
Re: ipchains DENY question



martin f krafft said:
> thus spoke nate <debian-user@aphroland.org> [2002.12.06.0136 +0100]:
>> firewall-and-forget.
>
> maybe for a private system. this is *not* the way to practice
> security. security involves ongoing monitoring.

This is the best way if you have limited resources. Why should I care
about what hits my firewall and gets dropped? I am much more
concerned about what gets PAST my firewall.

If it's dropped at the firewall there is no harm done. So no need to
get worked up over it. The only time I go out of my way for something
that is blocked at the firewall is if the data is filling my pipe,
e.g. a couple of weeks ago my former employer fired up an old ICMP
monitoring program I used to use (but long disabled). Within a few hours
they were flooding me with 100kB/second of ICMP traffic, crippling my
connection (75% packet loss to default gateway).

If you have operated in a more public environment you'll realize that
it is physically IMPOSSIBLE to go after every unusual event that hits
your network. At my former company, on a fully anal snort configuration,
2 T1s which had perhaps 5% utilization were generating more than 70,000
alerts per hour. How much of this was worth looking into? About 1 event
per 25 million (a guess I pulled outta my ass but probably round about
accurate). I spent probably 50 hours analyzing the data and adding
rules to prevent things from being triggered on the NIDS.

Gotta pick the priorities; for me, and for many, packets that are
dropped at the firewall are not a priority for investigation.

Of course monitoring is important. But once something is blocked,
the impact is minimized.

nate