[SLUG] Re: CD-Based Firewall -- logs and auditing

From: Bryan J. Smith (b.j.smith@ieee.org)
Date: Thu Nov 04 2004 - 21:12:13 EST


On Thu, 2004-11-04 at 18:27, Paul M Foster wrote:
> They will be (as now) directed to one of the consoles.

How much are you logging? I'm not trying to tell you what to do, but an
on-disk or, better yet, remote record is always ideal. Best of all
would be a real-time print record, of course, but that's typically not
feasible for SOHOs.

> The IDS is the logs.

Logs from what? Kernel? Other? I assume you are saying you are doing
self-analysis. Not exactly ideal in this day and age, but I guess
that's just me?

What systems are behind the firewall? The reason I ask this is because
you have to worry about outgoing traffic too -- e.g., client systems
that have been compromised via browser or other exploits.

> If I need to, I switch to that console and look at the logs going by.

Please understand I'm not trying to be argumentative. I'm just curious
why you are limiting the most important part of a network security
approach -- the logs and auditing.

> Understand-- the only service advertised on the box is SSH,
> and then only to local machines. Otherwise, it NATs and blocks
> traffic to almost everything else.

The deny-all firewall died as an adequate network security measure
for even SOHOs years ago. Nowadays you need at least an IDS that
can analyze logs in real-time, or at least off-line. Especially if you
have any Windows systems behind the firewall, but it is not always
limited to Windows (but 99.9% of them target Windows).

> My logging level is very high, so it's clear when anything's going on.

I'm confused when you say your "logging level is very high." Your
screen would be passing on so much information that you could not
possibly digest it in even real-time. There is such a thing as "log
dilution" where you are inundated with so much information that it
becomes impossible to audit. Especially if you are not using an
automated, real-time auditing system like an IDS.

So are you using an IDS and just watching those logs on the console? If
so, what interfaces are you tapping? Just the LAN? Just curious what
your approach is. Not questioning it, just curious. I write security
whitepapers and articles all the time, and am interested in learning
about new techniques -- especially for SOHO setups.

-- 
Bryan J. Smith                                  b.j.smith@ieee.org 
------------------------------------------------------------------ 
"Communities don't have rights. Only individuals in the community
 have rights. ... That idea of community rights is firmly rooted
 in the 'Communist Manifesto.'" -- Michael Badnarik
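The two points Bryan makes above, that a console scrolling raw firewall log lines is unauditable ("log dilution") and that outbound traffic from compromised clients matters as much as inbound drops, are easier to see with a small analyzer. The script below is an added example and not code from the thread or from either poster; it assumes an iptables ruleset that logs with `-j LOG --log-prefix "FW-DROP: "` for rejected inbound packets and `--log-prefix "FW-OUT-NEW: "` for NEW outbound connections from the LAN, and the log prefixes, addresses, interface names and log lines are all constructed for the example. It collapses a chunk of syslog into per-source and per-port counts, flags LAN hosts opening connections to ports the site policy does not expect, and builds an RFC 3164 syslog message so the summary can be shipped to a remote collector instead of only a local console.

```python
"""Condense iptables LOG output into an auditable summary.

Added example, not from the mailing-list thread.  Assumes the firewall
logs rejected inbound packets with prefix "FW-DROP: " and NEW outbound
connections from the LAN with prefix "FW-OUT-NEW: ".  All prefixes,
addresses and sample lines here are constructed.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample syslog lines (RFC 3164 layout, kernel facility).
SAMPLE_LOG = """\
Nov  4 21:10:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=4123 DPT=445
Nov  4 21:10:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=4124 DPT=135
Nov  4 21:10:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=4125 DPT=139
Nov  4 21:10:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=4126 DPT=445
Nov  4 21:10:05 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.50 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=22
Nov  4 21:10:06 fw kernel: FW-OUT-NEW: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.99 PROTO=TCP SPT=1034 DPT=80
Nov  4 21:10:07 fw kernel: FW-OUT-NEW: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.99 PROTO=TCP SPT=1035 DPT=25
Nov  4 21:10:08 fw kernel: FW-OUT-NEW: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=203.0.113.5 PROTO=UDP SPT=1036 DPT=53
Nov  4 21:10:09 fw kernel: FW-OUT-NEW: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.99 PROTO=TCP SPT=1037 DPT=6667
Nov  4 21:10:10 fw sshd[812]: Accepted publickey for paul from 192.168.1.10 port 40122 ssh2
"""

# syslog header, then the iptables prefix, then the KEY=VALUE fields.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>[A-Z0-9-]+): (?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")

LAN = ip_network("192.168.1.0/24")            # constructed LAN range
EXPECTED_OUTBOUND_PORTS = {"53", "80", "443", "123"}  # constructed site policy


def parse_line(line):
    """Return a dict for an iptables LOG line, or None for any other syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "prefix": m.group("prefix")}
    rec.update(KV_RE.findall(m.group("fields")))   # e.g. SRC, DST, PROTO, DPT
    return rec


def summarize(text):
    """Collapse a log chunk into counts: who is probing us, and on which ports."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    drops = [r for r in records if r["prefix"] == "FW-DROP"]
    return {
        "dropped_total": len(drops),
        "drops_by_src": Counter(r["SRC"] for r in drops),
        "drops_by_dpt": Counter(r["DPT"] for r in drops),
        "outbound_new": sum(1 for r in records if r["prefix"] == "FW-OUT-NEW"),
    }


def suspicious_outbound(text, lan=LAN, allowed=EXPECTED_OUTBOUND_PORTS):
    """NEW outbound connections from LAN hosts to ports the site policy does not expect.

    A deny-inbound ruleset never sees this; a workstation that suddenly talks
    SMTP to arbitrary outside hosts is a classic sign of a compromised client.
    """
    hits = []
    for line in text.splitlines():
        r = parse_line(line)
        if not r or r["prefix"] != "FW-OUT-NEW":
            continue
        if ip_address(r["SRC"]) in lan and r["DPT"] not in allowed:
            hits.append((r["SRC"], r["DST"], r["PROTO"], r["DPT"]))
    return hits


def syslog_packet(severity, hostname, tag, msg, timestamp, facility=1):
    """Build an RFC 3164 message so the summary can go to a remote collector.

    PRI is facility*8 + severity; facility 1 is 'user', severity 4 is 'warning'.
    Ship it with socket.sendto(packet, (collector, 514)) over UDP.
    """
    pri = facility * 8 + severity
    return f"<{pri}>{timestamp} {hostname} {tag}: {msg}".encode("ascii")


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"dropped {s['dropped_total']} packets from {len(s['drops_by_src'])} sources; "
          f"top source {s['drops_by_src'].most_common(1)[0]}")
    for src, dst, proto, dpt in suspicious_outbound(SAMPLE_LOG):
        print(f"unexpected outbound {proto} {src} -> {dst}:{dpt}")
```

Ten raw lines become two sentences a person can act on, which is the difference between a console full of scrolling text and an audit record; run against a real log the per-source counter is what tells a port scan apart from background noise, and the outbound check is what catches the compromised client Bryan describes.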

This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:30:43 EDT