Date: Thu, 29 Jul 2010 20:08:27 +0100
From: Greg Hennessy <Greg.Hennessy@nviz.net>
To: Peter Maxwell <peter@allicient.co.uk>
Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: RE: For better security: always "block all" or "block in all" is enough?
Message-ID: <9E8D76EC267C9444AC737F649CBBAD902769C51EE9@PEMEXMBXVS02.jellyfishnet.co.uk.local>
In-Reply-To: <AANLkTim%2Ba0aHy2eDKeiU0cGr1gzOvbwyWLTXo_N34Q3d@mail.gmail.com>
References: <20290C577F743240B5256C89EFA753810C46894B92@HIKAWSEX01.ad.harman.com>
  <9E8D76EC267C9444AC737F649CBBAD902769BF6F5B@PEMEXMBXVS02.jellyfishnet.co.uk.local>
  <AANLkTiknzx6-MgHMgpiARNZ43j00Wy_gORt%2BM9AXV6FZ@mail.gmail.com>
  <9E8D76EC267C9444AC737F649CBBAD902767E3BF75@PEMEXMBXVS02.jellyfishnet.co.uk.local>
  <AANLkTim%2Ba0aHy2eDKeiU0cGr1gzOvbwyWLTXo_N34Q3d@mail.gmail.com>

> If, as you say, there are "Governance, Risk, and Compliance reasons",
> perhaps you'd like to specify one or two for each category?

Start with an ISMS derived from 27k, add a soupcon of PCI DSS requirement 10, Basel II, throw in SOX 404 or an SAS 70 type II audit, you get the picture.

> Logging a default deny on an internal firewall, yes - ok - I agree with you, that's probably reasonable.

Only probably? How much 'commercial' firewall work have you done again, seriously?

> However, logging every blocked packet on an internet facing firewall is plain daft.

Saying it doesn’t make it so.

> Even the storage requirements would be somewhat onerous,

Storage is cheap. Damage to reputation caused by being in breach of regulatory requirements w.r.t. log retention is not.

> and that's before trying to process the data into something meaningful.
> And all to confirm that there's a lot of noise and port scanning going on.

Or it's part of a much larger picture which is fed into an SIEM system for event correlation and consequent alerting. Firewalls are not the only security control points.

Greg
