Are There Risks in Sharing Firewall Logs?
FireballDWF asks: "What are the risks in sharing my personal firewall logs with others? I ask as helping to detect and stop attacks at their source by becoming an agent for MyNetWatchman sounds easy and appealing, but I am concerned about the possible risks." The MyNetWatchman service is designed to take a pro-active approach to network security. A network agent sits on a user's firewall and forwards log entries to a central server that analyzes the data and warns the user if suspicious activity occurs. Sounds like a good plan, but what dangers (if any) will the users of this service be exposing themselves to by providing such access to their machines, even if they are just log files?
Not positive why, BUT... (Score:1)
Spending time on the firewalls list [gnac.net], they almost never keep their original IPs in the log snippets they post... From what I can gather it is because a lot of them do internal routing, and don't want others to know their subnet ranges etc.
Merely postulating,
-Tammie
Justifications (Score:1)
There is some security in obscurity. (Score:2, Interesting)
I think the best security involves both encryption, AND obscurity. Stands to reason really.
Re:There is some security in obscurity. (Score:1)
I read it as meaning they're forwarding the logs to another server on the "internal" network, not the dirty network (i.e. internet etc). If you can't trust your internal network, what exactly can you trust?
Re:There is some security in obscurity. (Score:1)
As you can see from the MyNetWatchman [mynetwatchman.com] page, this information is explicitly shown as being sent across the internet.
Regardless of that, MyNetWatchman makes this information public - with some attempt at obscuring sensitive info.
See the FAQ [mynetwatchman.com].
Not the most clueful company on the planet... (Score:4, Insightful)
Re:Not the most clueful company on the planet... (Score:2, Insightful)
I might be just overly sure of myself here, but I've never felt the need to run any sort of firewall on my boxen, whether they run Doze or Nix. I don't recall ever having network-related trouble either. bahhh
Re:Not the most clueful company on the planet... (Score:1)
Re:Not the most clueful company on the planet... (Score:2)
The problem I have with the statement is that it's stupid. It's true, but it's irrelevant to the issue at hand. Your actual vulnerability is proportional to the number of listening ports on your machine, but that number bears no direct relationship to the size of the portnumber-field.
125.000 numbers. (Score:1)
On the other side they are missing all ICMP messages. (How many possibilities, 2^16 again?)
DOS attacks can use ICMP messages as well. It would be nice to detect them as well. If you have a lot of ICMP messages outgoing, this should trigger a good log filter.
Or does your firewall already filter ALL ICMP messages?
Re:125.000 numbers. (Score:1)
You say a connection is not an attack; what would you call it if you get hundreds of UDP packets to port 1245 on your dialup line (and you have nothing running on port 1245)? Not interesting. (I am not interesting at all.) But for the next Win95 luser this might be a real problem.
(And yes, lots of stray packets might cause me to die in a hardcore Diablo game!)
But for the correctness of language you are correct. Also you can call the WTC "attack" an interrupted flight. That makes it sound much less interesting. 8-)
Re:Not the most clueful company on the planet... (Score:1)
I had completely rewritten all of the reports that this page uses; however, I completely forgot to update this page to the new versions.
They should all work now.
http://www.mynetwatchman.com/vision.htm
Information is power (Score:5, Informative)
The long answer is NO. Information on your private network numbers should be on a need-to-know basis.
By posting your IP addresses to a public database (or a central service you don't control), an attacker could use this information against you, by checking the results of their scans against what you log.
Note that this is NOT obscurity. (Contrary to what a previous poster says.)
There is nothing wrong with sending filtered log reports (remove the IP addresses, and TCP info, like sequence numbers, if your software logs them) to a central DB.
Re:Information is power (Score:1)
I think there is no harm (Score:1)
That way, they can still do analysis, hacker at IP x.y.z.w is attacking [someone] at port P, but they don't get any detailed info about your setup.
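A filter in the spirit of the two posts above (strip your own addresses and the TCP sequence numbers, keep the attacker's address, protocol and target port so the central service can still correlate scans), as an added example that is not part of any post on this page and is not MyNetWatchman's agent. It assumes the iptables/netfilter kernel log format ("SRC=... DST=... PROTO=... DPT=..."); LOCAL_NETS, the sample log lines and every address in them are constructed for illustration. It also keeps ICMP type and code, since the ICMP post above notes those messages are worth logging, and refuses to emit a batch if any local address survives the filter.

```python
"""Sanitize netfilter firewall log lines before sharing them with a
third-party analysis service.  Example code added here; not the agent
of any real service.  Log lines and address ranges are constructed."""

import ipaddress
import re

# Address ranges that must never leave the site: RFC 1918 space plus the
# site's own public range (TEST-NET-3 stands in for it here; constructed).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24",
)]

# Fields a central analyser needs besides the remote address.  Everything
# else (DST, MAC, ID, SEQ, ACK, WINDOW, ...) is dropped by omission.
KEEP = ("PROTO", "DPT", "TYPE", "CODE")

TS_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed sample lines (hostname "fw", remote addresses from TEST-NET-2).
SAMPLE_LINES = [
    "Mar 10 12:00:01 fw kernel: IN=ppp0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=198.51.100.7 DST=203.0.113.12 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1234 DF "
    "PROTO=TCP SPT=3412 DPT=1245 SEQ=123456 ACK=0 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Mar 10 12:00:02 fw kernel: IN=ppp0 OUT= SRC=198.51.100.9 DST=203.0.113.12 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1",
    # Outbound DNS query: source is our own host, so it must not be shared.
    "Mar 10 12:00:03 fw kernel: IN=eth0 OUT=ppp0 SRC=192.168.1.5 DST=198.51.100.7 "
    "LEN=60 PROTO=UDP SPT=1025 DPT=53",
]


def is_local(addr):
    """True if addr is an IP address inside one of LOCAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)


def sanitize_line(line):
    """Reduce one log line to timestamp, remote address and the KEEP fields.

    Returns e.g. "Mar 10 12:00:01 SRC=198.51.100.7 PROTO=TCP DPT=1245", or
    None when the line should not be shared at all: unparseable, no
    protocol, or the source is a local address (outbound/internal traffic,
    which would reveal the internal layout)."""
    ts = TS_RE.match(line)
    fields = dict(FIELD_RE.findall(line))
    src = fields.get("SRC")
    if not ts or not src or is_local(src) or "PROTO" not in fields:
        return None
    out = [ts.group(1), f"SRC={src}"]
    out += [f"{k}={fields[k]}" for k in KEEP if k in fields]
    return " ".join(out)


def leaks_local(text):
    """Final check before transmission: list any local IPv4 left in text."""
    return [m for m in IPV4_RE.findall(text) if is_local(m)]


def sanitize_log(lines):
    """Sanitize a batch; refuse to return anything that still leaks."""
    cleaned = [s for s in (sanitize_line(ln) for ln in lines) if s]
    leaked = leaks_local("\n".join(cleaned))
    if leaked:
        raise ValueError(f"refusing to share, local addresses present: {leaked}")
    return cleaned


if __name__ == "__main__":
    for entry in sanitize_log(SAMPLE_LINES):
        print(entry)
```

Run as a script it prints the two inbound events with only timestamp, SRC, PROTO and DPT (or ICMP TYPE/CODE) and silently drops the outbound line. The allow-list of kept fields is the important design choice: anything the log format adds later (new fields, sequence numbers switched on with --log-tcp-sequence) is dropped by default rather than shared by accident, and leaks_local is the last-line check before the batch goes over the wire.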
myNetWatchman (Score:1)
I am very interested to hear your comments and concerns. I would like to hear any suggestions to ease your fears about submitting data to our site.
Using submitted data we have been able to identify new trends in attack data, and therefore find new worms etc. We actually discovered the W32.Leave.Worm.
I can definitely understand your fears about submitting log data, however. Perhaps with your suggestions, we could modify the system to make it more appealing.
Drop me an e-mail at:
psychospy@fatelabs.com
with any suggestions or comments.
Yours truly,
Nathan Einwechter
(PsychoSpy)
Re:myNetWatchman (Score:1)
Re:myNetWatchman (Score:1)
My thoughts (Score:2)
Re:My thoughts (Score:1)
Re:My thoughts (Score:2)
Re:Alternative Recommendation (Score:1)