    Hey, while we are bashing on commercial firewalls anyway ;-p, let me toss
    in that the level of detail recorded by PIX, FW-1, Netscreen, and many
    others, leaves much to be desired. Some wish list items I would love to
    see recorded by all packet filters:
    
    Type of service & precedence field (if set)
    IP and TCP options (if any are set)
    TTL
    IP ID
    TCP MSS & Window size
    Payload contents of ICMP type 3's, 4's, 5's & 11's
    
    I teach track 2 for SANS and one of the exercises we go through is
    looking at a packet as it gets logged through a commercial and a GPL
    firewall. Based on the commercial firewall we are led to believe that
    someone may be probing our perimeter (i.e. the source IP is malicious).
    Because the GPL firewall records more detail, we get to see that the
    packet is actually fallout from someone spoofing our address (i.e.
    someone might think we are malicious). The point of the exercise is that
    the devil is in the details. Without enough information you can't make a
    good judgment call about what to worry about and what can be dismissed.
    
    I'm not saying *all* commercial firewalls have this problem, just the
    primaries that most people are using. Being able to do passive
    fingerprinting is a nice bonus as well.
    
    Just my $.02,
    C
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
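As an added example (not from Chris's post or the LogAnalysis list), here is Python that does what the post asks a packet filter to do: record TOS/precedence, TTL, IP ID and options for an ICMP type 3/4/5/11 packet, parse the quoted inner header from its payload, and use it to tell backscatter from a spoofed source apart from a real probe. OUR_PREFIX, OUTBOUND_FLOWS and the sample packet are constructed assumptions.

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed assumptions for this example: the block "we" own, and a
# table of flows our hosts really originated (e.g. from the firewall's state).
OUR_PREFIX = ip_network("192.0.2.0/24")
OUTBOUND_FLOWS = {("192.0.2.10", "203.0.113.5", 17, 53)}  # (src, dst, proto, dport)

def parse_ipv4(buf):
    """Return (header fields, bytes after the header) for an IPv4 datagram."""
    vihl, tos, _tl, ip_id, _frag, ttl, proto, _ck, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", buf[:20])
    ihl = (vihl & 0x0F) * 4
    fields = {"src": str(ip_address(src)), "dst": str(ip_address(dst)),
              "tos": tos, "precedence": tos >> 5, "ttl": ttl, "id": ip_id,
              "proto": proto, "options": buf[20:ihl].hex()}
    return fields, buf[ihl:]

def log_icmp_error(pkt):
    """Log an ICMP type 3/4/5/11 packet with its quoted inner header and a verdict."""
    outer, icmp = parse_ipv4(pkt)
    if outer["proto"] != 1 or icmp[0] not in (3, 4, 5, 11):
        return None
    # RFC 792: 8 bytes of ICMP header, then the original IP header + 8 bytes.
    inner, transport = parse_ipv4(icmp[8:])
    sport, dport = struct.unpack("!HH", transport[:4])
    rec = {**outer, "icmp_type": icmp[0], "icmp_code": icmp[1],
           "inner_src": inner["src"], "inner_dst": inner["dst"],
           "inner_proto": inner["proto"], "inner_sport": sport, "inner_dport": dport}
    if ip_address(inner["src"]) not in OUR_PREFIX:
        rec["verdict"] = "error not about our traffic; treat as suspicious"
    elif (inner["src"], inner["dst"], inner["proto"], dport) in OUTBOUND_FLOWS:
        rec["verdict"] = "legitimate error for a flow we sent"
    else:
        rec["verdict"] = "backscatter: our address was spoofed"
    return rec

def ipv4_header(src, dst, proto, length, ttl=64, ip_id=0, tos=0):
    """Build a minimal 20-byte IPv4 header (checksum left zero; test data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + length, ip_id, 0, ttl,
                       proto, 0, ip_address(src).packed, ip_address(dst).packed)

# Constructed sample: 198.51.100.9 tells 192.0.2.10 "port unreachable" for a UDP
# packet 192.0.2.10 -> 198.51.100.9:161 that our host never sent.
QUOTED = (ipv4_header("192.0.2.10", "198.51.100.9", 17, 8, ttl=120, ip_id=0x1234)
          + struct.pack("!HHHH", 40000, 161, 16, 0))
ICMP = struct.pack("!BBHI", 3, 3, 0, 0) + QUOTED
SAMPLE = ipv4_header("198.51.100.9", "192.0.2.10", 1, len(ICMP),
                     ttl=52, ip_id=0xBEEF, tos=0xC0) + ICMP

if __name__ == "__main__":
    print(log_icmp_error(SAMPLE))
```

With only the outer header logged, the sample reads as 198.51.100.9 sending us ICMP; the quoted header shows it is a reply to a packet forged in our name.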
    
    This archive was generated by hypermail 2b30 : Thu Oct 23 2003 - 10:19:52 PDT