LogAnalysis

[logs] SIM solution - Objectives ? May 24 2007 05:52AM saudi sans (saudisans gmail com) (3 replies)
Re: [logs] SIM solution - Objectives ? May 24 2007 12:58PM Ron Gula (rgula tenablesecurity com) (1 replies)
Re: [logs] SIM solution - Objectives ? May 25 2007 01:29PM saudi sans (saudisans gmail com) (3 replies)
RE: [logs] SIM solution - Objectives ? May 25 2007 06:47PM Tina Bird (tbird precision-guesswork com) (1 replies)
Re: [logs] SIM solution - Objectives ? May 25 2007 05:50PM Paul Melson (pmelson gmail com) (1 replies)
Re: [logs] SIM solution - Objectives ? (Firewall logging) May 25 2007 06:35PM Ron Gula (rgula tenablesecurity com) (2 replies)
Re: [logs] SIM solution - Objectives ? (Firewall logging) May 27 2007 03:23PM Paul Melson (pmelson gmail com) (2 replies)
Re: [logs] SIM solution - Objectives ? (Firewall logging) May 29 2007 03:43PM Dave Ellingsberg (Dave Ellingsberg csu mnscu edu) (1 replies)
RE: [logs] SIM solution - Objectives ? (Firewall logging) May 30 2007 01:31PM Paul Melson (pmelson gmail com)
Re: [logs] SIM solution - Objectives ? (Firewall logging) May 27 2007 09:02PM Marcus J. Ranum (mjr ranum com) (3 replies)
RE: [logs] SIM solution - Objectives ? (Firewall logging) May 29 2007 07:20PM Eric Fitzgerald (Eric Fitzgerald microsoft com)
Re: [logs] SIM solution - Objectives ? (Firewall logging) May 29 2007 05:17PM Chris Brenton (cbrenton chrisbrenton org) (1 replies)
Re: [logs] SIM solution - Objectives ? (Firewall logging) May 29 2007 08:53PM Marcus J. Ranum (mjr ranum com)
[logs] SIM solution - Objectives ? (Firewall logging) May 28 2007 05:59PM Fenwick, Wynn (wynn fenwick cgi com) (2 replies)
RE: [logs] SIM solution - Objectives ? (Firewall logging) May 29 2007 07:07PM Paul Melson (pmelson gmail com) (1 replies)
RE: [logs] SIM solution - Objectives ? (Firewall logging) May 30 2007 03:40PM Fenwick, Wynn (wynn fenwick cgi com) (1 replies)
RE: [logs] SIM solution - Objectives ? (Firewall logging) May 30 2007 09:25PM Paul Melson (pmelson gmail com) (1 replies)
RE: [logs] SIM solution - Objectives ? (Firewall logging) May 31 2007 07:42PM Fenwick, Wynn (wynn fenwick cgi com)
Re: [logs] SIM solution - Objectives ? (Firewall logging) May 25 2007 07:22PM Jimmy Alderson (jimmy alderson gmail com)

when I'm doing my "intrusion prevention" workshop at Interop...
When you're setting up your firewall you should design in intrusion
detection by using overlapping permit/deny+LOG rules in the
firewall. It's cheap, fast, *AND* good!
For example, if you have a DMZ and traffic from the DMZ toward
the internal network is getting matched by a default internet
incoming rule - consider installing a superseding rule that
applies to your DMZ with logging turned on. That way you get
notified when your web server starts strobing SSH ports on
internal hosts. :) Or, perhaps a superseding
outbound deny +LOG rule from your DMZ to the internet for
everything except the minimum set of services your DMZ
needs.
My preceding comments should emphatically not be taken
to mean that I think you shouldn't log denies! If it's worth denying,
it's worth logging - and that's a fact. But in today's environment,
with all the HTTP tunnelling crapware and malware, it's really
really really important to be looking at stuff like "top permitted
destinations" and things like that! In fact I strongly recommend
grabbing blacklists from places like squidguard.org and
joining your destinations of permitted HTTP against the
"spyware sites" blacklist to produce lists of internal machines
that are making calls out to such sites. Useful?
mjr.
_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org
http://www.loganalysis.org/mailman/listinfo/loganalysis
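The "join permitted destinations against a blacklist" idea from the post above, as an added Python example (not Marcus's code or anything from the list). It assumes iptables-style LOG lines written by an outbound permit+LOG rule with a "PERMIT-HTTP:" prefix and a blacklist of addresses or CIDRs; both inputs are constructed here, and a real squidGuard list holds domain names, so it would first have to be resolved (or the join done on proxy logs instead).

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed iptables-style LOG lines from an outbound permit+LOG rule
# (prefix "PERMIT-HTTP:") plus one deny line; all hosts are made up.
SAMPLE_LOG = """\
May 27 20:55:01 fw kernel: PERMIT-HTTP: IN=eth1 OUT=eth0 SRC=10.0.0.12 DST=203.0.113.7 PROTO=TCP SPT=51234 DPT=80
May 27 20:55:03 fw kernel: PERMIT-HTTP: IN=eth1 OUT=eth0 SRC=10.0.0.12 DST=198.51.100.40 PROTO=TCP SPT=51240 DPT=80
May 27 20:55:09 fw kernel: PERMIT-HTTP: IN=eth1 OUT=eth0 SRC=10.0.0.33 DST=203.0.113.7 PROTO=TCP SPT=40001 DPT=80
May 27 20:56:14 fw kernel: PERMIT-HTTP: IN=eth1 OUT=eth0 SRC=10.0.0.33 DST=203.0.113.7 PROTO=TCP SPT=40002 DPT=80
May 27 20:57:30 fw kernel: PERMIT-HTTP: IN=eth1 OUT=eth0 SRC=10.0.0.57 DST=192.0.2.99 PROTO=TCP SPT=33000 DPT=80
May 27 20:58:02 fw kernel: DENY-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.57 DST=192.0.2.99 PROTO=TCP SPT=33001 DPT=22
"""

# Constructed "spyware sites" list: one address or CIDR per line, the shape
# a squidGuard-style domain list takes once its names are resolved.
SAMPLE_BLACKLIST = """\
# constructed entries for this example only
203.0.113.7
192.0.2.0/24
"""

LOG_RE = re.compile(r"(?P<prefix>[A-Z0-9-]+): .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)")

def parse_permits(log_text, prefix="PERMIT-HTTP"):
    """Yield (src, dst) for each line written by the permit+LOG rule; other prefixes are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("prefix") == prefix:
            yield m.group("src"), m.group("dst")

def load_blacklist(text):
    """Parse addresses/CIDRs, ignoring comments and blank lines."""
    entries = (l.split("#", 1)[0].strip() for l in text.splitlines())
    return [ip_network(e, strict=False) for e in entries if e]

def top_destinations(log_text, n=3):
    """The 'top permitted destinations' report: most-contacted DST addresses."""
    return Counter(dst for _, dst in parse_permits(log_text)).most_common(n)

def internal_hosts_hitting(log_text, blacklist_text):
    """Join permitted destinations against the blacklist; return {src: [dst, ...]}."""
    nets = load_blacklist(blacklist_text)
    hits = defaultdict(set)
    for src, dst in parse_permits(log_text):
        if any(ip_address(dst) in net for net in nets):
            hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in sorted(hits.items())}
```

Run `internal_hosts_hitting(SAMPLE_LOG, SAMPLE_BLACKLIST)` to get the per-internal-host list of listed sites contacted, and `top_destinations(SAMPLE_LOG)` for the volume view the post recommends watching.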