Re: [logs] firewall logging and rulesets

From: Brian Ford (brford@private)
Date: Thu Oct 23 2003 - 19:36:03 PDT

    Chris,
    
    It's not bashing; it's improving.  Don't be bashful.
    
    I agree with your request.  The push back from the other side of the table 
    is packets per second (performance amongst other issues).
    
    It also gets real ugly looking at header fields in all the packets of a 
    particular connection.
    
    What the PIX team did was implement a capture command.  The target was to 
    make it very tcpdump-like.  You can grab packets in pcap format (eating 
    device memory) and throw them out at a TFTP server for off-box 
    analysis.  Off-box we can use Ethereal (and other tools) to knit the 
    connections back together and look at all the header info.  Works well.
    
    Liberty for All,
    
    Brian
    
    At 05:17 AM 10/23/2003 -0400, Chris Brenton wrote:
    >On Wed, 2003-10-22 at 23:29, Jason Haar wrote:
    > >
    > > This feature isn't as great as it seems. To be honest, the PIX still has a
    > > ways to go before its ACL support is as good as IOS.
    >
    >Hey while we are bashing on commercial firewalls anyway ;-p, let me toss
    >in that the level of detail recorded by PIX, FW-1, Netscreen, and many
    >others, leaves much to be desired. Some wish list items I would love to
    >see recorded by all packet filters:
    >
    >Type of service & precedence field (if set)
    >IP and TCP options (if any are set)
    >TTL
    >IP ID
    >TCP MSS & Window size
    >Payload contents of ICMP type 3's, 4's, 5's & 11's
    >
    >I teach track 2 for SANS and one of the exercises we go through is
    >looking at a packet as it gets logged through a commercial and a GPL
    >firewall. Based on the commercial firewall we are led to believe that
    >someone may be probing our perimeter (i.e. the source IP is malicious).
    >Because the GPL firewall records more detail, we get to see that the
    >packet is actually fallout from someone spoofing our address (i.e.
    >someone might think we are malicious). The point of the exercise is that
    >the devil is in the details. Without enough information you can't make a
    >good judgment call about what to worry about and what can be dismissed.
    >
    >I'm not saying *all* commercial firewalls have this problem, just the
    >primaries that most people are using. Being able to do passive
    >fingerprinting is a nice bonus as well.
    >
    >Just my $.02,
    >C
    >
    
    
    Brian Ford
    Consulting Engineer, Security & Integrity Specialist
    Office of Strategic Technology Planning
    Cisco Systems Inc.
    http://www.cisco.com/go/safe/
    
    The opinions expressed in this message are those of the author and not 
    necessarily those of Cisco Systems, Inc.
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
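Added example, not code from this thread or from any firewall vendor: a small Python decoder that pulls the fields in Chris's wish list (precedence/TOS, TTL, IP ID, IP and TCP options, MSS, window) out of raw IPv4/TCP packets such as those an off-box pcap capture yields, and, for ICMP type 3/4/5/11 messages, decodes the offending IP header carried in the payload so that the spoofed-source backscatter case from the SANS exercise shows up in the log record. All addresses, the network range and the packet bytes are constructed.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

def build_ipv4(src, dst, proto, payload, ttl=64, ipid=0, tos=0):  # constructed packets only
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), ipid, 0x4000, ttl,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed) + payload

def parse_ipv4(pkt):
    """IP fields from the wish list: precedence/TOS, TTL, IP ID, options. Returns (fields, rest)."""
    ver_ihl, tos, _, ipid, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "proto": proto,
            "precedence": tos >> 5, "tos": tos & 0x1F, "ttl": ttl, "ip_id": ipid,
            "ip_options": pkt[20:ihl].hex()}, pkt[ihl:]

def parse_tcp(seg):
    """TCP flags, window and MSS (option kind 2); raw options kept for passive fingerprinting."""
    sport, dport, _, _, off_flags, window = struct.unpack("!HHIIHH", seg[:16])
    opts, mss, i = seg[20:(off_flags >> 12) * 4], None, 0
    while i < len(opts) and opts[i] != 0:        # TLV walk until End-of-Options (kind 0)
        if opts[i] == 1:                          # NOP has no length byte
            i += 1
            continue
        if opts[i] == 2 and opts[i + 1] == 4:     # MSS option
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return {"sport": sport, "dport": dport, "flags": off_flags & 0x1FF,
            "window": window, "mss": mss, "tcp_options": opts.hex()}

def decode(pkt, our_net):
    """One log record per packet; for ICMP errors also decode the offending header carried inside."""
    ip, payload = parse_ipv4(pkt)
    rec = dict(ip)
    if ip["proto"] == 6:
        rec.update(parse_tcp(payload))
    elif ip["proto"] == 1 and payload[0] in (3, 4, 5, 11):
        inner, _ = parse_ipv4(payload[8:])       # error payload = original IP header + 8 bytes
        rec.update(icmp_type=payload[0], inner_src=inner["src"], inner_dst=inner["dst"])
        # ip["src"] rejected a packet "from us": if we never sent it, someone is spoofing our address
        rec["inner_src_is_ours"] = IPv4Address(inner["src"]) in our_net
    return rec

# Constructed samples: a SYN with MSS 1460 + SACK-permitted; a port-unreachable whose inner header
# claims 203.0.113.5 (ours) sent a SYN to 198.51.100.7.
OUR_NET = IPv4Network("203.0.113.0/24")
TCP_SYN = (struct.pack("!HHIIHH", 40000, 22, 1, 0, (7 << 12) | 0x002, 65535) + b"\0\0\0\0"
           + bytes.fromhex("020405b4 0101 0402"))
SYN = build_ipv4("198.51.100.7", "203.0.113.5", 6, TCP_SYN, ttl=52, ipid=0x1234, tos=0x10)
INNER = build_ipv4("203.0.113.5", "198.51.100.7", 6, struct.pack("!HHI", 40000, 80, 99))
UNREACH = build_ipv4("198.51.100.7", "203.0.113.5", 1, bytes([3, 3, 0, 0, 0, 0, 0, 0]) + INNER, ttl=240)
```

A terse log would show UNREACH only as "ICMP from 198.51.100.7"; `decode(UNREACH, OUR_NET)` additionally records that the rejected packet claimed our address as its source, which is the detail that separates backscatter from a probe.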
    This archive was generated by hypermail 2b30 : Thu Oct 23 2003 - 19:54:09 PDT