Re: [fw-wiz] RE: IDS (was: FW appliance comparison)



On 1/25/06, Paul D. Robertson <paul@xxxxxxxxxxxx> wrote:
> On Wed, 25 Jan 2006, Marcus J. Ranum wrote:
>
> > Paul D. Robertson wrote:
> > >No, there's another reason not to collect it; Everything you collect
> > >under almost all environments is ultimately legally discoverable.
> >
> > That's the dumbest argument against logging I've ever heard. :(
>
> It's not an argument against logging, it's an argument against logging
> everything you could ever possibly log. The delta between "I'm sorry we
> don't keep that data, it's transient" and "let us see what we have that
> matches that criteria" can be *very* costly in terms of simple people
> time.
>
> If you don't believe that, look at service provider lawsuits in the last
> 5-10 years, and look at how companies like Yahoo are getting away with
> being able to *charge* for civil subpoena compliance. Think they make a
> profit on that?
>

Where I work, I'm not sure how we could do it. We're a transactions
company, and do thousands and thousands (and more at times) a second.
Debugging from ONE of our firewalls puts us in the gigabyte-per-hour
realm. I tried turning up a syslogging system here once... it died
three hours later. Maybe I wasn't using the greatest hardware,
database and reporting software - but where do you find that sort of
thing? With that much data, and 98% of it being useless, you kind of have
to ask yourself, "what's the point?" IF we catch something it'll
probably still be too late - our IDS will have already been updated
with the new "something". I don't want to have to go to my manager and
say, "well, we spent 250k on a machine that would log every
transaction - no, sorry, PACKET - we ever passed and we still got
hacked because we didn't hire a new engineer to review the data
streaming out of the system and therefore see the new exploit in time
to shut it down. But, on the bright side, our 2k IDS system did
eventually begin blocking it from all but one customer site."
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards