> surely it's safer for the internal servers to trust the firewall (i.e. <snip>
> So, I'd say that RB is wrong and GK is right!

You guys' going ape over setting up pre-emptive regional block-lists shows rather clearly what the competition is; knowing that, I'm rather indifferent to what you think is right.

You are correct; the application servers receiving the attacks and providing external services should never reach out and touch the firewall. However, if you carefully read what I posted, you'll notice I stated a 'trusted host'. Ideally, that means a configuration management server (separate from the log collection server) that trawls the application logs, makes the appropriate decisions, logs them, then issues the necessary commands to the firewall. If you must, you could play budget constraints and combine the log server and configuration management server, but that's about as much consolidation as appropriate separation would allow.

All that said, it just sounds like re-inventing SnortSam; maybe you guys should look into it before chasing the bounty road too far. Packaging existing software will always be cheaper than reinventing the wheel with a new script.
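
The flow described in the message above (a trusted host reads the application logs, makes the decision, logs it, then issues the firewall command), as an added example that is not part of the original post and is not SnortSam's code. The log format, threshold, window, allowlist and the iptables argv are assumptions; log fields are parsed strictly because an attacker controls what ends up in them.

```python
import ipaddress
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample application log lines (documentation address ranges).
SAMPLE_LOG = """\
2024-05-01T10:00:00 src=203.0.113.7 event=login_failed
2024-05-01T10:00:05 src=203.0.113.7 event=login_failed
2024-05-01T10:00:09 src=203.0.113.7 event=login_failed
2024-05-01T10:00:10 src=198.51.100.4 event=login_failed
2024-05-01T10:00:11 src=192.0.2.10 event=login_failed
2024-05-01T10:00:12 src=192.0.2.10 event=login_failed
2024-05-01T10:00:13 src=192.0.2.10 event=login_failed
2024-05-01T10:00:14 src=1.2.3.4;reboot event=login_failed
2024-05-01T10:20:00 src=198.51.100.4 event=login_failed
""".splitlines()

LINE = re.compile(r"^(\S+) src=(\S+) event=login_failed$")
ALLOW = [ipaddress.ip_network("192.0.2.0/24")]  # assumed: own/management ranges

def decide(lines, threshold=3, window=timedelta(minutes=5), allow=ALLOW):
    """Return (audit_records, firewall_argvs) for sources over the threshold."""
    seen, handled, audit, commands = defaultdict(list), set(), [], []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        try:  # strict parsing: raw log text is never spliced into a command
            ts, ip = datetime.fromisoformat(m.group(1)), ipaddress.ip_address(m.group(2))
        except ValueError:
            audit.append({"action": "reject_line", "raw": line})
            continue
        hits = seen[ip] = [t for t in seen[ip] if ts - t <= window] + [ts]
        if len(hits) < threshold or ip in handled:
            continue
        handled.add(ip)  # one decision per source, however long it keeps going
        if any(ip in net for net in allow):
            audit.append({"action": "skip_allowlisted", "src": str(ip)})
            continue
        audit.append({"action": "block", "src": str(ip), "hits": len(hits), "at": ts.isoformat()})
        # Assumed firewall interface: an iptables argv list, run without a shell.
        commands.append(["iptables", "-I", "INPUT", "-s", str(ip), "-j", "DROP"])
    return audit, commands

if __name__ == "__main__":
    audit, commands = decide(SAMPLE_LOG)
    print(json.dumps({"audit": audit, "commands": commands}, indent=2))
```

The function only returns the audit records and argv lists; writing the audit trail and handing the commands to the firewall stay with the trusted host, so the application servers never hold firewall credentials.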
