Date: Thu, 29 Jul 2010 22:09:46 +0100
From: Peter Maxwell <peter@allicient.co.uk>
To: Greg Hennessy <Greg.Hennessy@nviz.net>
Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: For better security: always "block all" or "block in all" is enough?
Message-ID: <AANLkTinimMg2HiRqF9rhAJn7GJosH_Ww5TsM3uzpbi8T@mail.gmail.com>
In-Reply-To: <9E8D76EC267C9444AC737F649CBBAD902769C51EE9@PEMEXMBXVS02.jellyfishnet.co.uk.local>
References: <20290C577F743240B5256C89EFA753810C46894B92@HIKAWSEX01.ad.harman.com> <9E8D76EC267C9444AC737F649CBBAD902769BF6F5B@PEMEXMBXVS02.jellyfishnet.co.uk.local> <AANLkTiknzx6-MgHMgpiARNZ43j00Wy_gORt%2BM9AXV6FZ@mail.gmail.com> <9E8D76EC267C9444AC737F649CBBAD902767E3BF75@PEMEXMBXVS02.jellyfishnet.co.uk.local> <AANLkTim%2Ba0aHy2eDKeiU0cGr1gzOvbwyWLTXo_N34Q3d@mail.gmail.com> <9E8D76EC267C9444AC737F649CBBAD902769C51EE9@PEMEXMBXVS02.jellyfishnet.co.uk.local>
On 29 July 2010 20:08, Greg Hennessy <Greg.Hennessy@nviz.net> wrote:
>
> > If, as you say, there are "Governance, Risk, and Compliance reasons",
> > perhaps you'd like to specify one or two for each category?
>
> Start with an ISMS derived from 27k, add a soupcon of PCI DSS requirement
> 10, Basel II, throw in SOX 404 or an SAS 70 type II audit, you get the
> picture.

An ISMS is a company defined document so will likely have different entries or even none at all for that matter depending on the company. In a previous company I worked for, you would have just supported my point.

And nice try, what documents & sections in PCI DSS, Basel II, and SOX are you referring to?

> > Logging a default deny on an internal firewall, yes - ok - I agree with
> > you, that's probably reasonable.
>
> Only probably? How much 'commercial' firewall work have you done again,
> seriously ?

Again? I didn't tell you to begin with. As it happens, more than ten years, a significant proportion of which was in a major ISP. Since we're playing whose willy is bigger, what about yourself?

> > However, logging every blocked packet on an internet facing firewall is
> > plain daft.
>
> Saying it doesn't make it so.

The converse applies to your position.

> > Even the storage requirements would be somewhat onerous,
>
> Storage is cheap. Damage to reputation caused by being in breach of
> regulatory requirements w.r.t log retention is not.

Not that cheap. And at the current point in time, in the UK at least, I know of no statutory requirement to keep such logs.

I'd asked before what sort of bandwidth & connections per second the firewalls you/you've worked on tend to handle?

> > and that's before trying to process the data into something meaningful.
> > And all to confirm that there's a lot of noise and port scanning going
> > on.
>
> Or it's part of a much larger picture which is fed into an SIEM system for
> event correlation and consequent alerting.

So, you're also exposing a node in your SEM to a shed load of unnecessary noise.

> Firewalls are not the only security control points

Nope, they're not. They're also a fairly blunt instrument but must be extremely reliable.
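A pf.conf fragment showing the split argued for in the message above (log the default deny on the internal interface, keep the internet-facing default deny silent so scanning noise never reaches pflog or the SIEM). This is an added example, not code from the thread; the interface names, networks and the SSH rule are assumptions.

```pf
# Added example, not from the thread. Interface names, networks and
# the admin range are assumed / constructed (203.0.113.0/24 is a
# documentation prefix).
ext_if    = "em0"               # internet-facing interface (assumed)
int_if    = "em1"               # internal LAN interface (assumed)
int_net   = "192.168.1.0/24"    # constructed internal network
admin_net = "203.0.113.0/24"    # constructed management source range

set skip on lo0

# Default deny in both directions, deliberately WITHOUT "log":
# on the internet-facing side a logged default deny mostly records
# port scans and background noise, which is the volume problem
# raised above.
block all

# Log the default deny on the internal interface only. Unexpected
# traffic from your own hosts is worth a pflog entry, and its volume
# is bounded by your own network rather than by the whole internet.
block in log on $int_if all

# Internal hosts out, statefully; the state entry lets replies back in.
pass in  on $int_if from $int_net to any keep state
pass out on $ext_if keep state

# Services you explicitly expose get their own, narrowly scoped log
# decision instead of riding on the catch-all default deny.
pass in log on $ext_if proto tcp from $admin_net to ($ext_if) port 22 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and read what actually hits pflog with `tcpdump -n -e -ttt -i pflog0` to see how little of it is useful on the external side.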