Have you thought about just blocking all outbound port 25 connections
except for your authorized MX and mail servers? We did that at my
company about a year back and eliminated the problem of infected machines
flooding spam out from our network.
David.
____________________________________________________
David A. Swafford, Network Engineer
Information Technology Team
Archbishop Alter High School
EC-Council Certified Ethical Hacker
A Cisco Systems, Inc., Certified Network Associate (CCNA)
and a CompTIA Network+ and Security+ Certified Professional
>>> james.burns@sunderland.ac.uk 11/8/2006 5:50 am >>>
Hi,

I have a quick question regarding logging on a Pix 535.

We're currently getting a lot of CERT notifications for spammers
operating within our network - mainly just students with 0wned machines,
but we're looking into ways to automate the procedure slightly.

Anyway, what I'm looking to do, and what I need help with.... I want to
know if it's possible to log all outbound port 25 connection attempts,
EXCEPT those that come from our authorised MX's and mail servers. AND I
would like to be able to do this in addition to the normal logging that
takes place.

So, is it possible?

Any thoughts and guidance you can provide are very much appreciated.

Cheers,
James
--
James Burns
Network Advisor - Student & Learning Support
University of Sunderland
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
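
Added example, not part of either message above: once outbound port 25 is denied for everything except the authorised mail servers, the firewall's deny records already identify the machines trying to send mail directly. This sketch tallies those sources from PIX syslog message 106023; the server addresses, the ACL name "inside_out" and the log lines are constructed assumptions.

```python
import re
from collections import Counter

# Assumption: addresses of the authorised MX and mail servers (constructed).
AUTHORISED = {"10.0.0.25", "10.0.0.26"}

# PIX syslog message 106023: packet denied by an ACL bound with access-group.
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny tcp src [^:\s]+:(?P<src>[\d.]+)/\d+ "
    r"dst [^:\s]+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample log lines; the ACL name "inside_out" is an assumption.
SAMPLE_LOG = """\
Nov 08 2006 05:41:02: %PIX-4-106023: Deny tcp src inside:10.20.3.14/1042 dst outside:198.51.100.7/25 by access-group "inside_out"
Nov 08 2006 05:41:03: %PIX-4-106023: Deny tcp src inside:10.20.3.14/1043 dst outside:203.0.113.40/25 by access-group "inside_out"
Nov 08 2006 05:41:05: %PIX-6-302013: Built outbound TCP connection 4012 for outside:198.51.100.9/25 (198.51.100.9/25) to inside:10.0.0.25/3312 (192.0.2.25/3312)
Nov 08 2006 05:41:09: %PIX-4-106023: Deny tcp src inside:10.20.7.99/2210 dst outside:192.0.2.80/445 by access-group "inside_out"
Nov 08 2006 05:41:11: %PIX-4-106023: Deny tcp src inside:10.20.7.99/2211 dst outside:198.51.100.7/25 by access-group "inside_out"
Nov 08 2006 05:41:12: %PIX-4-106023: Deny tcp src inside:10.20.3.14/1044 dst outside:198.51.100.12/25 by access-group "inside_out"
Nov 08 2006 05:41:15: %PIX-4-106023: Deny tcp src inside:10.0.0.26/3400 dst outside:198.51.100.7/25 by access-group "inside_out"
"""


def smtp_offenders(lines, authorised=AUTHORISED, smtp_port=25):
    """Return [(source_ip, denied_attempts)] for outbound SMTP, busiest first."""
    counts = Counter()
    for line in lines:
        m = DENY_RE.search(line)
        if m is None or int(m["dport"]) != smtp_port:
            continue  # not a deny record, or not SMTP
        if m["src"] in authorised:
            continue  # authorised relays are never reported
        counts[m["src"]] += 1
    return counts.most_common()


if __name__ == "__main__":
    for ip, hits in smtp_offenders(SAMPLE_LOG.splitlines()):
        print(f"{ip}\t{hits}")
```
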