Thanks, Michael, once again, for your always thoughtful and
knowledgeable comments!
In the message "Re: [Security] Re: [MAGNet] Norton Personal Firewall
3.0.2 ", dated 2005-05-19, Michael Sinatra wrote:
> Aron Roberts wrote:
>
>> The minimum standards implementation guidelines
>> <http://security.berkeley.edu:2002/MinStds/Firewalls.html> require that
>> host-based firewall software be capable of, and configured to, "log
>> inbound and outbound blocked packets."
>
> That's not quite my reading of that page. The page states that the ICF
> must be configured in such a way, but I don't interpret that that any
> firewall MUST be configured to log all inbound and outbound packets.
> However, they do need to be capable of doing so.
> ...
> I can't think of any rationale to mandate logging as part
> of minimum standards, but I'd like to pose that question to CISC, as I
> may be missing something. ... It is [nonetheless] very helpful to
> do logging [under various circumstances ...]
That point definitely needs to be clarified by CISC/SNS in the
minimum standards.
To date, we have interpreted the following text from the Firewalls
page of the implementation guidelines
<http://security.berkeley.edu:2002/MinStds/Firewalls.html> as
configuration requirements, not merely minimum capabilities.
(Emphasis added via << >> symbols):
> To meet the Minimum Standards, other host-based firewalls listed
> on the Campus software distribution website <<must, at a minimum>>:
>
> * Be running at all times
> * Block inbound traffic to ports that are not running
> necessary services
> * <<Log inbound and outbound blocked packets>>
> * Allow all inbound and outbound ICMP traffic except "mask discovery"
We also came away with a different interpretation than yours of
that page's suggested configuration for the Windows ICF firewall,
viewing that as further confirmation that the general guidelines,
above, require that host-based firewalls be configured to log
blocked/dropped packets:
> <<To meet the Minimum Standards>>, ICF <<must also be configured to
> log blocked packets>> and allow ICMP. After the final step on
> Microsoft's page, you should:
>
> 1. Click on the "Settings..." button at the bottom of the window.
> 2. Click the "Security Logging" tab.
> 3. <<Check the box marked "Log dropped packets".>>
Given that denial of service vulnerabilities could potentially be
introduced by enabling logging, as you've outlined, clarification of
this item in the implementation guidelines is even more imperative.
Aron Roberts
Workstation Software Support Group
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.
Received on Thu May 19 12:26:35 2005
This archive was generated by hypermail 2.1.8 : Thu May 19 2005 - 12:26:37 PDT