Tell you what Peter, I bow to your obviously superior knowledge on this and all other matters.
Hell, what do I know, how could I possibly compete with someone who has spent a ‘significant proportion’ of their career working for ‘major ISP’ (sic).

Regards

Greg

On a side note: the dimensions of my willy (so to speak) are readily determined through http://www.google.co.uk/

From: allicient3...@gmail.com [mailto:allicient3...@gmail.com] On Behalf Of Peter Maxwell
Sent: 29 July 2010 10:10 PM
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
Subject: Re: For better security: always "block all" or "block in all" is enough?

On 29 July 2010 20:08, Greg Hennessy <greg.henne...@nviz.net> wrote:

>> If, as you say, there are "Governance, Risk, and Compliance reasons",
>> perhaps you'd like to specify one or two for each category?
>
> Start with an ISMS derived from 27k, add a soupçon of PCI DSS requirement 10, Basel II, throw in SOX 404 or an SAS 70 type II audit, you get the picture.

An ISMS is a company-defined document, so it will likely have different entries, or even none at all for that matter, depending on the company. In a previous company I worked for, you would have just supported my point. And nice try: what documents & sections in PCI DSS, Basel II, and SOX are you referring to?

>> Logging a default deny on an internal firewall, yes - ok - I agree with you,
>> that's probably reasonable.
>
> Only probably? How much 'commercial' firewall work have you done again, seriously?

Again? I didn't tell you to begin with. As it happens, more than ten years, a significant proportion of which was in a major ISP. Since we're playing whose willy is bigger, what about yourself?

>> However, logging every blocked packet on an internet facing firewall is
>> plain daft.
>
> Saying it doesn't make it so.

The converse applies to your position.

>> Even the storage requirements would be somewhat onerous,
>
> Storage is cheap. Damage to reputation caused by being in breach of regulatory requirements w.r.t. log retention is not.

Not that cheap. And at the current point in time, in the UK at least, I know of no statutory requirement to keep such logs. I'd asked before what sort of bandwidth & connections per second the firewalls you/you've worked on tend to handle?

>> and that's before trying to process the data into something meaningful.
>> And all to confirm that there's a lot of noise and port scanning going on.
>
> Or it's part of a much larger picture which is fed into an SIEM system for event correlation and consequent alerting.

So, you're also exposing a node in your SEM to a shed load of unnecessary noise.

> Firewalls are not the only security control points

Nope, they're not. They're also a fairly blunt instrument, but one that must be extremely reliable.
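As an added illustration of the "block all" versus "block in all" question in the subject line, and of the logging choice the two posters argue over, here is a pf.conf skeleton that is not configuration from either of them. The interface name em0 and the 192.0.2.0/24 management range are assumptions; the point is the difference between the two default-deny forms and between logging every dropped packet and logging only the drops you actually want to correlate.

```pf
# Added example, not from the thread. em0 and the management range
# are assumed values; adjust to your host.
ext_if   = "em0"
mgmt_net = "192.0.2.0/24"

set skip on lo0

# Variant A: "block all" is a default deny in BOTH directions on every
# interface. Nothing leaves or enters unless a later pass rule matches.
block all

# Variant B: "block in all" is a default deny inbound only. pf passes an
# unmatched packet by default, so outbound traffic that matches no rule
# still leaves the box. This is the difference the subject line asks about.
#block in all

# Logging. The "log" keyword copies matching packets to pflog0, which you
# read with: tcpdump -n -e -ttt -i pflog0
#
# Form 1 (the "log every blocked packet" position): a logged default deny.
# On an internet-facing interface this records every scan and backscatter
# packet that reaches the box.
#block in log all
#
# Form 2 (the "keep the default deny silent" position): the default deny
# above stays unlogged, and only a chosen class of drops is logged and
# labelled so that it is cheap to pick out downstream, here inbound SSH
# from anything outside the management range.
block in log quick on $ext_if proto tcp from ! $mgmt_net to ($ext_if) port 22 \
    label "ssh-outside-mgmt"

# Explicit passes. With variant A the outbound pass is required; with
# variant B it only adds state tracking to traffic pf would pass anyway.
pass in  quick on $ext_if proto tcp from $mgmt_net to ($ext_if) port 22 \
    flags S/SA keep state
pass out quick on $ext_if inet keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check syntax, then `pfctl -f /etc/pf.conf`. `pfctl -sl` prints per-label counters, which is the cheapest way to confirm the labelled rule is matching before any of the logged packets are shipped to a collector.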
_______________________________________________ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"