RE: [fw-wiz] PIX Logging Analysis

From: Paul Stewart (pauls@nexicom.net)
Date: 03/05/03

    From: "Paul Stewart" <pauls@nexicom.net>
    To: "'Dave Rinker'" <firewall@dsrtech.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 5 Mar 2003 15:03:46 -0500
    

    Thanks very much.. I'd love to see a copy of your configs as I'm having
    problems with 6.2 and DSL right now. I highly agree that even with lots of
    automation that a human is needed hence why we'll charge a good fee
    monthly..:) And, thanks for the link to ipaudit.. Sounds like what we're
    looking for..

    Take care,

    ---
    Paul Stewart
    Network Solutions Specialist
    Nexicom Inc.
    http://www.nexicom.net/
    (705)932-4127 Office
    (705)932-2329 Fax 
    -----Original Message-----
    From: Dave Rinker [mailto:firewall@dsrtech.com] 
    Sent: Wednesday, March 05, 2003 2:16 PM
    To: firewall-wizards@honor.icsalabs.com
    Cc: pauls@nexicom.net
    Subject: Re: [fw-wiz] PIX Logging Analysis
    You need people to look at the logs  :)

    I use ipaudit-web  http://ipaudit.sourceforge.net/ipaudit-web/
    for looking at realtime traffic, snort for IDS behind the FW
    http://www.snort.org/ , modular syslog to log to a mySQL server
    http://sourceforge.net/projects/msyslog/ in addition to flatfile syslog on
    the server.

    The ipaudit is excellent, I just caught a virus flooding UDP port 137
    outbound and squashed it. (Unfortunately I can't lock the host up to prevent
    the user from shutting off virus protection at the moment.)

    Snort is good but you will get a lot of false alarms that if given to your
    customer will cause panic. Which might be a good thing but be sure to get
    paid by the hour not the job, so when they call you can charge them. :)

    msyslog has worked really well to examine the logs through a php web
    interface. This will enable you or your customer to see if ports are blocked
    by source or destination and make the appropriate changes.

    The flatfile syslog is good just for your own records. I rotate mine daily
    and gzip them to save on space, later zcat to view them.

    You can give them all sorts of fancy interfaces but you will still have to
    have someone sort through the data. Unless I'm wrong which I hope I am and
    someone on this list gives me/us an alternative.  :)

    BTW, if you need the dsl config for the pix, post to the list and I'll cut
    and paste mine, both dynamic and static configs. Cisco is also coming out
    with a NAT/PAT IPSec pass through in the next version (6.3). I'm trying to
    get the beta now from my rep. to test it.

    Best of luck to you.
    On Tue, 2003-03-04 at 20:17, Paul Stewart wrote:
    > HI everyone..
    > 
    > I'm new to the list and apologize if I'm asking a dumb question..:)
    > 
    > We are looking at deploying Cisco PIX 501's for some smaller customers 
    > connected via DSL.  Their requests vary from wanting basic information 
    > on what we are protecting them from using a PIX right up to one 
    > customer who would like real-time or even within a few hours a listing 
    > of what all their employees are doing on the Internet.
    > 
    > Hopefully someone will tell me that open source solutions exist for 
    > Linux.. At least I can hope... At the moment I am syslogging 
    > everything back via UDP but what exists to analyze this data?
    > 
    > What is everyone using for this purpose?  We may find that we will 
    > offer them a managed firewall solution and they receive daily email 
    > notices on what we have done for them?  I'm not sure of the best 
    > solution and am open to ideas...:)
    > 
    > Thanks,
    > 
    > Paul Stewart
    > 
    > 
    > _______________________________________________
    > firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
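The workflow Dave describes (PIX syslog into a database, then queries for which ports are being blocked by source or destination, plus spotting an inside host flooding UDP 137 outbound) can be prototyped directly on the UDP syslog stream Paul is already collecting. The following is an added example, not code from this thread or from msyslog/ipaudit; the log lines are constructed and the `%PIX-4-106023` (ACL deny) and `%PIX-6-302015` (built UDP connection) message layouts are assumed approximations of PIX 6.x output, so check them against your own firewall's log before relying on the regexes.

```python
import re
from collections import Counter, defaultdict

# Constructed sample PIX 6.x syslog lines (not taken from the thread). The
# %PIX-4-106023 and %PIX-6-302015 layouts below are assumed approximations;
# verify them against real output from your PIX before trusting the parser.
SAMPLE_LOG = """\
Mar 05 14:10:01 pix501 %PIX-4-106023: Deny tcp src outside:203.0.113.5/3344 dst inside:192.0.2.10/135 by access-group "outside_in"
Mar 05 14:10:02 pix501 %PIX-4-106023: Deny tcp src outside:203.0.113.5/3345 dst inside:192.0.2.10/445 by access-group "outside_in"
Mar 05 14:10:02 pix501 %PIX-4-106023: Deny udp src outside:198.51.100.7/1026 dst inside:192.0.2.10/137 by access-group "outside_in"
Mar 05 14:10:03 pix501 %PIX-6-302015: Built outbound UDP connection 11 for outside:198.51.100.20/137 (198.51.100.20/137) to inside:192.0.2.25/1030 (203.0.113.9/1030)
Mar 05 14:10:03 pix501 %PIX-6-302015: Built outbound UDP connection 12 for outside:198.51.100.21/137 (198.51.100.21/137) to inside:192.0.2.25/1031 (203.0.113.9/1031)
Mar 05 14:10:03 pix501 %PIX-6-302015: Built outbound UDP connection 13 for outside:198.51.100.22/137 (198.51.100.22/137) to inside:192.0.2.25/1032 (203.0.113.9/1032)
Mar 05 14:10:04 pix501 %PIX-6-302015: Built outbound UDP connection 14 for outside:198.51.100.23/137 (198.51.100.23/137) to inside:192.0.2.25/1033 (203.0.113.9/1033)
Mar 05 14:10:05 pix501 %PIX-6-302015: Built outbound UDP connection 15 for outside:198.51.100.2/53 (198.51.100.2/53) to inside:192.0.2.30/1040 (203.0.113.9/1040)
"""

DENY_RE = re.compile(r"%PIX-4-106023: Deny (\w+) src (\w+):([\d.]+)/(\d+) dst (\w+):([\d.]+)/(\d+)")
UDP_RE = re.compile(r"%PIX-6-302015: Built outbound UDP connection \d+ for (\w+):([\d.]+)/(\d+) \S+ to (\w+):([\d.]+)/(\d+)")

def summarize(log_text, flood_threshold=3):
    """Aggregate PIX syslog: what was denied (by dst port and by src host) and which
    inside hosts opened outbound UDP flows to one port on many peers (the UDP/137 case)."""
    denied_ports, denied_sources = Counter(), Counter()
    outbound_udp = defaultdict(set)  # (inside_ip, remote_port) -> set of remote hosts
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            proto, _, src_ip, _, _, _, dst_port = m.groups()
            denied_ports[(proto, int(dst_port))] += 1
            denied_sources[src_ip] += 1
            continue
        m = UDP_RE.search(line)
        if m:
            if_a, ip_a, port_a, if_b, ip_b, port_b = m.groups()
            # Whichever endpoint sits on "inside" is the local host; the other is the remote peer
            ends = {if_a: (ip_a, int(port_a)), if_b: (ip_b, int(port_b))}
            if "inside" in ends and "outside" in ends:
                outbound_udp[(ends["inside"][0], ends["outside"][1])].add(ends["outside"][0])
    floods = sorted((host, port, len(peers)) for (host, port), peers in outbound_udp.items()
                    if len(peers) >= flood_threshold)
    return {"denied_ports": denied_ports, "denied_sources": denied_sources, "udp_floods": floods}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (proto, port), n in report["denied_ports"].most_common():
        print(f"denied {proto}/{port}: {n}")
    for host, port, peers in report["udp_floods"]:
        print(f"possible UDP flood: {host} -> port {port} on {peers} distinct hosts")
```

Feeding the real syslog file (or rows pulled from the msyslog MySQL table) through `summarize` gives the same "blocked by port/source" view and a first cut at the outbound-flood alert, which is the part a human still has to read and act on.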
