[unisog] Firewall monitoring policies

Patrick O'Callaghan poc at usb.ve
Tue Mar 5 12:51:58 GMT 2002

On Mon, 2002-03-04 at 23:59, Russell Fulton wrote:
> Greetings All,
> I have 3 days to put together a proposal/policy for managing a
> firewall between our academic and 'corporate' networks.
> The major issue I have to address is what level of monitoring should we
> have. One of the senior managers has proposed that we contract a
> security firm to provide 7x24 hour monitoring of the firewall, at
> considerable expense. I believe that this is overkill and that daily
> checks of the logs would be adequate.
> I also have serious doubts about how we are going to define an action
> policy for the monitors' use, i.e. a list of scenarios and actions to be
> taken by the monitoring firm (this is the basis of the monitoring
> contract), particularly in view of the fact that this is an academic
> network with all sorts of unpredictable stuff floating around.
> Unfortunately this has been sprung on me at the very last moment before
> the firewall is due to go into service, hence the tight deadline.
> As I see it the critical issue is how important it is to respond
> quickly to 'incidents' that might be detected by the firewall and how
> likely it is that real attacks will actually be detected.
> If anyone has any policies that they can let me have, or pearls of
> wisdom, or even wild ideas, I would be extremely grateful to have them.

We have firewalls (home-grown) between the admin systems and the rest
of the network, and we get by just by keeping tabs on the logs. We
haven't had any trouble so far but a lot will depend on the general
level of hostility in your environment.

Your solution will also vary depending on what the main purpose
of the firewall is: is it to enable the bureaucrats on the corporate
network to surf the Web like normal people, or is it to allow
outlying workers and road warriors to get to the admin systems?

In the former case, it might be enough just to filter everything
except HTTP and the mail protocols (not foolproof but a firewall
isn't going to stop a virus in any case).

In the latter scenario you'll want to be putting in a VPN so the
firewall is simply part of "defense in depth".

And of course you need to evaluate your risk. What's the worst that
can happen and how much would it cost to fix?

Sorry for the handwaving but so much depends on what exactly
you want to do.
Prof. Patrick O'Callaghan <poc at usb.ve> <http://www.ldc.usb.ve/~poc>
Director de Servicios Telemáticos (Director of Telematics Services)
Universidad Simón Bolívar, Caracas, Venezuela             | "Errare
Tel: +58 (212) 906-3200, 3201; FAX: +58 (212) 906-3202    | uHmanum
NIC handle: PO22-ARIN        (Postal address on request)  |   Est"
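What "keeping tabs on the logs" once a day amounts to in practice is a digest that separates background noise from the few sources worth a human's attention. The script below is an added example, not from the original post or from either university's setup; the log format is an assumption (syslog lines from a packet filter that logs ACCEPT/DROP with SRC/DST/DPT fields) and the sample lines are constructed.

```python
"""Daily firewall log digest: counts dropped connections and flags sources
that probed several hosts, the events a daily review should look at first."""
import re
from collections import Counter

# Constructed sample log in an iptables-style syslog format (assumption: a
# real firewall's format will differ; adjust LINE_RE to match it).
SAMPLE_LOG = """\
Mar  4 23:10:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=1433
Mar  4 23:10:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.11 PROTO=TCP DPT=1433
Mar  4 23:10:03 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.12 PROTO=TCP DPT=1433
Mar  4 23:12:40 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80
Mar  4 23:15:09 fw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=22
Mar  4 23:30:11 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP DPT=25
Mar  4 23:31:11 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.13 PROTO=TCP DPT=1433
"""

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")


def parse(log_text):
    """Return one dict per recognised log line; unparseable lines are skipped."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := LINE_RE.search(line))]


def digest(events, scan_threshold=3):
    """Summarise drops and flag sources that hit >= scan_threshold distinct hosts."""
    drops = [e for e in events if e["action"] == "DROP"]
    by_src = Counter(e["src"] for e in drops)
    by_port = Counter(e["dpt"] for e in drops)
    # One source dropped against several destinations looks like a sweep;
    # a single stray drop is the sort of noise an academic network produces.
    targets = {}
    for e in drops:
        targets.setdefault(e["src"], set()).add(e["dst"])
    flagged = sorted(s for s, d in targets.items() if len(d) >= scan_threshold)
    return {"total": len(events), "dropped": len(drops),
            "top_sources": by_src.most_common(3),
            "top_ports": by_port.most_common(3),
            "flagged_sources": flagged}


if __name__ == "__main__":
    for key, value in digest(parse(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it from cron against the previous day's log; if the "flagged_sources" line is empty, the daily check is a thirty-second glance, which is the point of the argument against round-the-clock monitoring.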
