Re: [Wallfire-users] Using wflogs/cisco_pix for ip accounting
From: E. <rv...@wa...> - 2003-05-08 11:28:03
On Thu, May 08, 2003 at 01:30:58PM +0200, Friedhelm Düsterhöft wrote:

> > Yes it is. But a firewalling _tool_ is IMHO not the place to do that.
> > I mean, accounting for the traffic that will be dropped can only be
> > done at the firewalling level for self-evident reasons.
> > But traffic passing through could (and indeed should) be accounted at
> > the next level.

> True and false. If your network is accounted by an upstream ISP,
> this ISP doesn't care whether you block a packet or not - you have
> to pay for all traffic.

If your ISP makes you pay for the traffic, change your ISP. ;-)

> So accounting on the next level is too late.

That would mean you have access to your ISP's firewalling logs.
Frankly, I doubt that.

> If you have more than one border you have to grab the stats from
> different devices.

True. Use a "distributed" accounting tool, then.

> > Note that it wouldn't prevent the firewalling tool from doing some
> > lightweight accounting on allowed traffic to optimize rules ordering
> > (if traversal is sequential).

> That's what I ask for: lightweight accounting.

As I said, text logs are not what I call lightweight...

> > But in any case, logs in text format are not the best way to do accounting,
> > as they are much too heavy and cumbersome for that purpose.

> Sure they aren't. But when you are using Cisco it seems to be the only practical
> way.

Are you sure? How do products such as FireWall-1 do it, for example?

> Perhaps you know how to do accounting via SNMP on a PIX? For an IOS
> router it can be done. However, it would not give you the port numbers. So
> all you can see is how many bytes are transferred between 2 addresses.
> You say TACACS? This will give you all accounting details - but only for
> authenticated connections!
> If you know any other reasonable way to do IP accounting I would love to
> hear about it.

No, I don't, and your point is valid.

But finding a way to circumvent Cisco's insufficiencies is not a priority concern for me, as there are so many useful (I mean for firewalling in its very sense) and time-consuming things to do before that.

Identifying log messages related to denied or accepted packets is useful for firewalling. Identifying log messages related to the end of allowed connections (such as PIX-302014 msgs) is not directly useful, as this is pure accounting (which is not wallfire's initial goal).

My time is already limited, so I won't do it myself. But maybe I'll be willing to integrate it if someone does the job. Or maybe you'll want to have a look at specific PIX log parsing tools...

http://www.loganalysis.org/sections/parsing/application-specific/index.html

Herve

-- 
 _
(°=  Hervé Eychenne
//)  v_/_  WallFire project: http://www.wallfire.org/
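The thread ends on the point that parsing the PIX end-of-connection messages (the PIX-302014 teardown lines) is the only practical way to get per-port byte counts out of a PIX, since SNMP only gives address-to-address totals. The following is an added example, not code from the WallFire project or from either poster, that does the lightweight accounting discussed above: it extracts the two endpoints, the duration and the byte count from 302014 lines and aggregates them per (outside address, outside port, inside address). The message layout used by the regex is the one documented for PIX 6.x "Teardown TCP connection" messages and is assumed here; the syslog lines, hostnames and addresses are constructed for the example, and the field order "for <endpoint> to <endpoint>" is taken as-is without assuming which side is the client.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the mailing-list post). The
# 302014 layout follows the PIX 6.x documentation for TCP teardown messages:
#   Teardown TCP connection <id> for <if>:<ip>/<port> to <if>:<ip>/<port>
#   duration <h:mm:ss> bytes <n> <reason>
# The last line is a connection build-up message, included to show that
# non-teardown lines are skipped rather than mis-accounted.
SAMPLE_LOG = """\
May  8 13:31:02 fw1 %PIX-6-302014: Teardown TCP connection 104 for outside:192.0.2.10/80 to inside:10.0.0.5/1034 duration 0:00:02 bytes 4813 TCP FINs
May  8 13:31:05 fw1 %PIX-6-302014: Teardown TCP connection 105 for outside:192.0.2.10/80 to inside:10.0.0.5/1035 duration 0:00:01 bytes 1187 TCP FINs
May  8 13:31:09 fw1 %PIX-6-302014: Teardown TCP connection 106 for outside:192.0.2.22/443 to inside:10.0.0.7/1040 duration 0:00:11 bytes 20480 TCP Reset-O
May  8 13:31:12 fw1 %PIX-6-302013: Built outbound TCP connection 107 for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.0.0.5/1036 (203.0.113.1/1036)
"""

# Assumed message layout (see comment above). The severity digit is not
# pinned so that the same message logged at another level still matches.
TEARDOWN_RE = re.compile(
    r"%PIX-\d-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<for_if>\w+):(?P<for_ip>[\d.]+)/(?P<for_port>\d+) to "
    r"(?P<to_if>\w+):(?P<to_ip>[\d.]+)/(?P<to_port>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) bytes (?P<bytes>\d+)"
)


def parse_teardown(line):
    """Return the fields of a 302014 line as a dict, or None for any other line."""
    m = TEARDOWN_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {
        "conn": int(d["conn"]),
        "for_if": d["for_if"], "for_ip": d["for_ip"], "for_port": int(d["for_port"]),
        "to_if": d["to_if"], "to_ip": d["to_ip"], "to_port": int(d["to_port"]),
        # duration is h:mm:ss; fold it into seconds so it can be summed
        "duration": int(d["h"]) * 3600 + int(d["m"]) * 60 + int(d["s"]),
        "bytes": int(d["bytes"]),
    }


def account(lines):
    """Aggregate bytes, connection count and total duration per
    (for-side IP, for-side port, to-side IP).

    Keeping the for-side port (and dropping the to-side, usually ephemeral,
    port) is what gives the per-service breakdown that SNMP counters lack.
    Returns (totals, number_of_skipped_lines)."""
    totals = defaultdict(lambda: {"bytes": 0, "conns": 0, "seconds": 0})
    skipped = 0
    for line in lines:
        rec = parse_teardown(line)
        if rec is None:
            skipped += 1
            continue
        key = (rec["for_ip"], rec["for_port"], rec["to_ip"])
        t = totals[key]
        t["bytes"] += rec["bytes"]
        t["conns"] += 1
        t["seconds"] += rec["duration"]
    return dict(totals), skipped


if __name__ == "__main__":
    totals, skipped = account(SAMPLE_LOG.splitlines())
    for (ip, port, peer), t in sorted(totals.items()):
        print(f"{ip}:{port} <-> {peer}  bytes={t['bytes']}  "
              f"conns={t['conns']}  seconds={t['seconds']}")
    print(f"skipped {skipped} non-teardown line(s)")
```

Run it against a real PIX syslog file with `account(open(path))`; only the byte and connection counters are kept per key, so the memory footprint stays bounded by the number of distinct (service, client) pairs rather than by the log size, which is the lightweight accounting the thread asks for.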