Great Circle Associates Firewalls
(April 1993)
 


Subject: Re: Is there an FTP client that logs activity?
From: bdboyle @ maverick1 . erenj . com (Bryan D. Boyle)
Date: Thu, 15 Apr 1993 16:06:03 -0400
To: Marcus J Ranum <mjr @ TIS . COM>
Cc: firewalls @ GreatCircle . COM
In-reply-to: Marcus J Ranum <mjr @ TIS . COM> "Re: Is there an FTP client that logs activity?" (Apr 15, 3:31pm)
Posted-date: Thu, 15 Apr 1993 16:06:03 -0400
References: <9304151931 . AA03683 @ TIS . COM>

On Apr 15,  3:31pm, Marcus J Ranum wrote:
> Subject: Re:  Is there an FTP client that logs activity?
> >Is there an ftp client that can replace the one that
> >comes from SCO for SCO ODT 1.1/2.0 that will log
> >the file transfers that people do?
> 
> 	The one on gatekeeper.dec.com in pub/DEC does so, I believe. It
> logs the GET/PUT commands users issue.
> 
> >The aim obviously is to keep track of files that
> >are brought into the local network from the outside.
> >This is in addition to manually screening code and
> >virus checking binaries.
> 
> 	The problem is that if I can FTP from the net, I can FTP the
> sources for a client FTP and use my own, which does no logging.
> 
> 	This problem you're dealing with is why I designed the FTP
> applications gateway DEC (and its SEAL customers) use - the only way
> to *really* know that you're getting an accurate picture of what is
> going in or out via FTP is to interpose a block and have an application
> gateway that logs traffic. The DEC FTP gateway also lets the firewall
> manager select what to log, and gives the ability to block certain
> commands directionally, depending on who is talking to whom.
> 
> 	Virii are a whole 'nother, very, very tricky issue. With all
> the zillions of ASCII encodings of binaries and with the ability to
> Email stuff, it's almost impossible to prevent people from bringing
> in virii, other than through educating them.
> 
> mjr.
>-- End of excerpt from Marcus J Ranum


I have always found that (and I am using DEC's SEAL, and no, they are not
paying me to say this...) education (and a little economic persuasion, i.e.
you need permission from a senior manager to use the ftp facility, and if
_your_ efforts cause the infection of the net, then your cost center
gets charged for the cleanup...) tend to keep the noise level and problems
down.  I am pleased with the level of logging (down to the userid, target
host, cd, get, put, bin, etc. level) that this product provides.  Even
tracks the # bytes across the firewall...

Or (sorry, Marcus, I couldn't resist...:-)) as a Japanese strategist
once stated: "In large scale strategy, when the enemy embarks on an attack,
if you make a show of strongly suppressing his technique, he will change
his mind...--Miyamoto Musashi"


-- 
Bryan D. Boyle  <><         |Physical: Exxon Research, Annandale, NJ 08801
#include <disclaimer>       |Logical: bdboyle @ erenj . com
<     USENET: Post to exotic, distant machines.  Meet exciting,      >
<                 unusual people.  And flame them.                   >
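
The gateway behaviour discussed in this thread (per-command logging down to userid and target host, byte counts, and blocking commands by direction), sketched as an added example that is not part of the original messages and is not the DEC SEAL code. The policy table, record fields, host name and session lines are constructed assumptions, and a single session is modelled for brevity.

```python
from dataclasses import dataclass, field

# RFC 959 control-channel verbs behind the client commands named in the post.
CLIENT_NAME = {"CWD": "cd", "RETR": "get", "STOR": "put", "TYPE": "bin/ascii"}

@dataclass
class FtpGatewayPolicy:
    blocked: set   # {(direction, verb)}; direction = which side opened the session
    logged: set    # verbs the firewall manager chose to log
    records: list = field(default_factory=list)

    def check(self, direction, user, target, line):
        """Log one client command line; return True if the gateway relays it."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        relay = (direction, verb) not in self.blocked
        if verb in self.logged:
            if verb == "PASS":
                arg = "<redacted>"  # never write credentials to the log
            self.records.append({
                "dir": direction, "user": user, "target": target, "verb": verb,
                "client": CLIENT_NAME.get(verb, verb.lower()),
                "arg": arg, "relayed": relay, "bytes": 0})
        return relay

    def add_bytes(self, n):
        """Attribute n data-connection bytes to the latest relayed transfer."""
        for rec in reversed(self.records):
            if rec["verb"] in ("RETR", "STOR") and rec["relayed"]:
                rec["bytes"] += n
                return rec
        return None

def demo():
    # Constructed policy: inside users may fetch but not upload to the outside;
    # sessions opened from outside may not fetch files from inside hosts.
    gw = FtpGatewayPolicy(
        blocked={("outbound", "STOR"), ("inbound", "RETR")},
        logged={"CWD", "RETR", "STOR", "TYPE", "PASS"})
    session = ["PASS hunter2", "CWD /pub", "TYPE I",
               "RETR tool.tar.Z", "STOR payroll.dat"]  # constructed lines
    verdicts = [gw.check("outbound", "alice", "ftp.example.org", line)
                for line in session]
    gw.add_bytes(48213)  # constructed byte count for the relayed RETR
    return gw, verdicts
```

Because the decision is made on the control-channel verb at the gateway, it holds regardless of which FTP client the user runs, which is the point made in the quoted message.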


