For better security: always "block all" or "block in all" is enough?
Peter Maxwell
peter at allicient.co.uk
Thu Jul 29 21:09:48 UTC 2010
On 29 July 2010 20:08, Greg Hennessy <Greg.Hennessy at nviz.net> wrote:
>
>
> > If, as you say, there are "Governance, Risk, and Compliance reasons",
> > perhaps you'd like to specify one or two for each category?
>
> Start with an ISMS derived from 27k, add a soupçon of PCI DSS requirement
> 10, Basel II, throw in SOX 404 or an SAS 70 type II audit, you get the
> picture.
>
An ISMS is a company-defined document, so it will likely have different entries
or even none at all for that matter, depending on the company. In a previous
company I worked for, you would have just supported my point.
And nice try, what documents & sections in PCI DSS, Basel II, and SOX are
you referring to?
> > Logging a default deny on an internal firewall, yes - ok - I agree with
> > you, that's probably reasonable.
>
> Only probably? How much 'commercial' firewall work have you done again,
> seriously ?
>
Again? I didn't tell you to begin with. As it happens, more than ten
years, a significant proportion of which was in a major ISP. Since we're
playing whose willy is bigger, what about yourself?
>
> > However, logging every blocked packet on an internet facing firewall is
> > plain daft.
>
> Saying it doesn’t make it so.
>
The converse applies to your position.
>
> > Even the storage requirements would be somewhat onerous,
>
> Storage is cheap. Damage to reputation caused by being in breach of
> regulatory requirements w.r.t log retention is not.
>
Not that cheap. And at the current point in time, in the UK at least, I
know of no statutory requirement to keep such logs.
I'd asked before what sort of bandwidth & connections per second the
firewalls you/you've worked on tend to handle?
>
> > and that's before trying to process the data into something meaningful.
> > And all to confirm that there's a lot of noise and port scanning going
> > on.
>
> Or it's part of a much larger picture which is fed into an SIEM system for
> event correlation and consequent alerting.
>
So, you're also exposing a node in your SEM to a shed load of unnecessary
noise.
>
> Firewalls are not the only security control points
>
Nope, they're not. They're also a fairly blunt instrument but must be
extremely reliable.
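The thread argues about whether logging every packet hit by an external default deny is worth the storage and the noise it pushes into a SIEM. One middle ground a defender can apply is to reduce the raw pflog stream to per-interface and per-port counts plus a list of sources that touched many ports, and forward only that summary. The script below is an added example written for this page, not code from either poster or from the pf project; it parses lines in the text format produced by `tcpdump -n -e -ttt -r /var/log/pflog`, and the sample lines, addresses and rule numbers embedded in it are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the style of `tcpdump -n -e -ttt -r /var/log/pflog`
# output. Addresses are documentation ranges; rule numbers are made up.
SAMPLE_PFLOG = """\
00:00:00.000000 rule 2/0(match): block in on em0: 192.0.2.10.41000 > 198.51.100.2.22: Flags [S], seq 1, win 65535, length 0
00:00:00.000120 rule 2/0(match): block in on em0: 192.0.2.10.41001 > 198.51.100.2.23: Flags [S], seq 2, win 65535, length 0
00:00:00.000130 rule 2/0(match): block in on em0: 192.0.2.10.41002 > 198.51.100.2.25: Flags [S], seq 3, win 65535, length 0
00:00:00.000140 rule 2/0(match): block in on em0: 192.0.2.10.41003 > 198.51.100.2.80: Flags [S], seq 4, win 65535, length 0
00:00:00.000150 rule 2/0(match): block in on em0: 192.0.2.10.41004 > 198.51.100.2.443: Flags [S], seq 5, win 65535, length 0
00:00:00.000160 rule 2/0(match): block in on em0: 192.0.2.10.41005 > 198.51.100.2.3389: Flags [S], seq 6, win 65535, length 0
00:00:01.500000 rule 2/0(match): block in on em0: 203.0.113.7.55000 > 198.51.100.2.445: Flags [S], seq 7, win 8192, length 0
00:00:02.000000 rule 2/0(match): block in on em0: 203.0.113.8.55001 > 198.51.100.2.445: Flags [S], seq 8, win 8192, length 0
00:00:03.000000 rule 5/0(match): block in on em1: 10.0.0.15.60000 > 10.0.0.1.3306: Flags [S], seq 9, win 65535, length 0
this line is not a pflog record and is skipped
"""

# Fields we need from each record: rule number, action, direction, interface,
# source/destination address and port. Anything after the ports is ignored.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<iface>\w+): (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_pflog(text):
    """Turn tcpdump-style pflog text into a list of dicts; unparseable lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("rule", "sport", "dport"):
            rec[key] = int(rec[key])
        events.append(rec)
    return events


def summarize_blocks(events, scan_threshold=5):
    """Collapse raw block records into counts and flag sources hitting many ports.

    scan_threshold is the number of distinct destination ports one source must
    touch before it is reported; it is a tunable chosen for this example.
    """
    blocked = [e for e in events if e["action"] == "block"]
    per_iface = Counter(e["iface"] for e in blocked)
    per_port = Counter((e["iface"], e["dport"]) for e in blocked)
    ports_by_src = defaultdict(set)
    for e in blocked:
        ports_by_src[e["src"]].add(e["dport"])
    scanners = sorted(
        src for src, ports in ports_by_src.items() if len(ports) >= scan_threshold
    )
    return {
        "blocked_records": len(blocked),
        "per_iface": dict(per_iface),
        "per_port": dict(per_port),
        "scanners": scanners,
    }


def summary_lines(summary):
    """Render the summary as the handful of lines you would actually forward."""
    out = [f"blocked records: {summary['blocked_records']}"]
    for iface, n in sorted(summary["per_iface"].items()):
        out.append(f"{iface}: {n} blocked")
    for (iface, port), n in sorted(summary["per_port"].items()):
        out.append(f"{iface} port {port}: {n}")
    for src in summary["scanners"]:
        out.append(f"likely scanner: {src}")
    return out


if __name__ == "__main__":
    for line in summary_lines(summarize_blocks(parse_pflog(SAMPLE_PFLOG))):
        print(line)
```

Nine raw records become a dozen summary lines here, but the ratio grows with traffic: a day of external default-deny noise collapses to a per-port histogram plus the few sources that swept many ports, which is what a correlation engine can use, while the full pflog stays on the firewall (or on cheap local storage) for the cases where a retention requirement or an investigation needs the packets themselves.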