I would find it very interesting to know when an access was allowed to a critical resource if I know that in the near future of that authorization the resource was used and caused damage.
If I only get the deny logs, how will I answer the "when was the access authorised?" question? I would also use the same retention time frame as the deny logs, as they are both as valid in the investigation of access. Also, having the accept being logged would allow you to build up a database of access that you could pipe through an IDS someday, stating that it is normal that at 14:30 a user X accesses an asset Y since it has been doing so (accept/permit) for over 6 months.
The thing with deny is that they are valid only if you can prove that no "accept" was done afterwards/before.
Thanks
Philippe Rivest, Certified Ethical Hacker
Information Security Analyst
Métro Richelieu
450-662-3300x3115
►Before printing, ask yourself if you really need to!
-----Original Message-----
From: listbounce_at_securityfocus.com [mailto:listbounce_at_securityfocus.com] On behalf of Albert R. Campa
Sent: Monday, May 19, 2008 17:27
To: security-basics
Subject: Firewall Logging question?
Hi,
I am wondering what your opinion is on Firewall logging for "Accept/Permit/Allow" rules?
Is it really necessary? Are just the "deny" logs critical?
Say disk space is not in abundance.
Should you not log "accept/permit/allow" firewall rules, or log everything and have your retention reduced?
What are advantages to logging "accept/permit/allow" rules in a firewall?
Thanks in advance.
Albert
Received on May 20 2008
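The two uses of "accept" logs that the reply above argues for, as an added example that is not part of the thread: answering "when was access to this resource authorised?" for an incident window, and building a baseline of normal permitted access from the accept history so that a later accept outside it can be flagged. The log line format and the sample lines are constructed for this example and match no particular firewall vendor.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Added example (not from the thread); constructed sample lines in an assumed format.
SAMPLE_LOG = """\
2008-05-19T14:30:02 ACCEPT src=10.0.0.5 dst=10.0.1.20 dport=445
2008-05-19T14:31:10 DENY src=10.0.0.9 dst=10.0.1.20 dport=445
2008-05-19T14:32:44 ACCEPT src=10.0.0.5 dst=10.0.1.20 dport=445
2008-05-19T16:02:13 ACCEPT src=10.0.0.7 dst=10.0.1.30 dport=22
2008-05-19T23:58:30 ACCEPT src=10.0.0.9 dst=10.0.1.20 dport=445
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ACCEPT|DENY) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            e["dport"] = int(e["dport"])
            events.append(e)
    return events

def accepts_before(events, dst, damage_time_iso, window_minutes):
    """ACCEPT events to `dst` in the window before the damage was observed:
    this answers 'when was the access authorised?', which DENY lines cannot."""
    end = datetime.fromisoformat(damage_time_iso)
    start = end - timedelta(minutes=window_minutes)
    return [e for e in events
            if e["action"] == "ACCEPT" and e["dst"] == dst and start <= e["ts"] <= end]

def build_baseline(events, min_count=2):
    """(src, dst, dport, hour) tuples seen at least `min_count` times in ACCEPT
    lines are treated as established, 'normal' access."""
    seen = Counter((e["src"], e["dst"], e["dport"], e["ts"].hour)
                   for e in events if e["action"] == "ACCEPT")
    return {key for key, n in seen.items() if n >= min_count}

def is_anomalous(baseline, event):
    """An accepted connection outside the baseline is worth a look even though
    the firewall allowed it; DENY lines are never scored here."""
    key = (event["src"], event["dst"], event["dport"], event["ts"].hour)
    return event["action"] == "ACCEPT" and key not in baseline
```

With only the DENY line kept, the 14:30 and 14:32 accepts that precede an incident on 10.0.1.20 would be invisible, and the 23:58 accept from a host with no history to that asset could not be told apart from routine traffic.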