Re: [Wallfire-users] Using wflogs/cisco_pix for ip accounting
From: Herve E. <rv...@wa...> - 2003-05-07 20:20:35
On Wed, May 07, 2003 at 11:34:55PM +0200, Friedhelm Düsterhöft wrote:

> > As you know, a serious security policy is "allow a few connections,
> > drop all the rest", and it doesn't make much sense to log what is
> > accepted (at least at the filter level).
> > So... of course you can use values provided by a firewalling tool for
> > accounting, but if it's not for firewalled (understand blocked)
> > connections, it's generally a bad idea.

> I do understand your point of view, but the question who is
> consuming all of your bandwidth is security related, too.
> Furthermore, ip accounting could help spotting weak filtering rules.
> As the firewall is (should) be the central place where all traffic
> arrives it is an ideal location for collecting traffic data.

Yes it is. But a firewalling _tool_ is IMHO not the place to do that.
I mean, accounting for the traffic that will be dropped can only be done
at the firewalling level for self-evident reasons. But traffic passing
thru could (and indeed should) be accounted at the next level.
Note that it wouldn't prevent the firewalling tool from doing some
lightweight accounting on allowed traffic to optimize rules ordering
(if traversal is sequential).

But in any case, logs in text format are not the best way to do
accounting, as they are much too heavy and cumbersome for that purpose.

> Convinced?

Well... not really. ;-)

 Herve

-- 
 _
(°=  Hervé Eychenne
//)  v_/_  WallFire project: http://www.wallfire.org/
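A worked illustration of the per-host accounting the two correspondents are debating, added here and not part of the WallFire project, of wflogs, or of either mail: it parses constructed firewall log lines in a made-up `ACCEPT`/`DROP` key=value format (an assumption for the example, not the cisco_pix or wflogs syntax), aggregates accepted bytes and dropped connection attempts per source host (the "who is consuming the bandwidth" and "weak filtering rules" questions), skips unparseable lines rather than aborting, and computes how many bytes of log text were spent per byte of traffic accounted, which is the overhead Hervé's reply objects to.

```python
"""
Per-host IP accounting from firewall log lines.

Added example, not code from the WallFire project or from this thread.
The log format below is constructed for the example only; it is not the
cisco_pix or wflogs format.
"""
import re
from collections import defaultdict

# Constructed sample log lines: action, source, destination, bytes moved.
# One deliberately malformed line is included to exercise the skip path.
SAMPLE_LOG = """\
ACCEPT src=10.0.0.5 dst=192.0.2.10 proto=tcp dport=80 bytes=4567
ACCEPT src=10.0.0.5 dst=192.0.2.11 proto=tcp dport=443 bytes=120000
DROP src=198.51.100.7 dst=10.0.0.5 proto=tcp dport=22 bytes=0
ACCEPT src=10.0.0.9 dst=192.0.2.10 proto=udp dport=53 bytes=300
DROP src=198.51.100.7 dst=10.0.0.9 proto=tcp dport=3389 bytes=0
this line is garbage and must be skipped
ACCEPT src=10.0.0.9 dst=203.0.113.4 proto=tcp dport=25 bytes=75000
"""

LINE_RE = re.compile(
    r"^(?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Return a record dict for a well-formed line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def account(log_text):
    """Aggregate per source host: accepted bytes, accepted and dropped counts.

    Returns (totals, skipped) where skipped is the number of unparseable lines.
    """
    totals = defaultdict(lambda: {"accepted_bytes": 0, "accepted": 0, "dropped": 0})
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        entry = totals[rec["src"]]
        if rec["action"] == "ACCEPT":
            entry["accepted"] += 1
            entry["accepted_bytes"] += rec["bytes"]
        else:
            entry["dropped"] += 1
    return dict(totals), skipped


def top_talkers(totals, n=3):
    """Source hosts ordered by accepted bytes, descending."""
    return sorted(totals.items(), key=lambda kv: kv[1]["accepted_bytes"], reverse=True)[:n]


def log_overhead_ratio(log_text, totals):
    """Bytes of log text per byte of accounted traffic (the 'too heavy' point)."""
    traffic = sum(e["accepted_bytes"] for e in totals.values())
    return len(log_text.encode()) / traffic if traffic else float("inf")


if __name__ == "__main__":
    totals, skipped = account(SAMPLE_LOG)
    for src, e in top_talkers(totals):
        print(f"{src:16} accepted={e['accepted']} bytes={e['accepted_bytes']} dropped={e['dropped']}")
    print(f"skipped {skipped} unparseable line(s)")
    print(f"log overhead: {log_overhead_ratio(SAMPLE_LOG, totals):.4f} log bytes per traffic byte")
```

Hosts with many `dropped` entries and no `accepted` traffic are the candidates for the "weak filtering rules" review Friedhelm mentions; the overhead ratio is small on this sample only because the constructed flows are large, and it grows as flows get shorter, since each connection costs a full log line regardless of how few bytes it carried.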