Unknown wrote:
>
> Correct me if I am wrong, please.
>
> This discussion is whether adding perl/c compilers to the firewall machine
> is an additional security risk in your architecture. Well, picture this: in
> your scenario somebody has just compromised the most hardened, best
> monitored host on your network, without you knowing about it. How hard do
> you think it would be for this individual, who has just hacked that
> ultra-secure machine, to reconfigure it, and upload binaries for what he
> needs. Let's take this into perspective. If somebody had sufficient skill
> to compromise a properly configured firewall machine, getting stuff like
> compilers and perl installed on it would be a joke. However, having perl on
> that machine, actively scanning log files, could have stopped the intruder
> dead in his tracks.
>
> Although I strongly believe in defence in depth, I don't believe that not
> having perl on a firewall is a sufficient additional security measure to
> warrant being called an extra layer. At this point, it is nothing but a
> VERY minor annoyance to the intruder, one he would be able to bypass quite
> easily. On the other hand, those perl programs parsing your log files could
> have alerted you of the break-in in the first place. You decide.

I don't see how this would provide any higher level of security than
having the logs sent to a separate internal machine. I do that log
file scanning on a different machine. All of the log information
generated by the firewall is sent to another machine in real time where
it is analyzed in both real time and batch modes. Sure the intruder
gets into the firewall, but the tracks that need to be erased are all on
another machine. Sure I keep log files on the firewall, but I don't
look at them except to see if what the logger machine has jibes with
the firewall or other machines in the network.
--
| Bryan Andersen | [EMAIL PROTECTED] | http://softail.visi.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| -Bryan Andersen |
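
Added example, not part of the original message: one way to run the cross-check described in the reply above, comparing the firewall's own log file against the copy held on the separate logger machine. The log lines, host name and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample data: syslog-style lines as received by the separate
# logger machine and as still present on the firewall itself.
LOGHOST_COPY = """\
Mar  3 02:14:07 fw1 kernel: DENY tcp 203.0.113.9:4411 -> 192.0.2.10:23
Mar  3 02:14:09 fw1 sshd[812]: Failed password for root from 203.0.113.9
Mar  3 02:14:15 fw1 sshd[812]: Accepted password for root from 203.0.113.9
Mar  3 02:15:40 fw1 kernel: DENY udp 198.51.100.4:53 -> 192.0.2.10:53
"""
FIREWALL_COPY = """\
Mar  3 02:14:07 fw1 kernel: DENY tcp 203.0.113.9:4411 -> 192.0.2.10:23
Mar  3 02:15:40 fw1 kernel: DENY udp 198.51.100.4:53 -> 192.0.2.10:53
Mar  3 02:16:02 fw1 kernel: DENY tcp 198.51.100.7:1029 -> 192.0.2.10:111
"""


def normalize(line):
    """Collapse runs of whitespace so padding differences do not count."""
    return " ".join(line.split())


def load(text):
    """Return a multiset of log lines; identical repeated lines are counted."""
    return Counter(normalize(l) for l in text.splitlines() if l.strip())


def reconcile(firewall_text, loghost_text):
    """Compare the two copies and report lines present on only one side.

    missing_on_firewall: the logger machine has them, the firewall does not
                         (local log edited or truncated after forwarding).
    missing_on_loghost:  the firewall has them, the logger machine does not
                         (forwarding stopped, was filtered, or lines dropped).
    """
    fw, lh = load(firewall_text), load(loghost_text)
    return {
        "missing_on_firewall": sorted((lh - fw).elements()),
        "missing_on_loghost": sorted((fw - lh).elements()),
    }


if __name__ == "__main__":
    for side, lines in reconcile(FIREWALL_COPY, LOGHOST_COPY).items():
        for line in lines:
            print(f"{side}: {line}")
```

Either list being non-empty means the two machines disagree and the firewall deserves a closer look.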