Great Circle Associates Firewalls
(April 1995)
 


Subject: To Log or Not to Log (or what to log!)
From: Edward Maillet <maillet @ doc . usmcs . maine . edu>
Date: Fri, 28 Apr 1995 20:10:43 -0400 (EDT)
To: firewalls @ greatcircle . com

Hey All,
 Given the following firewall layout, what systems should log what, if 
anything at all?


Internet ----> [A] ---- DMZ ----- [B] ---- Company
                     |       |
                     |       |
                    [C]     [D]

 where [A] and [B] are filtering routers and provide ALL protection.
       [C] and [D] provide external services such as WWW, FTP and mail.
 No split DNS. (Safe?)
 No proxies or application level stuff. Protection is purely filtering (Safe?)
 No Internet to Company traffic is allowed unless started by the inside. (e.g.,
  telnet from inside to outside but not vice versa)
 
 Must [A] and/or [B] log something for packets that are discarded?
 Should [C] and [D] log something for packets at "unexpected" ports?
 
 The question behind the questions:
  Is it considered risky if [A] and [B] cannot log anything?

----- Ed Maillet
maillet @ usmcs . maine . edu







