[unisog] registering servers

Kim Cary Kim.Cary at pepperdine.edu
Fri Jul 28 14:34:57 GMT 2006


We used some NetFlow with nfacctd/pmacctd (nice open source tools) to
get our initial setup (along with a nice list from our Mgr of Server
Engineering). You can use a netflow setup or Argus to get an initial
idea of who is talking to whom.

However, our tuning setup was this:

1. Put the FW in place with 'permit all log at notice level' rule
just ahead of the 'deny all log at debug' level rule.
2. Set your syslog server to put records from the notify level from
the fw in a separate log.
3. Start adding your ACLs as permit log at debug.

Anything that shows up in the notify level log is traffic you won't be
allowing when you pull the 'permit all' rule.

Keep adding ACLs until you're happy with what you see in the 'notice'  

I hope to have a paper out on this method by end of August, drop me a
note if interested.

Kim Cary, Ed. D.
Infrastructure Security Administrator
M-F 7-4 ~ 310 506 6655

On Jul 27, 2006, at 7:13 PM, unisog-request at lists.dshield.org wrote:

> Message: 2
> Date: Fri, 28 Jul 2006 08:37:31 +1000
> From: "Tim Eden (te)" <te at unsw.edu.au>
> Subject: Re: [unisog] registering servers
> To: UNIversity Security Operations Group <unisog at lists.dshield.org>
> Message-ID: <44C9402B.5050309 at unsw.edu.au>
> Content-Type: text/plain; charset="iso-8859-1"
> To those people that have a default deny policy and spent time
> beforehand monitoring traffic and deciding which servers to allow
> through initially - what sort of tools/methodology did you use to  
> do this?
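The tuning loop in steps 1-3 above, as an added example that is not from the original post or its author: a small Python script that reads the 'notice'-level log, counts which services are still hitting the catch-all permit rule, and drafts the explicit ACLs to add. The syslog record format, rule names and sample records are assumptions constructed for the example; real firewalls log differently, so the regex needs adjusting.

```python
"""Triage of firewall syslog during the 'permit all, log at notice' phase.
Example code added here, not from the original post.  The record format
('[level] RULE PROTO src:port -> dst:port') is an assumption."""
import re
from collections import Counter

# Constructed sample records: 'notice' = hit on the catch-all permit (no
# explicit ACL yet); 'debug' = explicit permit ACL or the final deny.
SAMPLE_LOG = """\
Jul 28 14:01:02 fw1 acl: [notice] PERMIT-ALL TCP 10.1.2.3:51234 -> 10.1.5.20:443
Jul 28 14:01:03 fw1 acl: [debug] PERMIT-WEB TCP 10.1.2.9:50000 -> 10.1.5.20:80
Jul 28 14:01:05 fw1 acl: [notice] PERMIT-ALL UDP 10.1.2.3:5353 -> 10.1.5.53:53
Jul 28 14:01:06 fw1 acl: [notice] PERMIT-ALL TCP 10.1.2.7:40001 -> 10.1.5.20:443
Jul 28 14:01:07 fw1 acl: [debug] DENY-ALL TCP 192.0.2.4:4000 -> 10.1.5.20:22
"""

RECORD = re.compile(
    r"\[(?P<level>\w+)\]\s+(?P<rule>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse(log_text):
    """Yield one dict per parsable record; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = RECORD.search(line)
        if m:
            yield m.groupdict()


def uncovered_services(log_text, level="notice"):
    """Count flows still hitting the catch-all permit, keyed by service.
    Each (proto, dst, dport) key either gets an explicit ACL or will be
    dropped once the 'permit all' rule is pulled."""
    counts = Counter()
    for rec in parse(log_text):
        if rec["level"] == level:
            counts[(rec["proto"], rec["dst"], int(rec["dport"]))] += 1
    return counts


def acl_candidates(log_text):
    """Vendor-neutral 'permit ... log debug' lines, most-seen service first.
    Review each one: the log shows that traffic happened, not that it belongs."""
    ranked = sorted(uncovered_services(log_text).items(),
                    key=lambda kv: (-kv[1], kv[0]))
    return [f"permit {p.lower()} any host {d} eq {port} log debug  # seen {n}x"
            for (p, d, port), n in ranked]


if __name__ == "__main__":
    for line in acl_candidates(SAMPLE_LOG):
        print(line)
```

Run it against the separate notice-level log from step 2; whatever the script still lists after your ACLs are in place is what the final deny will drop.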
