Firewall monitoring policies

Stephen W. Thompson thompson at
Tue Mar 5 17:30:57 GMT 2002


Some unpolished thoughts --

I find the situation to be very different depending on whether the two
networks were previously INTERCONNECTED with no restrictions and you
are now applying a security policy versus two networks that were NEVER
CONNECTED that now will be connect but guarded by the firewall.

The first option allows you greater leeway, I think.  It would seem a
sound approach to start with some level of in-house monitoring and log
reading to get a feel for volume, patterns, needs for security policy
modifications, try interim procedures, etc.  If it seems within your
workload, keep it.  If not, outsource it.

With the second option, there would be greater expectation, I would
guess, for no major mistakes to be made and no learning curve.  Then
you might benefit from hiring someone else, rather than needing to be
perfect right out of the gate.

Good luck!

En paz,

> 		I have 3 days to put together a proposal/policy for managing a
> firewall between our academic and 'corporate'  networks.
> The major issue I have to address is what level of monitoring should we
> have.  One of the senior managers has proposed that we contract a
> security firm to provide 7x24 hour monitoring of the firewall, at
> considerable expense.  I believe that this is overkill and that daily 
> checks of the logs would be adequate.
> As I see it the critical issues is how important is it to respond to
> quickly 'incidents' that might be detected by the firewall and how
> likely is it that real attacks will actually be detected.

Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236, WWW has PGP
thompson at    URL=
  For security matters, use security at, read by InfoSec staff
  The only safe choice: Write e-mail as if it's public.  Cuz it could be.

More information about the unisog mailing list