
Re: [FW-1] Logging Template?



My own spin on logging is:

- Log accepted traffic only to the extent that it is an exception to your
usual rules.  For example, if you're protecting a public web server farm,
you probably don't want to log all inbound traffic to port 80 (of course
it's accepted from all over the planet, duh).  If someone/something is given
special access, log it.  Exceptions to this philosophy are pretty much a
judgement call: no hard and fast rules, and heavily influenced by the needs
of your particular organization.

- Log all dropped traffic *except* the stuff whose only purpose in life is
to fill up your logs.  For example, I'm not in the habit of logging dropped
NBT traffic.  Why?  Because usually you drop all of it and there's too much
NBT chatter out there to want to slog through it.  However, if your firewall
has a stealth rule (aka "drop all traffic directed to the firewall's IP from
the outside"), you may want to track any and all attempts to pry the
firewall open from outside.  Accordingly, you would have the stealth rule
logged.

- Your last rule (cleanup rule aka "if it got this far then toss it out")
should probably be logged.  Unless you have protected specific devices and
logged the associated drops in higher-up rules, this is the rule that's
going to tell you you're being SQL scanned, port scanned, proxy scanned,
yadda yadda.  Opinions may differ on this one; sometimes there's too much
traffic to contend with.  But it's generally the rule that tells you the
most about intrusion attempts.

The reasoning behind this approach is pretty simple.  You want to know what
your firewall is dropping almost unilaterally, and you pare that down as
needed to keep your logs useful and informative as opposed to... Big.  On
the flip side, you don't want to see *all* explicitly accepted traffic,
because you've already decided that it's explicitly accepted.  However, you
might want to log accepted traffic if the acceptance is unusual under your
normal set of assumptions.

Hope this helps.
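To make the three rules of thumb above concrete, here is a small added
example (my own illustration, not Check Point code and not an FW-1 export
format).  It takes a simplified rulebase, sets Track on each rule the way the
post describes (cleanup rule always logged, drops logged unless they are NBT
noise, accepts logged only when the source is narrower than Any, which is my
assumption for "exception"), and then reads constructed "key: value;" style
drop records to show why the cleanup rule is the one that exposes port scans.

```python
"""Added example (not Check Point code): apply the rulebase logging
heuristics from the post, then mine cleanup-rule drops for port scans.
Rule and log formats are simplified approximations; sample data is constructed."""
from collections import defaultdict
from dataclasses import dataclass, replace

# NetBIOS services whose drops only fill the log (the post's NBT example).
NOISY_SERVICES = {"nbname", "nbdatagram", "nbsession"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    service: str
    action: str          # "accept" or "drop"
    track: str = "none"  # "log" or "none"; filled in by decide_tracking


def decide_tracking(rules):
    """Return a copy of the rulebase with Track set per the post's heuristics:
    - last rule (cleanup) is always logged;
    - drops are logged unless the service is known noise (NBT);
    - accepts are logged only when they are exceptions, approximated here
      (assumption) as a source narrower than Any."""
    tracked = []
    last = len(rules) - 1
    for i, r in enumerate(rules):
        if i == last:
            track = "log"
        elif r.action == "drop":
            track = "none" if r.service.lower() in NOISY_SERVICES else "log"
        else:
            track = "log" if r.src != "Any" else "none"
        tracked.append(replace(r, track=track))
    return tracked


def parse_log_line(line):
    """Parse a 'key: value; key: value;' record into a dict."""
    fields = {}
    for part in line.split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def find_scanners(lines, cleanup_rule, min_ports=5):
    """Sources whose cleanup-rule drops touch at least min_ports distinct
    (proto, port) pairs; a stray drop or two per source is ignored."""
    targets = defaultdict(set)
    for line in lines:
        f = parse_log_line(line)
        if f.get("action") != "drop" or f.get("rule") != str(cleanup_rule):
            continue
        targets[f["src"]].add((f.get("proto"), f.get("service")))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_ports}


def _drop(rule, src, dst, proto, service):
    """Build one constructed drop record."""
    return (f"action: drop; rule: {rule}; src: {src}; dst: {dst}; "
            f"proto: {proto}; service: {service};")


# Constructed sample: one host sweeping eight TCP ports (hits cleanup rule 5),
# one stray drop, NBT noise on rule 4, and an accept on rule 1.
SAMPLE_LOG = (
    [_drop(5, "192.0.2.77", "198.51.100.10", "tcp", p)
     for p in (21, 22, 23, 25, 80, 110, 143, 443)]
    + [_drop(5, "203.0.113.9", "198.51.100.10", "tcp", 8080)]
    + [_drop(4, "198.51.100.200", "198.51.100.255", "udp", 137)] * 3
    + ["action: accept; rule: 1; src: 203.0.113.5; dst: 198.51.100.10; "
       "proto: tcp; service: 80;"]
)

# Constructed rulebase; rule numbers in SAMPLE_LOG are 1-based positions here.
SAMPLE_RULES = [
    Rule("web-farm", "Any", "WebFarm", "http", "accept"),
    Rule("admin-ssh", "AdminHost", "fw-gw", "ssh", "accept"),
    Rule("stealth", "Any", "fw-gw", "Any", "drop"),
    Rule("nbt-noise", "Any", "Any", "nbname", "drop"),
    Rule("cleanup", "Any", "Any", "Any", "drop"),
]

if __name__ == "__main__":
    for r in decide_tracking(SAMPLE_RULES):
        print(f"{r.name:<10} {r.action:<7} track={r.track}")
    print(find_scanners(SAMPLE_LOG, cleanup_rule=5))
```

Running it marks web-farm and nbt-noise as not logged and the other three as
logged, and reports 192.0.2.77 as having probed eight ports through the
cleanup rule while the single 8080 drop from 203.0.113.9 stays below the
threshold.  The min_ports threshold is the knob the post calls a judgement
call: raise it when the cleanup rule gets too noisy for your site.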

-----Original Message-----
From: John Doyle [mailto:[email protected]]
Sent: Monday, September 23, 2002 8:08 AM
To: [email protected]
Subject: Re: [FW-1] Logging Template?


Hi Phoram,

Thanks for replying to my mail. Before sending this request for help I
searched the site mentioned and found nothing to help my cause. If you know of
another site or even have a document such as the one I am looking for, then
please let me know.

Again thanks,



John



-----Original Message-----
From: Mehta, Phoram [mailto:[email protected]]
Sent: 23 September 2002 15:29
To: [email protected]
Subject: Re: [FW-1] Logging Template?


I would recommend that you regularly visit www.phoneboy.com for answers to
this query as well as others that might come up in the near future.

Phoram

-----Original Message-----
From: John Doyle [mailto:[email protected]]
Sent: Monday, September 23, 2002 8:29 AM
To: [email protected]
Subject: [FW-1] Logging Template?

Hi All,

I am new to FW-1 and could do with some help on what I should log and why,
and what I should not log.

Does anyone have a Document Template that they could share as a Checklist to
setting up logging?


Thanks,
John

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================