Developing Logging and Notification Policies
User Guide
201
and denied packets, and not logging allowed packets. Allowed packets should not be indicative of a security threat. Furthermore, allowed traffic usually far exceeds the volume of denied traffic and would slow response times as well as cause the log file to grow and turn over too quickly.
WatchGuard provides the option to log allowed events primarily for diagnostic purposes when setting up or troubleshooting an installation. Or, you might have a situation such as a very specialized service that uses an obscure, very high port number, and the service is intended for use only by a small number of people in an organization. In that case you might want to log all traffic for that service so you can monitor or review that service activity.
Not all denied events need to be logged. For example, if incoming FTP denies all incoming traffic from any source outside to any destination inside, there is little point in logging incoming denied packets. All traffic for that service in that direction is blocked.
Notification policy
The most important events that should trigger notification are IP options, port space probes, address space probes, and spoofing attacks. These are configurable in the Default Packet Handling dialog box, described in “Default Packet Handling” on page 178.
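As an added illustration (not from the WatchGuard guide, and not the Firebox's own log format or notification mechanism), the two policies above can be expressed as a small triage pass over log lines: allowed packets are skipped, and a source is flagged for notification when its denied traffic hits many ports on one host (a port space probe) or one port across many hosts (an address space probe). The line format, field names, thresholds and sample addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed, simplified log line format (an assumption, not the Firebox's own):
#   "<allow|deny> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<action>allow|deny) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Thresholds are assumptions for the sample data; tune them to the site.
PORT_PROBE_THRESHOLD = 5     # distinct destination ports on one host from one source
ADDRESS_PROBE_THRESHOLD = 4  # distinct destination hosts on one port from one source

def classify_probes(lines):
    """Map source IP -> set of probe kinds seen in its *denied* traffic."""
    ports_by_src_dst = defaultdict(set)   # (src, dst)   -> {dport}
    hosts_by_src_port = defaultdict(set)  # (src, dport) -> {dst}
    for line in lines:
        m = LINE_RE.match(line.strip())
        # Skip unparseable lines and, per the logging policy, all allowed packets.
        if m is None or m["action"] != "deny":
            continue
        ports_by_src_dst[(m["src"], m["dst"])].add(m["dport"])
        hosts_by_src_port[(m["src"], m["dport"])].add(m["dst"])
    flagged = defaultdict(set)
    for (src, _dst), ports in ports_by_src_dst.items():
        if len(ports) >= PORT_PROBE_THRESHOLD:
            flagged[src].add("port space probe")
    for (src, _dport), hosts in hosts_by_src_port.items():
        if len(hosts) >= ADDRESS_PROBE_THRESHOLD:
            flagged[src].add("address space probe")
    return dict(flagged)

# Constructed sample log: a port sweep, an address sweep, and allowed traffic
# to many ports that must not raise a notification.
SAMPLE_LOG = (
    [f"deny proto=tcp src=203.0.113.5:4000{i} dst=192.0.2.10:{p}"
     for i, p in enumerate((21, 22, 23, 25, 80))]
    + [f"deny proto=tcp src=198.51.100.7:5000{i} dst=192.0.2.{i}:445"
       for i in range(1, 5)]
    + [f"allow proto=tcp src=203.0.113.9:6000{i} dst=192.0.2.20:{p}"
       for i, p in enumerate((21, 22, 23, 25, 80, 443))]
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    for src, kinds in sorted(classify_probes(SAMPLE_LOG).items()):
        print(f"notify: {src} -> {', '.join(sorted(kinds))}")
```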
Other notifications depend on your Firebox configuration and how much time is available for interacting with it. For example, if you set up a simple configuration that enables only a few services and denies most or all incoming traffic, only a few circumstances warrant notification. On the other hand, if you have a large configuration with many services; with many allowed hosts or networks for incoming traffic; popular protocols to specific, obscure ports; and several filtered services of your own design; you will need to set up a large, complex notification scheme. This type of configuration is more vulnerable to attack. Not only are