Aron Roberts wrote:
> The minimum standards implementation guidelines
> <http://security.berkeley.edu:2002/MinStds/Firewalls.html> require that
> host-based firewall software be capable of, and configured to, "log
> inbound and outbound blocked packets."
That's not quite my reading of that page. The page states that the ICF
must be configured in such a way, but I don't interpret that as meaning any
firewall MUST be configured to log all inbound and outbound packets.
However, they do need to be capable of doing so.
Such a firewall policy is dangerous, as it can greatly magnify the
deleterious effects of a DoS attack (especially a SYN flood) or even
aggressive port scans. Having to log thousands or tens of thousands of
packets per second can greatly slow down a machine and can cause disk
space exhaustion--again greatly exacerbating the effects of a DoS
attack. I have had various experiences with this, and I know that it
can happen in real life.
Some firewalls are now capable of throttling logging or limiting it.
ipfw, on which the Mac OS X integral firewall is based, can be hard-limited to
100 logging entries per rule. However, that means that once the 100
entries are reached, that rule will never log again until a command is
sent to ipfw to reset the counter or the machine is rebooted. (I don't
know how to impose this limit in Mac OS X, only FreeBSD.)
Of course, not all host-based firewalls can do log throttling, and even
in the presence of such a feature, there may be very good reasons not to
do logging. I can't think of any rationale to mandate logging as part
of minimum standards, but I'd like to pose that question to CISC, as I
may be missing something. It is very helpful to do logging and it is
considered a best practice to log extensively when a firewall is first
set up, or when new rules are added, so that their effects can be seen.
Also, whenever a problem arises that requires troubleshooting, the
firewall log should usually be one of the first things activated. So
it's easy to see why such a capability should be mandated, but when the
firewall is known to be working properly and no network problems are
seen, turning off logging could go a long way toward saving your butt.
michael
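As an added illustration (not part of the original message and not ipfw's own code), the simulation below contrasts the two throttling behaviours discussed above under a constructed SYN flood: a per-rule hard cap that goes silent once N entries have been written until an explicit reset (the behaviour the message describes for FreeBSD ipfw, where the cap is set with the `net.inet.ip.fw.verbose_limit` sysctl or a rule's `logamount` option and cleared with `ipfw resetlog`), and a token-bucket rate limit that keeps writing a bounded sample of entries per second. The packet timeline, rates and limits are constructed values chosen for the example.

```python
"""
Simulate per-rule firewall log throttling under a flood of blocked packets.

Added example: not code from the original message or from ipfw.
HardLimitLogger mimics a per-rule log cap (stop after N, resume only on reset).
RateLimitLogger is a token-bucket alternative that keeps a bounded sample.
The SYN-flood timeline below is constructed, not captured traffic.
"""
from dataclasses import dataclass


@dataclass
class HardLimitLogger:
    """Per-rule cap: after `limit` entries the rule never logs again until reset()."""
    limit: int = 100
    logged: int = 0

    def should_log(self, now: float) -> bool:
        if self.logged >= self.limit:
            return False  # cap reached: silent until an operator resets the counter
        self.logged += 1
        return True

    def reset(self) -> None:
        """Equivalent of clearing the counter (e.g. `ipfw resetlog`)."""
        self.logged = 0


@dataclass
class RateLimitLogger:
    """Token bucket: at most `burst` entries at once, refilled at `rate_per_sec`."""
    rate_per_sec: float = 5.0
    burst: int = 10
    tokens: float = 10.0
    last: float = 0.0

    def should_log(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate_per_sec)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False  # dropped from the log, but the packet is still blocked


def syn_flood(pps: int, seconds: int):
    """Constructed timeline: `pps` blocked SYNs per second, evenly spaced."""
    for s in range(seconds):
        for i in range(pps):
            yield s + i / pps


def run(logger, packets):
    """Feed packet timestamps to a logger; return (packets_seen, log_lines_written)."""
    seen = written = 0
    for t in packets:
        seen += 1
        if logger.should_log(t):
            written += 1
    return seen, written


def compare(pps: int = 1000, seconds: int = 10) -> dict:
    """Run the same constructed flood through both strategies."""
    return {
        "hard": run(HardLimitLogger(limit=100), syn_flood(pps, seconds)),
        "rate": run(RateLimitLogger(), syn_flood(pps, seconds)),
    }


if __name__ == "__main__":
    for name, (seen, written) in compare().items():
        print(f"{name:5s}: {seen} blocked packets -> {written} log lines")
```

The hard cap bounds disk use perfectly but leaves the rule blind after the first hundred hits, so an attack that continues for hours leaves no later trace; the token bucket keeps writing a few lines per second, which still bounds disk and CPU cost while preserving a timeline of the event.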
Received on Thu May 19 12:06:23 2005