I have a request to allow but log the following protocols from my inside network to the public internet.
Telnet (TCP 23)
FTP (TCP 21)
TFTP (UDP 69)
VNC (5900-590x)
SMB (TCP 445, 1137, 139, UDP 137, 138)
Kerberos (TCP 88, UDP 88)
LDAP (TCP/UDP 389)
I am trying to confirm whether it's better to set the logging level to debugging on my inside ip any any rule and filter things out via Splunk, or whether I should create a new rule with only those protocols and change the logging level.
This is a Cisco ASA. I seem to think it's better to leave things the way they are now but then send them to Splunk. My sec team is telling me to add a new rule. I'm thinking Splunk may interpret the data the same. For example, source: ASA sends logs to destination: Splunk. It's not going to see the separate rule on the ASA. The only benefit I see is that there could be less noise by creating a separate rule.
Any recommendations and input is appreciated!
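For comparison, here is what the "separate rule" option looks like in ASA configuration. This is an added example, not part of the original post: the inside network (10.0.0.0/8), the ACL name INSIDE_IN and the Splunk collector address (10.0.0.50) are placeholders, and the SMB entries use the standard 137/138/139/445 ports. The point it shows is that the syslog level of the per-hit 106100 message is set by the `log` keyword on each ACE, so a dedicated ACE can be logged at one level while the catch-all permit is logged at another (or not at all), and `logging trap` then decides what reaches Splunk.

```cisco
! Group the protocols the request is about (ports assumed as listed above)
object-group service LEGACY-CLEARTEXT-OUTBOUND
 service-object tcp destination eq telnet
 service-object tcp destination eq ftp
 service-object udp destination eq tftp
 service-object tcp destination range 5900 5905
 service-object tcp destination eq 445
 service-object tcp destination eq 139
 service-object udp destination range 137 138
 service-object tcp destination eq 88
 service-object udp destination eq 88
 service-object tcp destination eq 389
 service-object udp destination eq 389

! Dedicated ACE first: permit, and log every hit at level 5 (notifications).
! "interval 300" rate-limits the repeat message per flow to one every 5 minutes.
access-list INSIDE_IN extended permit object-group LEGACY-CLEARTEXT-OUTBOUND 10.0.0.0 255.0.0.0 any log notifications interval 300

! Existing catch-all keeps working; "log disable" stops it generating 106100
! messages at all (use "log default" instead if you still want them at informational).
access-list INSIDE_IN extended permit ip 10.0.0.0 255.0.0.0 any log disable

access-group INSIDE_IN in interface inside

! Ship only notifications (5) and more severe to the Splunk collector (placeholder IP).
logging enable
logging timestamp
logging trap notifications
logging host inside 10.0.0.50
```

With the any/any approach instead (`log debugging` on the catch-all and `logging trap debugging`), every outbound flow produces a 106100 message and the filtering has to happen in Splunk after the volume has already crossed the wire.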