Date: Thu, 29 Jul 2010 19:08:54 -0400
From: Chris Buechler <cbuechler@gmail.com>
To: Peter Maxwell <peter@allicient.co.uk>
Cc: Greg Hennessy <Greg.Hennessy@nviz.net>, "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: For better security: always "block all" or "block in all" is enough?
Message-ID: <AANLkTinyxRxV3pkj2s=Y5pOxGaWa-2MgnMBAu0ExSfNa@mail.gmail.com>
In-Reply-To: <AANLkTinimMg2HiRqF9rhAJn7GJosH_Ww5TsM3uzpbi8T@mail.gmail.com>
References: <20290C577F743240B5256C89EFA753810C46894B92@HIKAWSEX01.ad.harman.com> <9E8D76EC267C9444AC737F649CBBAD902769BF6F5B@PEMEXMBXVS02.jellyfishnet.co.uk.local> <AANLkTiknzx6-MgHMgpiARNZ43j00Wy_gORt%2BM9AXV6FZ@mail.gmail.com> <9E8D76EC267C9444AC737F649CBBAD902767E3BF75@PEMEXMBXVS02.jellyfishnet.co.uk.local> <AANLkTim%2Ba0aHy2eDKeiU0cGr1gzOvbwyWLTXo_N34Q3d@mail.gmail.com> <9E8D76EC267C9444AC737F649CBBAD902769C51EE9@PEMEXMBXVS02.jellyfishnet.co.uk.local> <AANLkTinimMg2HiRqF9rhAJn7GJosH_Ww5TsM3uzpbi8T@mail.gmail.com>
On Thu, Jul 29, 2010 at 5:09 PM, Peter Maxwell <peter@allicient.co.uk> wrote:
>
> An ISMS is a company-defined document, so it will likely have different entries,
> or even none at all for that matter, depending on the company. In a previous
> company I worked for, you would have just supported my point.
>
> And nice try, what documents & sections in PCI DSS, Basel II, and SOX are
> you referring to?
>

I'm not going to bother looking up any specifics, but by your comments as a
whole it's blatantly obvious you haven't spent any time in a highly regulated
environment with internal and external auditors plus federal regulators
auditing more on top of that. Or maybe things across the pond are vastly
different than they are in the US, but I doubt that.

>> Or it's part of a much larger picture which is fed into an SIEM system for
>> event correlation and consequent alerting.
>>
>
> So, you're also exposing a node in your SEM to a shed load of unnecessary
> noise.
>

Not true in the least. Block logs are probably overvalued as a whole, since
what you're dropping by definition can't hurt you, and the less clueful tend
to be more concerned about what they're blocking than what they're passing,
but there is value in analysis there. If your hourly/daily average is X log
entries and all of a sudden it's drastically higher or lower than normal,
there's something going on that should be investigated.

What Greg describes is very common (nearly universal aside from small
institutions) in highly regulated environments and provides value. The bulk
of such organizations I've done work for do the equivalent of adding a 'log'
to every single line in your pf.conf (or very close to it), and dump huge
amounts of log data to their SIEM. Or use something like NetFlow for passed
traffic, and just let the firewall log all blocks only.
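The volume-baseline check Chris describes above (an hour whose block count is far above or far below the usual X entries deserves a look) is simple enough to script against the pflog records. The following is an added example, not code from the thread or from the pf project. It assumes the text rendering that `tcpdump -n -e -tttt -r /var/log/pflog` produces ("rule N/M(match): block in on em0: src > dst: ..."); the exact prefix varies with tcpdump flags and version, so adjust the regex if yours differs. The sample lines are constructed inline: eleven ordinary hours, one hour with a scan-sized spike, and one hour where logging nearly stopped, which is the "drastically lower than normal" case that a count-only threshold would miss.

```python
"""Hourly baseline check on pf block-log volume (added example, not from the
thread).  Parses tcpdump-rendered pflog lines, counts blocks per hour and flags
hours that deviate sharply from the median hour."""
import re
from collections import Counter
from statistics import median

# Assumption: tcpdump -n -e -tttt -r /var/log/pflog prints lines shaped like
#   2010-07-29 08:05:05.000000 rule 3/0(match): block in on em0: A.B.C.D.port > E.F.G.H.port: ...
# The "rule N/M(match): ACTION DIR on IFACE:" part is what we key on.
PFLOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) (?P<hour>\d{2}):\d{2}:\d{2}\.\d+ "
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) (?P<direction>in|out) "
    r"on (?P<iface>\w+): (?P<src>\S+) > (?P<dst>\S+):"
)


def parse_pflog(lines):
    """Yield one dict per line that matches the pflog layout; skip the rest."""
    for line in lines:
        m = PFLOG_RE.match(line)
        if m:
            yield m.groupdict()


def hourly_counts(lines, action="block"):
    """Count records with the given action per 'YYYY-MM-DD HH' bucket."""
    counts = Counter()
    for rec in parse_pflog(lines):
        if rec["action"] == action:
            counts[f'{rec["day"]} {rec["hour"]}'] += 1
    return counts


def flag_anomalies(counts, factor=4.0):
    """Return the hours whose count is above factor*median or below median/factor.

    The median is used rather than the mean so that the anomalous hour itself
    does not drag the baseline along with it.  Low-side hits matter too: a
    quiet hour can mean the log pipeline (pflogd, syslog forwarder) died."""
    if not counts:
        return {}
    base = median(counts.values())
    return {h: c for h, c in counts.items() if c > base * factor or c < base / factor}


def make_sample():
    """Constructed sample: hours 00-11 of one day with ~40 blocks and 20 passes
    each, except hour 08 (SSH scan: 400 blocks) and hour 10 (logging stalled:
    2 blocks).  Addresses are RFC 5737 documentation ranges."""
    lines = []
    for hour in range(12):
        blocks = {8: 400, 10: 2}.get(hour, 40)
        for i in range(blocks):
            src = f"198.51.100.{(i % 250) + 1}.{40000 + i}"
            lines.append(
                f"2010-07-29 {hour:02d}:{i % 60:02d}:{i % 60:02d}.000000 "
                f"rule 3/0(match): block in on em0: {src} > 192.0.2.10.22: S"
            )
        for i in range(20):
            lines.append(
                f"2010-07-29 {hour:02d}:{i:02d}:30.000000 "
                f"rule 7/0(match): pass in on em0: 203.0.113.{i + 1}.51000 > 192.0.2.10.443: S"
            )
    lines.append("not a pflog line at all")  # exercises the skip path
    return lines


if __name__ == "__main__":
    sample = make_sample()
    blocks = hourly_counts(sample)
    for hour, n in flag_anomalies(blocks).items():
        print(f"{hour}: {n} blocks (median hour {median(blocks.values()):.0f})")
```

To run it against a real box, replace `make_sample()` with the stdout of `tcpdump -n -e -tttt -r /var/log/pflog` (or the rotated files), and pass `action="pass"` to baseline logged pass rules if you log every line as the thread describes. The factor is deliberately coarse; tune it per interface once you know your own X.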
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AANLkTinyxRxV3pkj2s=Y5pOxGaWa-2MgnMBAu0ExSfNa>