Firewall monitoring policies
R.FULTON at auckland.ac.nz
Tue Mar 5 03:59:56 GMT 2002
I have 3 days to put together a proposal/policy for managing a
firewall between our academic and 'corporate' networks.
The major issue I have to address is what level of monitoring should we
have. One of the senior managers has proposed that we contract a
security firm to provide 7x24 hour monitoring of the firewall, at
considerable expense. I believe that this is overkill and that daily
checks of the logs would be adequate.
I also have serious doubts about how we are going to define an action
policy for the monitors' use, i.e. a list of scenarios and actions to be
taken by the monitoring firm (this is the basis of the monitoring
contract), particularly in view of the fact that this is an academic
network with all sorts of unpredictable stuff floating around.
Unfortunately this has been sprung on me at the very last moment before
the firewall is due to go into service, hence the tight deadline.
As I see it the critical issues are how important it is to respond
quickly to 'incidents' that might be detected by the firewall and how
likely it is that real attacks will actually be detected.
If anyone has any policies that they can let me have or pearls of
wisdom, or even wild ideas, I would be extremely grateful to have them.
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
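One way to make a "daily check of the logs" concrete, as an added example that is not part of the original post or of any University of Auckland policy: a script that parses one day's firewall deny lines, groups them by source, and sorts each source into a scenario class with the response a monitoring policy would attach to it. The syslog-style log format, the sample lines, the address ranges, the thresholds and the scenario/action pairs are all assumptions constructed for the example; the point is that the scenario list the monitoring contract needs can be written as testable rules rather than prose.

```python
"""Daily firewall log triage (example code added to this thread).

Parses constructed deny lines, groups them per source address, and maps
each source to a scenario class plus the action a monitoring policy
would prescribe.  Log format, address ranges, thresholds and the
scenario/action table are assumptions, not anyone's real policy.
"""
import re
from collections import defaultdict

# Assumed syslog-style deny line; adjust the regex to the real firewall's format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ fw: DENY "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample of one day's denies (documentation address ranges).
SAMPLE_LOG = """\
Mar  5 01:02:11 fw1 fw: DENY TCP 203.0.113.7:41000 -> 192.0.2.10:22
Mar  5 01:02:12 fw1 fw: DENY TCP 203.0.113.7:41001 -> 192.0.2.10:23
Mar  5 01:02:13 fw1 fw: DENY TCP 203.0.113.7:41002 -> 192.0.2.10:25
Mar  5 01:02:14 fw1 fw: DENY TCP 203.0.113.7:41003 -> 192.0.2.10:80
Mar  5 01:02:15 fw1 fw: DENY TCP 203.0.113.7:41004 -> 192.0.2.10:443
Mar  5 01:02:16 fw1 fw: DENY TCP 203.0.113.7:41005 -> 192.0.2.10:8080
Mar  5 09:15:00 fw1 fw: DENY UDP 10.20.30.40:5353 -> 192.0.2.20:5353
Mar  5 09:15:30 fw1 fw: DENY UDP 10.20.30.40:5353 -> 192.0.2.20:5353
Mar  5 13:44:02 fw1 fw: DENY TCP 198.51.100.9:51234 -> 192.0.2.30:445
Mar  5 13:44:02 fw1 fw: DENY TCP 198.51.100.9:51235 -> 192.0.2.31:445
Mar  5 13:44:03 fw1 fw: DENY TCP 198.51.100.9:51236 -> 192.0.2.32:445
Mar  5 13:44:03 fw1 fw: DENY TCP 198.51.100.9:51237 -> 192.0.2.33:445
"""

ACADEMIC_NETS = ("10.",)     # assumed: the academic side lives in 10/8
PORT_SWEEP_THRESHOLD = 5     # distinct destination ports from one source
HOST_SWEEP_THRESHOLD = 4     # distinct destination hosts on one port


def parse(log_text):
    """Return one dict per recognised deny line; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["dport"] = int(event["dport"])
            events.append(event)
    return events


def classify(events):
    """Map each source address to (scenario, action).

    The scenario names and actions are illustrative: they are the kind of
    entries a monitoring contract would enumerate, expressed as rules so
    a daily reviewer (or a monitoring firm) applies them consistently.
    """
    ports_by_src = defaultdict(set)                       # src -> {dport}
    hosts_by_src = defaultdict(lambda: defaultdict(set))  # src -> dport -> {dst}
    for e in events:
        ports_by_src[e["src"]].add(e["dport"])
        hosts_by_src[e["src"]][e["dport"]].add(e["dst"])

    findings = {}
    for src in ports_by_src:
        internal = src.startswith(ACADEMIC_NETS)
        if len(ports_by_src[src]) >= PORT_SWEEP_THRESHOLD:
            findings[src] = ("port sweep of one host",
                             "review within the day; block at border if repeated")
        elif any(len(h) >= HOST_SWEEP_THRESHOLD for h in hosts_by_src[src].values()):
            findings[src] = ("one service probed across many hosts",
                             "raise ticket same day; confirm nothing exposes that service")
        elif internal:
            findings[src] = ("academic-side noise against corporate net",
                             "log only; tune the rule if it recurs")
        else:
            findings[src] = ("isolated external deny", "no action")
    return findings


def daily_report(log_text):
    """Return report lines, most actionable scenarios first."""
    findings = classify(parse(log_text))
    order = {"port sweep of one host": 0,
             "one service probed across many hosts": 0,
             "academic-side noise against corporate net": 1,
             "isolated external deny": 2}
    return [f"{src}: {scenario} -> {action}"
            for src, (scenario, action) in
            sorted(findings.items(), key=lambda kv: order[kv[1][0]])]


if __name__ == "__main__":
    print("\n".join(daily_report(SAMPLE_LOG)))
```

Run as-is it prints three findings from the constructed sample: the external port sweep and the SMB host sweep ranked first, the internal mDNS noise last. The useful property for a policy document is that the scenario table in `classify` is the contract: each branch is a scenario the reviewer must recognise and the action they must take, which is exactly what has to be agreed before anyone, in-house or contracted, can monitor the firewall meaningfully.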