Re: [Wallfire-users] Using wflogs/cisco_pix for ip accounting
From: <fd...@ms...> - 2003-05-08 11:26:48
----- Original Message -----
From: "Herve Eychenne" <rv...@wa...>
To: "Friedhelm Düsterhöft" <fd...@ms...>
Cc: <wal...@li...>
Sent: Wednesday, May 07, 2003 10:21 PM
Subject: Re: [Wallfire-users] Using wflogs/cisco_pix for ip accounting

> Yes it is. But a firewalling _tool_ is IMHO not the place to do that.
> I mean, accounting for the traffic that will be dropped can only be
> done at the firewalling level for self-evident reasons.
> But traffic passing through could (and indeed should) be accounted at
> the next level.

True and false. If your network is accounted by an upstream ISP, this ISP doesn't care whether you block a packet or not - you have to pay for all traffic. So accounting on the next level is too late. If you have more than one border, you have to grab the stats from different devices.

> Note that it wouldn't prevent the firewalling tool from doing some
> lightweight accounting on allowed traffic to optimize rules ordering
> (if traversal is sequential).

That's what I ask for: lightweight accounting.

> But in any case, logs in text format are not the best way to do accounting,
> as they are much too heavy and cumbersome for that purpose.

Sure they aren't. But when you are using Cisco, it seems to be the only practical way. Perhaps you know how to do accounting via SNMP on a PIX? For an IOS router it can be done. However, it would not give you the port numbers. So all you can see is how many bytes are transferred between 2 addresses. You say TACACS? This will give you all accounting details - but only for authenticated connections! If you know any other reasonable way to do IP accounting, I would love to hear about it.

> > Convinced?
>
> Well... not really. ;-)

Now?

> Herve

Friedhelm
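The kind of lightweight accounting Friedhelm is asking for, done the only way the message says is practical on a PIX: from its text syslog output. The script below is an added example written for this page; it is not wflogs or its cisco_pix module. It assumes the PIX 6.x message formats for 302014 (TCP teardown) and 302016 (UDP teardown), which carry a per-connection byte count and both ports, and 106023 (ACL deny), which carries ports but no byte count, so denied traffic can only be counted in packets. The log lines in SAMPLE_LOG are constructed for the example. The address-pair view at the end shows what SNMP interface/flow counters on an IOS router would give you: bytes between two addresses, ports lost.

```python
"""Per-flow accounting from Cisco PIX syslog text (example, not wflogs code)."""
import re
from collections import defaultdict

# Assumed PIX 6.x formats (from the Cisco message reference), e.g.:
#   %PIX-6-302014: Teardown TCP connection 42 for outside:192.0.2.10/80
#       to inside:10.0.0.5/33000 duration 0:00:05 bytes 1234 TCP FINs
#   %PIX-4-106023: Deny tcp src outside:198.51.100.9/4301 dst inside:10.0.0.5/23
#       by access-group "outside_in"
TEARDOWN_RE = re.compile(
    r"%PIX-6-30201[46]: Teardown (?P<proto>TCP|UDP) connection \d+ for "
    r"(?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<port1>\d+) to "
    r"(?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<port2>\d+) "
    r"duration \d+:\d{2}:\d{2} bytes (?P<bytes>\d+)"
)
# Deny messages have no byte field; only TCP/UDP denies (which carry ports) are handled.
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>tcp|udp) src "
    r"(?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<port1>\d+) dst "
    r"(?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<port2>\d+)"
)

# Constructed sample log; not captured from a real device.
SAMPLE_LOG = [
    'May  8 11:20:01 fw %PIX-6-302014: Teardown TCP connection 1001 for outside:192.0.2.10/80 '
    'to inside:10.0.0.5/33000 duration 0:00:05 bytes 1500 TCP FINs',
    'May  8 11:20:02 fw %PIX-6-302014: Teardown TCP connection 1002 for outside:192.0.2.10/80 '
    'to inside:10.0.0.5/33001 duration 0:00:02 bytes 2500 TCP FINs',
    'May  8 11:20:03 fw %PIX-6-302016: Teardown UDP connection 1003 for outside:192.0.2.53/53 '
    'to inside:10.0.0.5/40000 duration 0:00:00 bytes 300',
    'May  8 11:20:04 fw %PIX-4-106023: Deny tcp src outside:198.51.100.9/4301 '
    'dst inside:10.0.0.5/23 by access-group "outside_in"',
    'May  8 11:20:05 fw %PIX-4-106023: Deny tcp src outside:198.51.100.9/4302 '
    'dst inside:10.0.0.5/23 by access-group "outside_in"',
    # Unrelated message: must be ignored rather than mis-parsed.
    'May  8 11:20:06 fw %PIX-6-305011: Built dynamic TCP translation from inside:10.0.0.5/33002 '
    'to outside:203.0.113.1/1024',
]


def account(lines):
    """Return (allowed, denied).

    allowed: (proto, ip1, port1, ip2, port2) -> bytes, summed over teardown messages.
    denied:  (proto, ip1, port1, ip2, port2) -> packets, one per deny message.
    """
    allowed = defaultdict(int)
    denied = defaultdict(int)
    for line in lines:
        m = TEARDOWN_RE.search(line)
        if m:
            key = (m["proto"], m["ip1"], int(m["port1"]), m["ip2"], int(m["port2"]))
            allowed[key] += int(m["bytes"])
            continue
        m = DENY_RE.search(line)
        if m:
            key = (m["proto"].upper(), m["ip1"], int(m["port1"]), m["ip2"], int(m["port2"]))
            denied[key] += 1
    return dict(allowed), dict(denied)


def bytes_per_address_pair(allowed):
    """Collapse the per-port table to address pairs: the view you get without port numbers."""
    totals = defaultdict(int)
    for (_proto, ip1, _p1, ip2, _p2), n in allowed.items():
        totals[tuple(sorted((ip1, ip2)))] += n
    return dict(totals)


if __name__ == "__main__":
    allowed, denied = account(SAMPLE_LOG)
    for key, n in sorted(allowed.items()):
        print("allowed %s %s/%d -> %s/%d: %d bytes" % (key + (n,)))
    for key, n in sorted(denied.items()):
        print("denied  %s %s/%d -> %s/%d: %d packets (no byte count in 106023)" % (key + (n,)))
    for pair, n in sorted(bytes_per_address_pair(allowed).items()):
        print("pair    %s <-> %s: %d bytes" % (pair + (n,)))
```

Teardown messages are only emitted when a connection closes, so long-lived flows are invisible until they end, and 106023 tells you a packet was dropped but not how big it was; for the upstream-ISP billing case in the message, that means text logs can prove that unwanted traffic arrived but cannot by themselves reconcile the byte count on the invoice.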