Re: [fw-wiz] RE: IDS (was: FW appliance comparison)
- From: "Paul D. Robertson" <paul@xxxxxxxxxxxx>
- Date: Wed, 25 Jan 2006 08:08:47 -0500 (EST)
On Wed, 25 Jan 2006, Marcus J. Ranum wrote:
> Paul D. Robertson wrote:
> >No, there's another reason not to collect it; Everything you collect
> >under almost all environments is ultimately legally discoverable.
>
> That's the dumbest argument against logging I've ever heard. :(
It's not an argument against logging, it's an argument against logging
everything you could ever possibly log. The delta between "I'm sorry we
don't keep that data, it's transient" and "let us see what we have that
matches that criteria" can be *very* costly in terms of simple people
time.
If you don't believe that, look at service provider lawsuits in the last
5-10 years, and look at how companies like Yahoo are getting away with
being able to *charge* for civil subpoena compliance. Think they make a
profit on that?
Now put yourself in Yahoo's shoes and ask yourself how much actual
business they'd get done if they stored everything they could possibly
store. I guarantee you it'd be less than they get done today and it'd
take them more people, more storage and the cost of storage for
preservation letters alone would be pretty damn impressive.
Remember, every time one of Yahoo's customers gets murdered in the US,
Yahoo is dealing with preservation letters, subpoenas, and other record
requests. Now, have them log every packet ever, and keep it all for
analysis and see where that leads them- because I assure you that it
wouldn't be pretty, dumbest idea ever against logging every packet or not.
> If it existed in your network in some form or other such that it
> was transferred and could be logged, it's already legally discoverable.
There's a reason IBM had Notes set to expire mail every 30 days. It's
kept even the over-voluminous SCO discovery stuff a lot shorter than it
would have been otherwise (and yes, that's including the fact that it's
gone on seemingly forever.)
> It just becomes a question of how. Yes, you can carefully construct
> your Email system to not retain anything but can you carefully
> construct your users so they don't? Can you construct your
It doesn't matter that you can't do it perfectly, it may matter simply
that you don't store everything as a matter of course.
> backup system so that only the "right" data is non-transitory?
> Can you make your staff subpoena-proof? etc. That's where you
> are much more likely to have problems, not in your logging system.
That depends totally on what you do, what the opposition is trying to
discover, and how vulnerable you are to fishing expeditions. If you don't
log it as a matter of purpose, then it's at least mostly transitory unless
it's a store-and-forward type communication.
The difference between a machine record (admissible) of everything that
ever went on your network and testimony can really make a difference in a
lot of packet-chasing lawsuits. It's also significantly different in terms
of what you might have to store, report on, be able to redact information
from, etc.
Go ahead, store every IM in and out of a large organization, log every
sender, recipient, message, IP address, etc. Then, once you have to start
dealing with every civil suit between employee and spouse, tell me how
productive you're being. Once you have to produce everything every time
you get a wrongful dismissal case, tell me again how productive it is-
especially if someone happens to win one because some dimwit in
management IM'd the wrong thing to his golf buddy. Now extend that out
ten years and put it all on backup tapes and start thinking of how much
work you're gonna have.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@xxxxxxxxxxxx which may have no basis whatsoever in fact."
http://fora.compuwar.net Infosec discussion boards
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards