Re: [fw-wiz] RE: IDS (was: FW appliance comparison)

On Tue, 24 Jan 2006, Cat Okita wrote:
> On Tue, 24 Jan 2006, Marcus J. Ranum wrote:

>> If your firewall bogs down because of a little bit of logging it is
>> a POS and should be used as a flower planter, not a security
>> device.

> Oh - I agree completely. If my firewall bogs down because of a little
> bit of logging, it should be pushing up daisies.

> ... but I'm not thinking of a 'little' bit of logging. I'm thinking of
> "look at everything that could -possibly- be of interest".

... and everything *is* of interest. Everything that is happening and has happened on a network is described in glorious detail by the logging of the devices and applications that make up that network. The only reason not to focus on producing that telemetry and making sense of it is because there is too much, which becomes a lame excuse after a long enough time.

Devices should be able to report on everything they do, there should be someplace to put all this stuff, and there should be tools to digest it appropriately. Some of the pieces necessary are coming together and it's generally the most useful area to focus on.



firewall-wizards mailing list