Firewall Wizards mailing list archives

RE: Statistics for Firewalls


From: John Adams <jna-dated-1032202478.26c83c () retina net>
Date: Wed, 11 Sep 2002 11:54:36 -0700 (PDT)

On Wed, 11 Sep 2002, Joe Matusiewicz wrote:

> I think it's marvelous.  The only problem I had with it was on one of my
> networks.  The firewall there averages 70,000 simultaneous connections and
> ntop keeps a record of all the IP addresses that go through the
> network.  Keeping track of so many addresses bogged down the hash memory so
> much until ntop was unusable. :(  I wound up using iptraf there.
>
> But ntop works great everywhere else I put it.

I had similar problems with ntop. What I usually do is to filter out the 
traffic I deem useless with a tcpdump expression.

For example, do you really need to know every DNS connection? Hell no, 
filter that. Filter NNTP. Filter all SMTP that isn't bound for your main 
mail server. Filter out NetBIOS. 

Watch only the items under NTOP that you can actually do something about
(KaZaa, File Sharing, etc.) and ignore (or just log) the rest. We were
able to increase our network performance by going after people who were
using serious amounts of bandwidth and have some idea of what the general
picture of network traffic was like using NTOP, but it really can't be
used as a complete solution, as the amount of data is akin to drinking
from a firehose.

-john
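The filtering John describes (drop DNS, NNTP, SMTP not involving the main mail server, and NetBIOS so ntop's host table stays small), as an added example that is not from the thread: it builds the equivalent tcpdump/BPF expression and applies the same policy to constructed flow records to show how many distinct hosts remain to be tracked. The mail server address and the sample flows are assumptions.

```python
from collections import namedtuple

# One unidirectional client->server flow; dport is the server-side port.
Flow = namedtuple("Flow", "src dst proto dport")

MAIL_SERVER = "192.0.2.25"        # assumed address of "your main mail server"
NETBIOS_PORTS = {137, 138, 139}   # NetBIOS name, datagram and session services


def bpf_expression(mail_server=MAIL_SERVER):
    """tcpdump/BPF expression equivalent to the filtering policy in the post."""
    return ("not port 53 and not tcp port 119 and "
            f"not (tcp port 25 and not host {mail_server}) and "
            "not port 137 and not port 138 and not port 139")


def is_noise(flow, mail_server=MAIL_SERVER):
    """True if the flow would be dropped by bpf_expression()."""
    if flow.dport == 53:                                   # DNS
        return True
    if flow.proto == "tcp" and flow.dport == 119:          # NNTP
        return True
    if (flow.proto == "tcp" and flow.dport == 25           # SMTP not touching
            and mail_server not in (flow.src, flow.dst)):  # the main mail server
        return True
    return flow.dport in NETBIOS_PORTS                     # NetBIOS


def tracked_hosts(flows, mail_server=MAIL_SERVER):
    """Return (kept flows, distinct hosts ntop would still have to track)."""
    kept = [f for f in flows if not is_noise(f, mail_server)]
    hosts = set()
    for f in kept:
        hosts.update((f.src, f.dst))
    return kept, hosts


# Constructed sample: 8 flows, 15 distinct hosts before filtering.
SAMPLE = [
    Flow("10.0.0.1", "192.0.2.53", "udp", 53),        # DNS        -> dropped
    Flow("10.0.0.2", "192.0.2.53", "udp", 53),        # DNS        -> dropped
    Flow("10.0.0.3", "198.51.100.7", "tcp", 119),     # NNTP       -> dropped
    Flow("10.0.0.4", "198.51.100.8", "tcp", 25),      # stray SMTP -> dropped
    Flow("203.0.113.9", "192.0.2.25", "tcp", 25),     # SMTP to mail server -> kept
    Flow("10.0.0.5", "10.0.0.6", "udp", 137),         # NetBIOS    -> dropped
    Flow("10.0.0.7", "198.51.100.9", "tcp", 80),      # HTTP       -> kept
    Flow("10.0.0.8", "198.51.100.10", "tcp", 1214),   # KaZaa      -> kept
]

if __name__ == "__main__":
    kept, hosts = tracked_hosts(SAMPLE)
    print(bpf_expression())
    print(f"{len(kept)} of {len(SAMPLE)} flows kept, {len(hosts)} hosts to track")
```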

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

