Security Incidents mailing list archives

Re: Odd scans and stuff bouncing off firewalls
From: woods () weird com (Greg A. Woods)
Date: Tue, 13 Aug 2002 14:54:41 -0400 (EDT)

[ On Tuesday, August 13, 2002 at 16:57:31 (+0100), Nexus wrote: ]
Subject: Odd scans and stuff bouncing off firewalls

Just a quick straw poll to see if anyone has any hard data that supports the
logging and analysis of traffic that bounces off of filtering devices as
part of a business security plan?  Other than generating attack metrics to
wave under the noses of senior management at budget time, is there any
definite _business_ requirement to have IDS sensors outside the firewall or
firewall "drop" logs et al regularly examined in the context of "external"
attack sources?

I should hope not.  ;-)

Any such _business_ requirement would be sadly and sorely misguided.

I don't bother to chase anything from anywhere unless it makes it through
the filters because I could care less and it would IMHO purely be a time
sink and even then only if it's from a netblock that has a whois abuse@
entry.

I agree with you entirely!

Filter logs are mostly merely an interesting time diversion when one is
bored because one's firewall defenses have proven to be sufficiently
impenetrable, and they are otherwise only an optional way to prop up any
budget requests (i.e. to assure upper management that the Big Bad
Internet is still a wild and wooly place and that a good defense is
still an absolute requirement for participating in it when any aspects
of one's business might be placed at risk by such participation).

(This is assuming of course that any IDS mechanisms used to detect
flooding style attacks are separate from firewall filter logs.)

-- 
                                                                Greg A. Woods

+1 416 218-0098;            <g.a.woods () ieee org>;           <woods () robohack ca>
Planix, Inc. <woods () planix com>; VE3TCP; Secrets of the Weird <woods () weird com>
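The triage policy argued in this thread (count dropped traffic only as a budget metric, investigate only what makes it through the filter) as an added Python example, not code from either poster; the log lines are constructed in a simplified iptables-style format and the field names and the /24 grouping are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample lines in a simplified iptables-style log format.
SAMPLE_LOG = """\
Aug 13 14:50:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445
Aug 13 14:50:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=139
Aug 13 14:50:05 fw kernel: DROP IN=eth0 SRC=198.51.100.22 DST=192.0.2.10 PROTO=UDP DPT=1434
Aug 13 14:51:10 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.22 DST=192.0.2.10 PROTO=TCP DPT=80
Aug 13 14:52:30 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.9 DST=192.0.2.11 PROTO=TCP DPT=22
"""

LINE_RE = re.compile(r"\b(?P<action>DROP|ACCEPT)\b.*?\bSRC=(?P<src>\S+).*?\bDPT=(?P<dpt>\d+)")


def triage(log_text, prefix_len=24):
    """Return (drop metrics per netblock, escalation list).

    Dropped packets never become incidents here; they are only counted per
    netblock so a summary can be reported at budget time. Accepted
    connections are the ones to investigate, annotated with how many earlier
    drops came from the same source so the analyst gets that context without
    reading the drop log.
    """
    drops_by_block = Counter()
    drops_by_src = Counter()
    escalate = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # lines not produced by the filter are ignored
        src, dpt = m.group("src"), int(m.group("dpt"))
        if m.group("action") == "DROP":
            block = ip_network(f"{src}/{prefix_len}", strict=False)
            drops_by_block[str(block)] += 1
            drops_by_src[src] += 1
        else:
            escalate.append({"src": src, "dpt": dpt, "prior_drops": drops_by_src[src]})
    return drops_by_block, escalate


if __name__ == "__main__":
    metrics, incidents = triage(SAMPLE_LOG)
    for block, n in metrics.most_common():
        print(f"{block}: {n} dropped")
    for inc in incidents:
        print("investigate:", inc)
```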

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
