Re: [fw-wiz] RE: IDS (was: FW appliance comparison)

On 1/30/06, Marcus J. Ranum <mjr@xxxxxxxxxxxxxxxxxxx> wrote:
> Thank Goodness.

I hate laughing at my own expense.

I apologize for not knowing all of the questions to ask before I asked
the question. Then again, it sounds to me as though this is the kind
of question that can only be asked fully via a contract for your
services, as you said it's quite site specific.

> Brian Loe wrote:
> I guess that's where I was coming from, too. You seem to think
> this requires a great deal of resources and I doubt it does. You
> seem to think this requires a great deal of money and I doubt
> that, too. But I'm not the guy on the ground, so I'm absolutely
> sure there are "details" that complicate or change the situation
> a great deal.

If only one of us can be right, my money is on you. Just the same, I
sometimes need to be slapped with the facts of a situation before it
sinks in. I WILL be trying this again so it's just a matter of how and
when...I'm hoping for more of the how first though. I finally read the
entire reply before writing my own so I'm still hopeful.

> I answered that question in my previous post but here it is
> again:
> I (again) suggest you take a look at the NBS powerpoints that
> I mentioned in my last posting.

I guess I have to apologize again - same as before, but add that I
must be a little slow. I also haven't found the time to review your
previously posted link. My bad, I should have waited to respond until
I had I suppose. I WILL today.

> > Something that seems to be lost here though is that when I was saying
> > a Gig an hour, that was in compressed format.
> It didn't get lost; you never said it. You didn't mention the
> ninjas in your computer room either. :) But what's an
> order of magnitude between friends?

See previous apology. If I knew everything to tell you though, I must
re-iterate, I would probably know enough to not have to ask the
question in the first place.

> Seriously, though, 1 gig of compressed data per hour
> means a bunch of different stuff; namely that you were
> compressing it (which is fairly CPU and memory intensive)
> on the fly -- so you could just as easily be doing something
> else with it like running it through a stoplist or something
> to prune out the stuff you know is garbage. Yes, that is
> site-specific stuff and to do it right we're talking a little
> bit of programming -- not rocket science type programming;
> more like an awk script.

Seriously, seriousness was the goal, all the kidding (on your part) aside.

> Did it only have a gig of disk space?? Most logservers roll the log
> when the disk is full.

I was following the directions of a "solution" I had found on the 'net
using syslog-ng and a php web interface. I'm figuring Linux out as I
go on this, so I'm sure there were all kinds of tweaks I could have
made but didn't. Just takes time. Also sounds as though I were going
the absolutely wrong direction for the amount of data I need to deal
with anyway.

> When I read observations like the one above, I can tell that
> you have decided in advance that this problem is going to
> defeat you. You're just looking for excuses. Hey, it's OK,
> you don't have to do that. It's not our problem, we don't care,
> and we don't need to know why you're not going to do it.

That's not even funnin' now. It is your business. What any of us do
for security in our networks DOES matter to the rest of us. Why have
this list if sharing knowledge isn't the goal?

Furthermore, you have not reached through the 'Net and looked me in
the eye, read my mind and come to a proper conclusion. If it were even
possible for you to do the bulk of that, you'd have obviously failed
in your conclusions. If I were as you say, I wouldn't have bothered to
ask in the first place. I'm not such a fool that when I think a thing
can't be done, like storming a beach in the Pacific with thousands of
defending japs, I walk into a local VFW bar and begin to explain how
come to the patrons. Nor am I so lonely that I would do such a thing
for just the conversation...maybe if you were buying the beer...
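The stoplist idea Marcus raises above (prune the lines you already know are garbage before you spend CPU compressing them), worked through as an added example that is not part of this thread: a POSIX sh/awk filter over a few constructed syslog lines. The sample lines, the stoplist patterns and the function names are invented for illustration; a real site would build its stoplist from its own traffic.

```shell
#!/bin/sh
# Constructed sample syslog lines (not real logs): two firewall DROP lines for
# NetBIOS noise, a cron heartbeat, and three lines an analyst would want to keep.
SAMPLE_LOGS='Jan 30 10:00:01 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP DPT=137
Jan 30 10:00:02 fw sshd[123]: Accepted publickey for admin from 192.0.2.20 port 50000 ssh2
Jan 30 10:00:03 fw cron[456]: (root) CMD (run-parts /etc/cron.hourly)
Jan 30 10:00:04 fw kernel: DROP IN=eth0 SRC=192.0.2.11 DST=198.51.100.5 PROTO=UDP DPT=138
Jan 30 10:00:05 fw sshd[124]: Failed password for root from 203.0.113.7 port 41000 ssh2
Jan 30 10:00:06 fw kernel: DROP IN=eth0 SRC=192.0.2.12 DST=198.51.100.5 PROTO=TCP DPT=22'

# Stoplist: one extended regex per line for traffic this (hypothetical) site has
# decided is noise. Keep it narrow: dropped UDP 137-139 is noise, dropped TCP 22 is not.
STOPLIST='kernel: DROP .*PROTO=UDP DPT=13[789]$
cron\[[0-9]+\]: \(root\) CMD \(run-parts'

# prune_logs: read syslog lines on stdin, suppress any line matching a stoplist
# pattern, print the rest. Per-pattern drop counts go to stderr so the stoplist
# itself can be audited (a pattern that suddenly drops far more is worth a look).
prune_logs() {
  STOPLIST="$STOPLIST" awk '
    BEGIN {
      # Load patterns from the environment (safe with embedded newlines), skip blanks.
      m = split(ENVIRON["STOPLIST"], raw, "\n")
      for (j = 1; j <= m; j++) if (raw[j] != "") pat[++n] = raw[j]
    }
    {
      for (i = 1; i <= n; i++)
        if ($0 ~ pat[i]) { dropped[i]++; next }   # known noise: suppress the line
      print                                        # anything else is kept verbatim
    }
    END {
      for (i = 1; i <= n; i++)
        printf "stoplist[%d] dropped %d line(s): %s\n", i, dropped[i] + 0, pat[i] > "/dev/stderr"
    }'
}

# count_kept: how many of the sample lines survive the stoplist (used for checking).
count_kept() {
  printf '%s\n' "$SAMPLE_LOGS" | prune_logs 2>/dev/null | wc -l | tr -d ' '
}

# Typical use on a live file: prune first, compress what is left.
#   prune_logs < /var/log/fw.log | gzip -c > fw.pruned.gz
```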
