A question about firewall logging
on 29.03.2006 14:42:32 by carkaci
In our company, we enable only the ACCEPTED packet logging (Cisco
firewall). I wonder about the advantage of deny or rejected packets logging
also, i.e. (full logging). Any idea? What type of analysis can be done
at that time?
Re: A question about firewall logging
on 30.03.2006 02:01:01 by Dimitri Maziuk
carkaci@gmail.com sez:
> In our company, we enable only the ACCEPTED packet logging (Cisco
> firewall). I wonder about the advantage of deny or rejected packets logging
> also, i.e. (full logging). Any idea? What type of analysis can be done
> at that time?
If you have outside users and they complain they can't connect, you
can check if it's your firewall that blocked them.
Dima
--
Yes, Java is so bulletproofed that to a C programmer it feels like being in a
straightjacket, but it's a really comfy and warm straightjacket, and the world
would be a safer place if everyone was straightjacketed most of the time.
-- Mark 'Kamikaze' Hughes
Re: A question about firewall logging
on 02.04.2006 05:49:32 by NETADMIN
What can be done with Accepted packet logging when the packet has already
entered the network?
Deny and Rejected packet logging have some advantages over it and they
are following:
1. You will come to know who is trying to access your network.
2. Is Security breach is up or not?
3. Who is hitting the most
4. What are the targets of outside tracker/hacker.
5. Which are the top most Sites/URL/IP hitting your network.
6. Is Security policy applied working or not.
CK-NET
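Added example (not part of any post in this thread): a short Python sketch of the two analyses suggested above, checking whether a given outside client was blocked and tallying the most frequent denied sources and targets. It assumes deny entries in the style of Cisco PIX/ASA syslog message 106023; the log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the style of Cisco PIX/ASA syslog (assumed format;
# documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
Apr 02 2006 05:40:01 fw1 : %PIX-4-106023: Deny tcp src outside:198.51.100.7/40112 dst inside:192.0.2.10/22 by access-group "outside_in"
Apr 02 2006 05:40:02 fw1 : %PIX-4-106023: Deny tcp src outside:198.51.100.7/40113 dst inside:192.0.2.10/23 by access-group "outside_in"
Apr 02 2006 05:40:09 fw1 : %PIX-4-106023: Deny udp src outside:203.0.113.44/5060 dst inside:192.0.2.20/5060 by access-group "outside_in"
Apr 02 2006 05:41:30 fw1 : %PIX-4-106023: Deny tcp src outside:198.51.100.7/40150 dst inside:192.0.2.11/22 by access-group "outside_in"
Apr 02 2006 05:42:00 fw1 : %PIX-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.9/3312 (203.0.113.9/3312) to inside:192.0.2.10/443 (192.0.2.10/443)
"""

# Matches only the access-list deny message (106023); accepted-connection
# messages such as 302013 are ignored.
DENY_RE = re.compile(
    r"%(?:PIX|ASA)-\d-106023: Deny (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_denies(text):
    """Return one dict per deny line; other message types are skipped."""
    return [m.groupdict() for m in map(DENY_RE.search, text.splitlines()) if m]


def summarize(denies, top=5):
    """Top denied sources and top targeted (host, proto, port) tuples."""
    sources = Counter(d["src"] for d in denies)
    targets = Counter((d["dst"], d["proto"], int(d["dport"])) for d in denies)
    return sources.most_common(top), targets.most_common(top)


def was_blocked(denies, client_ip):
    """Deny entries for one outside client (the "user can't connect" check)."""
    return [d for d in denies if d["src"] == client_ip]


if __name__ == "__main__":
    denies = parse_denies(SAMPLE_LOG)
    top_src, top_dst = summarize(denies)
    print("top denied sources:", top_src)
    print("top denied targets:", top_dst)
    print("203.0.113.44 blocked:", was_blocked(denies, "203.0.113.44"))
```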
Re: A question about firewall logging
on 03.04.2006 03:35:01 by ibuprofin
On 1 Apr 2006, in the Usenet newsgroup comp.security.misc, in article
<1143949772.569143.165320@z34g2000cwc.googlegroups.com>, NETADMIN wrote:
>What can be done with Accepted packet logging when the packet has already
>entered the network?
"That depends". This thread was multiposted over in comp.security.firewalls
and you might want to read the many articles it generated there.
>Deny and Rejected packet logging have some advantages over it and they
>are following:
>1. You will come to know who is trying to access your network.
To what end? There is no Internet Police that will do anything. There
are a large number of ISPs who don't care what their users are doing and
therefore don't respond to abuse complaints. The easy solution is to
just block the ISP, or even the entire continent.
>2. Is Security breach is up or not?
If the packet was dropped or rejected, it's not a security problem.
>3. Who is hitting the most
Who cares? They are blocked, and I don't think many people are awarding
prizes for "most frequent attacker".
>4. What are the targets of outside tracker/hacker.
>5. Which are the top most Sites/URL/IP hitting your network.
Why would anyone care? They're blocked - end of problem.
>6. Is Security policy applied working or not.
One doesn't see this in the rejections - look at what _is_ being allowed,
and worry about that.
Old guy