Slashdot Mirror


Are There Risks in Sharing Firewall Logs?

FireballDWF asks: "What are the risks in sharing my personal firewall logs with others? I ask because helping to detect and stop attacks at their source by becoming an agent for MyNetWatchman sounds easy and appealing, but I am concerned about the possible risks." The MyNetWatchman service is designed to take a proactive approach to network security. A network agent sits on a user's firewall and forwards log entries to a central server that analyzes the data and warns the user if suspicious activity occurs. Sounds like a good plan, but what dangers (if any) will the users of this service be exposing themselves to by providing such access to their machines, even if it is just log files?

7 of 26 comments

  1. There is some security in obscurity. by Anton+Anatopopov · · Score: 2, Interesting
    For sure, it is better to have end-to-end strong encryption, but for some of us, that is impractical. I would be reluctant to share my logs with anyone, since it amounts to a 'customer list' of my organization.

    I think the best security involves both encryption, AND obscurity. Stands to reason really.

  2. Not the most clueful company on the planet... by Eivind · · Score: 4, Insightful
    • Visions says, among other things: With TCP and UDP alone there are over 125,000 possible ports that attackers could target. Uhm, yeah. Port numbers are 16 bit. So there's 65536 possible ports, times 2 if you count TCP and UDP. I'm not so sure why this is relevant to anything though.
    • Their link to closed incidents gives a: Microsoft OLE DB Provider for ODBC Drivers (0x80040E31) [Microsoft][ODBC SQL Server Driver Not very comforting.
    • Their domain name is really really dumb. :)
    • They claim 1200 active agents, and 87K reported incidents the last 24 hours. This is a really high level, and thus means the agent has to report back home every little detail that happens.
    On the flipside, they do have a privacy-policy clearly visible on their homepages, and they do support agents under many different OSes. So who knows, maybe they're actually clueful and just manage to come off as clueless.
    1. Re:Not the most clueful company on the planet... by billcopc · · Score: 2, Insightful

      Obviously you have to dumb it down if you want the masses to jump in. They won't score thousands of users if they tell the truth: "True, there are 65536 ports, but at most you might have a dozen of them open. Of that dozen, there still isn't much an attacker could do. You might as well spend your time downloading more pr0n."

      I might be just overly sure of myself here, but I've never felt the need to run any sort of firewall on my boxen, whether they run Doze or Nix. I don't recall ever having network-related trouble either. bahhh

      --
      -Billco, Fnarg.com
    2. Re:Not the most clueful company on the planet... by Eivind · · Score: 2
      I have no problem with 2^17 being rounded to 125K at all. The problem is that this number is utterly irrelevant to security. Do you really think the internet would be more secure if port numbers were 12-bit? Or that our current security problems would seem tiny if the port numbers were 32-bit?

      The problem I have with the statement is that it's stupid. It's true, but it's irrelevant to the issue at hand. Your actual vulnerability is proportional to the number of listening ports on your machine, but that number bears no direct relationship to the size of the port-number field.

  3. Information is power by schon · · Score: 5, Informative

    If the question is "Should I send my logs unfiltered to a separate entity?" then the short answer is NO.

    The long answer is NO. Information on your private network numbers should be on a need-to-know basis.

    By posting your IP addresses to a public database (or a central service you don't control), an attacker could use this information against you, by checking the results of their scans against what you log.

    Note that this is NOT obscurity. (Contrary to what a previous poster says.)

    There is nothing wrong with sending filtered log reports (remove the IP addresses, and TCP info, like sequence numbers, if your software logs them) to a central DB.
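
One way to do the filtering schon describes, as an added example that is not part of this thread and not MyNetWatchman's agent code: a small sanitizer for netfilter-style (iptables LOG) lines that strips the local host name, TCP sequence/ack numbers, IP ID, MAC and window fields, and redacts addresses before anything is forwarded. By default it redacts every IP address, as the comment suggests; a `keep_remote` option (my addition, not something the thread proposes) leaves the non-private source address in place for services that need it to trace a probe back. The log lines, the `SAMPLE_LOG` name, the private-range list and the `leaks_local_info` check are all constructed for this example; addresses are from documentation ranges.

```python
import ipaddress
import re

# Constructed sample: three netfilter-style log lines as a Linux host firewall
# might write them (SEQ/ACK appear only if --log-tcp-sequence is enabled).
# Nothing here is a real event; addresses are documentation/private ranges.
SAMPLE_LOG = """\
Jan  5 10:22:13 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=34521 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0 SEQ=123456789 ACK=0
Jan  5 10:22:14 gw kernel: IN=eth0 OUT= MAC=... SRC=198.51.100.7 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=9 PROTO=UDP SPT=40000 DPT=137 LEN=20
Jan  5 10:22:15 gw kernel: IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=44321 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0 SEQ=555 ACK=0
"""

# Address ranges treated as "ours" (assumption: RFC 1918 space; extend with
# your public prefix if your firewall logs a routable address as DST).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# KEY=VALUE fields that say nothing about "which remote host hit which port"
# but let a reader correlate their own scan with the log (SEQ/ACK, ID) or
# fingerprint the host (MAC, WINDOW, TOS/PREC). Bare flags like SYN stay.
DROP_FIELDS = frozenset({"MAC", "ID", "SEQ", "ACK", "WINDOW", "RES", "URGP", "TOS", "PREC"})

PREFIX_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<body>.*)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def is_local(addr: str) -> bool:
    """True if addr parses as an IP inside one of LOCAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)


def sanitize_line(line: str, keep_remote: bool = False) -> str:
    """Return a copy of one log line that is safe to hand to a third party.

    Unparseable lines are replaced rather than passed through, because a line
    we could not tokenize is a line whose contents we never checked.
    """
    m = PREFIX_RE.match(line.rstrip("\n"))
    if not m:
        return "[unparsed line dropped]"
    out = []
    for tok in m.group("body").split():
        key, sep, val = tok.partition("=")
        if not sep:                      # bare TCP flag (SYN, DF, ACK ...)
            out.append(tok)
            continue
        if key in DROP_FIELDS:
            continue
        if key in ("SRC", "DST") and (is_local(val) or not keep_remote):
            val = "[redacted]"
        out.append(f"{key}={val}")
    # The syslog host name identifies the box; replace it as well.
    return f"{m.group('ts')} [host] kernel: {' '.join(out)}"


def sanitize_log(text: str, keep_remote: bool = False) -> list[str]:
    """Sanitize every non-empty line of a log file's contents."""
    return [sanitize_line(ln, keep_remote) for ln in text.splitlines() if ln.strip()]


def leaks_local_info(line: str) -> bool:
    """Pre-send check: does this line still carry a private address or a
    correlatable TCP/IP field? Use it as a last gate before forwarding."""
    if any(is_local(ip) for ip in IP_RE.findall(line)):
        return True
    return re.search(r"\b(?:SEQ|ACK|ID|MAC)=", line) is not None


if __name__ == "__main__":
    for raw, clean in zip(SAMPLE_LOG.splitlines(), sanitize_log(SAMPLE_LOG)):
        print("RAW  :", raw)
        print("CLEAN:", clean, "| leaks:", leaks_local_info(clean))
```

Run against the constructed lines, the first entry collapses to `Jan  5 10:22:13 [host] kernel: IN=eth0 OUT= SRC=[redacted] DST=[redacted] LEN=60 TTL=52 DF PROTO=TCP SPT=51234 DPT=22 SYN`: the central service still learns "SYN to port 22 at this time", which is what it needs for trend reporting, while the internal addressing, host name and sequence numbers that would let a scanner match the entry to its own packets never leave the machine.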

  4. My thoughts by autocracy · · Score: 2

    I don't like the idea of handing off your logs to this automated system. I do like the idea of trading logs with different companies or IT people (non-competing and VERY trusted, with no other conflict of interest as well). And absolutely unfiltered so that certain risks can be found. This service you speak of, however, doesn't quite fit those criteria - you're not learning anything beyond what they tell you yourself via others' logs, and there is no mutual interest - a very dangerous thing.

    --
    SIG: HUP
    1. Re:My thoughts by autocracy · · Score: 2

      This is "there is a worm and I have logs of it - here" vs. "today's logs. more tomorrow. enjoy the read." I'm talking about the latter...

      --
      SIG: HUP