Re: [Security] Re: [MAGNet] Norton Personal Firewall 3.0.2 incompatible with Mac OS X 10.4

From: Lucas Rockwell <lucasr_at_tsw.berkeley.edu>
Date: Thu May 19 2005 - 13:50:46 PDT

Hi Michael,

I very much agree with what you said about logging. However, and I am
sorry to be splitting hairs here, my reading of the page is in line
with Aron's. It states under Other Firewalls:

"To meet the Minimum Standards, other host-based firewalls listed on
the Campus software distribution website must, at a minimum: ... Log
inbound and outbound blocked packets ..."

The word "must" is clearly used in that statement.

Again, hopefully there will be official clarification soon on this
issue.

-lucas

On May 19, 2005, at 12:00 PM, Michael Sinatra wrote:

> Aron Roberts wrote:
>
>> The minimum standards implementation guidelines
>> <http://security.berkeley.edu:2002/MinStds/Firewalls.html> require
>> that host-based firewall software be capable of, and configured to,
>> "log inbound and outbound blocked packets."
>
> That's not quite my reading of that page. The page states that the ICF
> must be configured in such a way, but I don't interpret that to mean
> that any firewall MUST be configured to log all inbound and outbound
> packets. However, they do need to be capable of doing so.
>
> Such a firewall policy is dangerous, as it can greatly magnify the
> deleterious effects of a DoS attack (especially a SYN flood) or even
> aggressive port scans. Having to log thousands or tens of thousands of
> packets per second can greatly slow down a machine and can cause disk
> space exhaustion--again greatly exacerbating the effects of a DoS
> attack. I have had various experiences with this, and I know that it
> can happen in real life.
>
> Some firewalls are now capable of throttling logging or limiting it.
> ipfw, on which the Mac OS X integral firewall is based, can be
> hard-limited to 100 logging entries per rule. However, that means that
> once the 100 entries are reached, that rule will never log again until
> a command is sent to ipfw to reset the counter or the machine is
> rebooted. (I don't know how to impose this limit in Mac OS X, only
> FreeBSD.)
>
> Of course, not all host-based firewalls can do log throttling, and even
> in the presence of such a feature, there may be very good reasons not
> to do logging. I can't think of any rationale to mandate logging as part
> of minimum standards, but I'd like to pose that question to CISC, as I
> may be missing something. It is very helpful to do logging and it is
> considered a best practice to log extensively when a firewall is first
> set up, or when new rules are added, so that their effects can be seen.
> Also, whenever a problem arises that requires troubleshooting, the
> firewall log should usually be one of the first things activated. So
> it's easy to see why such a capability should be mandated, but when the
> firewall is known to be working properly and no network problems are
> seen, turning off logging could go a long way toward saving your butt.
>
> michael
>
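The per-rule log limit Michael describes above, modelled as an added example (not code from the thread, and not ipfw itself): FreeBSD's ipfw lets a rule carry `log logamount N`, keeps a per-rule count of logged packets, and stops logging that rule once the count hits N until `ipfw resetlog` clears the counters. The names `LoggedRule`, `Firewall` and `syn_flood_demo` are constructed for this illustration, as is the flood traffic.

```python
# Model of ipfw's "logamount" behaviour (constructed example, not ipfw code).
# Shows both sides of the trade-off discussed in the thread: a bounded log
# under a SYN flood, and the rule going silent afterwards until reset.
from dataclasses import dataclass, field


@dataclass
class LoggedRule:
    number: int
    action: str          # e.g. "Deny"
    logamount: int       # 0 means unlimited, as in ipfw
    logged: int = 0      # entries written since the last reset
    matched: int = 0     # packets that hit the rule at all

    def match(self, pkt: str) -> bool:
        """Account for a packet hitting this rule; True if a log line was written."""
        self.matched += 1
        if self.logamount and self.logged >= self.logamount:
            return False  # limit reached: silent until resetlog
        self.logged += 1
        return True


@dataclass
class Firewall:
    rule: LoggedRule                       # single-rule model is enough here
    log_lines: list = field(default_factory=list)

    def resetlog(self) -> None:
        # Equivalent of `ipfw resetlog`: clears only the logging counter.
        self.rule.logged = 0

    def feed(self, packets) -> int:
        for pkt in packets:
            if self.rule.match(pkt):
                # format mirrors ipfw's syslog lines: "ipfw: <rule> <action> <pkt>"
                self.log_lines.append(f"ipfw: {self.rule.number} {self.rule.action} {pkt}")
        return len(self.log_lines)


def syn_flood_demo(limit: int = 100, flood_size: int = 5000):
    """Return (lines logged during flood, lines added by the next blocked
    packet, lines added by one packet after resetlog)."""
    fw = Firewall(LoggedRule(100, "Deny", limit))
    # constructed flood: many SYNs to port 22 from spoofed sources (RFC 5737 ranges)
    flood = [f"TCP 203.0.113.{i % 254 + 1}:{1024 + i} 192.0.2.10:22 in" for i in range(flood_size)]
    during = fw.feed(flood)
    later = fw.feed(["TCP 198.51.100.7:4444 192.0.2.10:22 in"]) - during
    fw.resetlog()
    after_reset = fw.feed(["TCP 198.51.100.7:4444 192.0.2.10:22 in"]) - during - later
    return during, later, after_reset
```

With the default limit of 100 a 5000-packet flood produces exactly 100 log lines, the next blocked packet produces none, and one packet after the reset is logged again; with `limit=0` every packet is logged, which is the disk-exhaustion case the thread warns about.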
