> If, as you say, there are "Governance, Risk, and Compliance reasons",
> perhaps you'd like to specify one or two for each category?

Start with an ISMS derived from 27k, add a soupçon of PCI DSS requirement 10, Basel II, throw in SOX 404 or an SAS 70 type II audit, you get the picture.

> Logging a default deny on an internal firewall, yes - ok - I agree with you,
> that's probably reasonable.

Only probably? How much 'commercial' firewall work have you done again, seriously?

> However, logging every blocked packet on an internet facing firewall is
> plain daft.

Saying it doesn't make it so.

> Even the storage requirements would be somewhat onerous,

Storage is cheap. Damage to reputation caused by being in breach of regulatory requirements w.r.t. log retention is not.

> and that's before trying to process the data into something meaningful.
> And all to confirm that there's a lot of noise and port scanning going on.

Or it's part of a much larger picture which is fed into a SIEM system for event correlation and consequent alerting. Firewalls are not the only security control points.

Greg
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
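The step the reply points at, turning a full blocked-packet log into something a SIEM can correlate rather than one alert per packet, as an added example that is not part of the thread and not pf's own tooling. It assumes the firewall logs its default deny (`block log all` in pf.conf, with pflogd writing /var/log/pflog) and that the log has been rendered as text with `tcpdump -n -e -ttt -r /var/log/pflog`, whose per-packet header reads `rule N/M(match): block in on em0: src.sport > dst.dport:`. The log lines below are constructed (RFC 5737 documentation addresses), and the "five distinct destination ports" scan threshold is an arbitrary assumption for the example, not a recommendation from the post.

```python
"""Aggregate pflog 'block' records per source, the way a SIEM correlation rule would.

Added example, not from the freebsd-pf thread. Input is tcpdump's text rendering
of the pflog interface; SAMPLE_LOG is constructed for this example and the
scan threshold is an assumption.
"""
import re
from collections import defaultdict

# Header pflog prepends to each packet, as tcpdump prints it, followed by the
# usual "<src>.<sport> > <dst>.<dport>:" for TCP/UDP over IPv4. Lines without
# ports (ICMP, IPv6 in other notation) deliberately do not match here.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Constructed sample: one host sweeping six ports, one host retrying SMTP three
# times, one passed connection, one ICMP line the regex does not cover.
SAMPLE_LOG = """\
Mar 04 10:00:01.000001 rule 0/0(match): block in on em0: 198.51.100.7.40001 > 203.0.113.5.22: Flags [S], seq 1, win 65535, length 0
Mar 04 10:00:01.100002 rule 0/0(match): block in on em0: 198.51.100.7.40002 > 203.0.113.5.23: Flags [S], seq 1, win 65535, length 0
Mar 04 10:00:01.200003 rule 0/0(match): block in on em0: 198.51.100.7.40003 > 203.0.113.5.80: Flags [S], seq 1, win 65535, length 0
Mar 04 10:00:01.300004 rule 0/0(match): block in on em0: 198.51.100.7.40004 > 203.0.113.5.443: Flags [S], seq 1, win 65535, length 0
Mar 04 10:00:01.400005 rule 0/0(match): block in on em0: 198.51.100.7.40005 > 203.0.113.5.445: Flags [S], seq 1, win 65535, length 0
Mar 04 10:00:01.500006 rule 0/0(match): block in on em0: 198.51.100.7.40006 > 203.0.113.5.3389: Flags [S], seq 1, win 65535, length 0
Mar 04 10:00:02.000007 rule 0/0(match): block in on em0: 192.0.2.9.51000 > 203.0.113.5.25: Flags [S], seq 1, win 65535, length 0
Mar 04 10:00:05.000008 rule 0/0(match): block in on em0: 192.0.2.9.51000 > 203.0.113.5.25: Flags [S], seq 1, win 65535, length 0
Mar 04 10:00:11.000009 rule 0/0(match): block in on em0: 192.0.2.9.51000 > 203.0.113.5.25: Flags [S], seq 1, win 65535, length 0
Mar 04 10:00:12.000010 rule 3/0(match): pass in on em0: 192.0.2.50.33000 > 203.0.113.5.443: Flags [S], seq 1, win 65535, length 0
Mar 04 10:00:13.000011 rule 0/0(match): block in on em0: 192.0.2.33 > 203.0.113.5: ICMP echo request, id 1, seq 1, length 64
"""


def parse_pflog(text):
    """Return (records, unparsed_count) for tcpdump-formatted pflog text."""
    records, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = PFLOG_RE.search(line)
        if m is None:
            unparsed += 1  # counted, never silently dropped: a retention audit wants the gap visible
            continue
        rec = m.groupdict()
        for field in ("rule", "sport", "dport"):
            rec[field] = int(rec[field])
        records.append(rec)
    return records, unparsed


def summarise_blocks(records, scan_ports=5):
    """Correlate blocked packets per (interface, source address).

    Passed traffic is ignored; a source that touched at least `scan_ports`
    distinct destination ports is reported once as a scanner (threshold is an
    assumption for this example).
    """
    per_src = defaultdict(lambda: {"blocked": 0, "dst_ports": set(), "rules": set()})
    for r in records:
        if r["action"] != "block":
            continue
        entry = per_src[(r["ifname"], r["src"])]
        entry["blocked"] += 1
        entry["dst_ports"].add(r["dport"])
        entry["rules"].add(r["rule"])
    scanners = sorted(src for (_, src), e in per_src.items() if len(e["dst_ports"]) >= scan_ports)
    return {
        "per_source": dict(per_src),
        "scanners": scanners,
        "total_blocked": sum(e["blocked"] for e in per_src.values()),
    }


def report(text, scan_ports=5):
    """Parse then correlate; the shape a SIEM ingest-plus-rule pipeline produces."""
    records, unparsed = parse_pflog(text)
    summary = summarise_blocks(records, scan_ports)
    summary["unparsed"] = unparsed
    return summary


if __name__ == "__main__":
    out = report(SAMPLE_LOG)
    print(f"{out['total_blocked']} blocked packets, {out['unparsed']} unparsed lines")
    for (ifname, src), e in sorted(out["per_source"].items()):
        print(f"{ifname} {src}: {e['blocked']} blocked, ports {sorted(e['dst_ports'])}, rules {sorted(e['rules'])}")
    print("scanners:", out["scanners"])
```

Nine blocked packets collapse into two source entries and a single scanner alert, while the three SMTP retries from 192.0.2.9 stay visible as a separate, non-alerting entry; the unparsed ICMP line is counted so that a reviewer can see what the parser did not cover rather than assuming the log was complete.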