Logging incoming, outgoing packet on firewall, good choice or bad choice ?

Post by cryx » Mon, 24 Jul 2000 04:00:00
I would like to know if it's a good choice to log packets that are being
sent and received, and what the advantages are of logging packets on
firewalls.

How much information can you see in logged packets? And where would
you log the packets and protect the log from malicious hackers, trojan
kids or script kids?

We're using Linux Slackware 7.0.

Post by gu.. » Mon, 24 Jul 2000 04:00:00
>I would like to know if it's a good choice to log packets that are being
>sent and received, and what the advantages are of logging packets on
>firewalls.

it sure is.  i don't know if it's a good choice to log sent packets,
but the security conscious among us might ..  you'll probably not
want to log _all_ traffic, though.

advantages to logging:  traffic analysis, pattern matching, figuring
                        out who is doing what to your system, etc.

disadvantages to logging: disk space!  if you're logging everything
                          on a large/busy network this will kick
                          you in the butt.  privacy of your users?

>How much information can you see in logged packets? And where would
>you log the packets and protect the log from malicious hackers, trojan
>kids or script kids?

usually you can see the destination ip address, local and remote
ports used, protocol used, date and time.
if you want to protect your logs from malicious hackers, log to
your printer.

--
True science teaches us to doubt and, in ignorance, to refrain.
 -Claude Bernard (1813-78)

Post by Tim Hayn » Mon, 24 Jul 2000 04:00:00
> I would like to know if it's a good choice to log packets that are being sent
> and received, and what the advantages are of logging packets on firewalls.

<shudder> I'd have thought so. </shudder>

> How much information can you see in logged packets? And where would you
> log the packets and protect the log from malicious hackers, trojan kids or
> script kids?

You want the IP Masquerading HOWTO which gives explicit examples of what
you'll see, at
<http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO-7.html#ss7.18>.

> We're using Linux Slackware 7.0.

What are you using now?

~Tim
--
| Geek Code: GCS dpu s-:+ a-- C++++ UBLUAVHSC++++ P+++ L++ E--- W+++(--) N++
| w--- O- M-- V-- PS PGP++ t--- X+(-) b D+ G e++(*) h++(*) r--- y-          
| The sun is melting over the hills,         | http://piglet.is.dreaming.org/

Post by Steve Co » Mon, 24 Jul 2000 04:00:00
> I would like to know if it's a good choice to log packets that are being
> sent and received, and what the advantages are of logging packets on
> firewalls.

> How much information can you see in logged packets? And where would
> you log the packets and protect the log from malicious hackers, trojan
> kids or script kids?

> We're using Linux Slackware 7.0.

Hi,

the standard way is to log exceptions to any firewall rules - so
you can monitor crack attempts. If you're using ipchains, this
is done with the -l option on the deny and reject rules.

This does rely on the fact that you are catching all errant connections,
so you may want to use a packet sniffer to examine all traffic over
a small period.

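As an added example (written for this page, not code from any poster in the thread): a parser for the "Packet log:" lines that ipchains rules carrying -l write to the kernel log, plus the kind of traffic analysis gu.. mentions, who is doing what to your system, in the form of a per-source summary and a simple check for one source probing several ports in a short window. The syslog lines are constructed; the hostname "fw", the addresses and the rule numbers are made up. Two things worth keeping in mind when reading such output: the entries carry header fields only (protocol, addresses, ports or ICMP type/code, length, TTL, chain, verdict), never payload, and the logged source address is whatever the packet claimed, so it may be spoofed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines in the ipchains (Linux 2.2) "Packet log:"
# format produced by rules with the -l flag. Host, addresses, timings and
# rule numbers are made up for this example; the last line is ordinary noise.
SAMPLE_LOG = """\
Jul 24 04:01:10 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4321 192.0.2.10:23 L=60 S=0x00 I=12345 F=0x4000 T=51 SYN (#5)
Jul 24 04:01:11 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4322 192.0.2.10:21 L=60 S=0x00 I=12346 F=0x4000 T=51 SYN (#5)
Jul 24 04:01:12 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4323 192.0.2.10:22 L=60 S=0x00 I=12347 F=0x4000 T=51 SYN (#5)
Jul 24 04:01:13 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4324 192.0.2.10:25 L=60 S=0x00 I=12348 F=0x4000 T=51 SYN (#5)
Jul 24 04:05:40 fw kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.9:137 192.0.2.10:137 L=78 S=0x00 I=2034 F=0x0000 T=118 (#6)
Jul 24 04:07:02 fw kernel: Packet log: input DENY eth0 PROTO=1 198.51.100.20:8 192.0.2.10:0 L=84 S=0x00 I=501 F=0x0000 T=243 (#7)
Jul 24 04:09:15 fw kernel: Packet log: output ACCEPT eth0 PROTO=6 192.0.2.10:1025 203.0.113.50:80 L=60 S=0x10 I=77 F=0x4000 T=64 SYN (#2)
Jul 24 04:09:16 fw kernel: not a packet log line
"""

# One syslog line: timestamp, host, then the fixed ipchains field order.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) F=0x(?P<frag>[0-9A-Fa-f]+) "
    r"T=(?P<ttl>\d+)(?P<rest>.*)$"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
BLOCKED = ("DENY", "REJECT")


def parse_line(line):
    """Return the header fields ipchains logged, or None for any other syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    proto = int(d["proto"])
    rec = {
        # syslog carries no year; the 1900 default is fine, only differences are used
        "time": datetime.strptime(d["ts"], "%b %d %H:%M:%S"),
        "chain": d["chain"], "verdict": d["verdict"], "iface": d["iface"],
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": d["src"], "dst": d["dst"],          # src is as claimed on the wire
        "length": int(d["length"]), "ttl": int(d["ttl"]),
        "syn": "SYN" in d["rest"].split(),         # ipchains appends SYN for TCP SYNs
        "rule": None,                              # "(#N)" = matching rule number
    }
    if proto == 1:   # for ICMP the two "port" slots hold type and code
        rec["icmp_type"], rec["icmp_code"] = int(d["sport"]), int(d["dport"])
    else:
        rec["sport"], rec["dport"] = int(d["sport"]), int(d["dport"])
    rule = re.search(r"\(#(\d+)\)", d["rest"])
    if rule:
        rec["rule"] = int(rule.group(1))
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Who is doing what: blocked packets per source and the ports each one touched."""
    denied = Counter(r["src"] for r in records if r["verdict"] in BLOCKED)
    ports = defaultdict(set)
    for r in records:
        if r["verdict"] in BLOCKED and "dport" in r:
            ports[r["src"]].add(r["dport"])
    return {"denied_by_src": dict(denied),
            "ports_by_src": {src: sorted(p) for src, p in ports.items()}}


def find_port_scans(records, min_ports=3, window=timedelta(seconds=60)):
    """Sources that hit >= min_ports distinct TCP/UDP ports on one host within `window`."""
    hits = defaultdict(list)
    for r in records:
        if "dport" in r and r["verdict"] in BLOCKED:
            hits[(r["src"], r["dst"])].append((r["time"], r["dport"]))
    scans = {}
    for (src, dst), events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                scans[(src, dst)] = sorted(ports)
                break
    return scans


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["time"].strftime("%b %d %H:%M:%S"), r["chain"], r["verdict"],
              r["proto"], r["src"], "->", r["dst"], r.get("dport", ""))
    print(summarize(recs))
    print(find_port_scans(recs))
```

Feed it real lines with something like `grep 'Packet log:' /var/log/messages` piped into `parse_log`; the ACCEPT line in the sample is there to show that the same parser handles logged outgoing traffic if you put -l on accept rules too, which is where the disk-space problem gu.. warns about starts.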
Post by Erik Jan van Weste » Mon, 24 Jul 2000 04:00:00
> I would like to know if it's a good choice to log packets that are being
> sent and received, and what the advantages are of logging packets on
> firewalls.

Yes, logging is a good thing. However depending on the type of
firewall (private use, professional use or heavier) you might
want to log more and more. I know some companies that log
_everything_ :-).

> How much information can you see in logged packets? And where would
> you log the packets and protect the log from malicious hackers, trojan
> kids or script kids?

Logging will typically provide you with protocol type,
(probable!) source address and reason for denial. See ipchains
doc for more information.

You could log on another machine, this is common practice. If you
want to be absolutely sure about the logs, then connect through a
one-way serial line. Logging on a printer is a) not useful,
because it is very difficult to search for events and correlate
them, and b) opens you for denial of service attacks, unless you
have a very fast printer that is :-)

> We're using Linux Slackware 7.0.

I recently switched from redhat to slackware to OpenBSD. I prefer
the latter to put it gently and with chances to open up a flame
war. The flame war is _not_ my intent! OpenBSD firewalls are
_much_ easier to maintain, much easier to develop and I think
inherently more secure. The additional advantage being that not a
lot of scripts are available for the script kiddies because it is
so much less used :-).

EJ
--
OpenBSD 2.6 on a sparc (32 MB) and a pentium 75 MHz (32 MB)
Linux 2.2.16 on a pentium 233 MHz (64 MB) and a sparc (32 MB)
FreeBSD 4.0 on a pentium 200 MHz (192 MB)
and the Mac LCII? Still doing nothing.

Post by gu.. » Mon, 24 Jul 2000 04:00:00
>You could log on another machine, this is common practice. If you
>want to be absolutely sure about the logs, then connect through a
>one-way serial line. Logging on a printer is a) not useful,
>because it is very difficult to search for events and correlate
>them, and b) opens you for denial of service attacks, unless you
>have a very fast printer that is :-)

a one-way serial line .. hmm, i never thought about that.  now
that could be fun!

--
Every sentence I utter must be understood not as an affirmation,
but as a question.
 -Niels Henrik David Bohr (1885-1962)

Post by Erik Jan van Weste » Wed, 26 Jul 2000 04:00:00
> a one-way serial line .. hmm, i never thought about that.  now
> that could be fun!

Explain?

EJ
--
OpenBSD 2.6 on a sparc (32 MB) and a pentium 75 MHz (32 MB)
Linux 2.2.16 on a pentium 233 MHz (64 MB) and a sparc (32 MB)
FreeBSD 4.0 on a pentium 200 MHz (192 MB)
and the Mac LCII? Still doing nothing.
