From: Chris Buechler
Date: Thu, 29 Jul 2010 19:08:54 -0400
To: Peter Maxwell
Cc: Greg Hennessy, freebsd-pf@freebsd.org
Subject: Re: For better security: always "block all" or "block in all" is enough?
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Thu, Jul 29, 2010 at 5:09 PM, Peter Maxwell wrote:
>
> An ISMS is a company defined document so will likely have different entries
> or even none at all for that matter depending on the company. In a previous
> company I worked for, you would have just supported my point.
>
> And nice try, what documents & sections in PCI DSS, Basel II, and SOX are
> you referring to?
>

I'm not going to bother looking up any specifics, but by your comments as a whole it's blatantly obvious you haven't spent any time in a highly regulated environment with internal and external auditors plus federal regulators auditing more on top of that. Or maybe things across the pond are vastly different than they are in the US, but I doubt that.

>> Or it's part of a much larger picture which is fed into an SIEM system for
>> event correlation and consequent alerting.
>>
>
> So, you're also exposing a node in your SEM to a shed load of unnecessary
> noise.
>

Not true in the least. Block logs are probably overvalued as a whole since what you're dropping by definition can't hurt you and the less clueful tend to be more concerned about what they're blocking than what they're passing, but there is value in analysis there. If your hourly/daily average is X log entries and all of a sudden it's drastically higher or lower than normal, there's something going on that should be investigated.
What Greg describes is very common (nearly universal aside from small institutions) in highly regulated environments and provides value. The bulk of such organizations I've done work for do the equivalent of adding a 'log' to every single line in your pf.conf (or very close to it), and dump huge amounts of log data to their SIEM. Or use something like NetFlow for passed traffic, and just let the firewall log all blocks only.
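The "hourly average is X, suddenly it's much higher or lower" check from the message above, as an added example that is not part of this thread or of pf itself. It parses block decisions from lines shaped like the output of `tcpdump -n -e -ttt -r /var/log/pflog`, buckets them per hour, and flags hours that deviate from the median by a factor. The log lines, the rule number, the interface name `em0` and the addresses are all constructed for the demo, and the exact line shape is an assumption about how tcpdump renders pflog records.

```python
import re
from collections import Counter
from statistics import median

# Shape of a pflog record as tcpdump prints it (assumed; constructed for this example):
#   Jul 29 08:00:00.000000 rule 1/0(match): block in on em0: 198.51.100.1.40000 > 203.0.113.10.22: ...
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<hour>\d{2}):\d{2}:\d{2}\.\d+ "
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): (?P<src>[\d.]+) > (?P<dst>[\d.]+):"
)


def constructed_pflog_lines():
    """Synthetic pflog extract (constructed data, not real traffic).

    A quiet baseline of a few blocked SSH probes per hour, a burst at 12:00,
    and nothing at all at 14:00 (hour 13 is normal again).  One 'pass' line
    is included to show that only block decisions are counted.
    """
    counts = {8: 3, 9: 4, 10: 3, 11: 4, 12: 16, 13: 3}
    lines = [
        "Jul 29 08:30:00.000000 rule 4/0(match): pass in on em0: "
        "198.51.100.50.51000 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0"
    ]
    for hour, n in counts.items():
        for i in range(n):
            lines.append(
                f"Jul 29 {hour:02d}:{i:02d}:00.000000 rule 1/0(match): block in on em0: "
                f"198.51.100.{i + 1}.4000{i % 10} > 203.0.113.10.22: "
                "Flags [S], seq 1, win 65535, length 0"
            )
    return lines


def blocks_per_hour(lines, expected=()):
    """Count logged block decisions per (month, day, hour) bucket.

    `expected` lists buckets that should exist even with zero hits, so a
    sudden silence (logging broke, or traffic stopped) shows up as 0 rather
    than disappearing from the table.
    """
    counts = Counter({bucket: 0 for bucket in expected})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["action"] != "block":
            continue
        counts[(m["mon"], int(m["day"]), int(m["hour"]))] += 1
    return counts


def flag_anomalous_hours(counts, factor=3.0):
    """Return (bucket, count, baseline) for hours far above or below the median.

    The median is used as the baseline so that a single burst does not inflate
    the "normal" level it is being compared against.
    """
    if not counts:
        return []
    base = median(counts.values())
    return [
        (bucket, n, base)
        for bucket, n in sorted(counts.items())
        if n > base * factor or n < base / factor
    ]


if __name__ == "__main__":
    expected = [("Jul", 29, h) for h in range(8, 15)]
    per_hour = blocks_per_hour(constructed_pflog_lines(), expected)
    for (mon, day, hour), n, base in flag_anomalous_hours(per_hour):
        print(f"{mon} {day} {hour:02d}:00  {n} blocks (baseline {base})  <-- investigate")
```

In practice the counts would come from a SIEM or from `tcpdump -r` over a rotated pflog, and the factor and the set of expected buckets would be tuned per site; the point is that the volume of blocks, not the individual dropped packets, is what carries the signal.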