Firewall Wizards mailing list archives
RE: RE: IDS (was: FW appliance comparison)
From: "Paul Melson" <pmelson () gmail com>
Date: Wed, 25 Jan 2006 16:39:46 -0500
-----Original Message-----
Subject: Re: [fw-wiz] RE: IDS (was: FW appliance comparison)

It's not an argument against logging, it's an argument against logging everything you could ever possibly log. The delta between "I'm sorry we don't keep that data, it's transient" and "let us see what we have that matches that criteria" can be *very* costly in terms of simple people time. Now put yourself in Yahoo's shoes and ask yourself how much actual business they'd get done if they stored everything they could possibly store. I guarantee you it'd be less than they get done today and it'd take them more people, more storage and the cost of storage for preservation letters alone would be pretty damn impressive.
Logging and storing are two different things. For instance, we don't maintain backups of raw firewall logs. The logs roll over when they roll over. But our analysis tool snarfs copies of firewall logs into a database, creates lots of cool meta-data, and preserves the log data online for 30 days. After that, depending on what happens to it along the way, it ends up in one of 3 possible 'storage' scenarios, the final destination for one of which is /dev/null. Given the data source and time frame, I can tell you whether or not I still have that data and where it's stored pretty much off the top of my head and certainly faster than any single attorney can throw subpoenas at me. And this is all with off-the-shelf software.

I guess where I'm going with this is that just because you don't want to bear the expense of having to search through all of the data that you store in the event of a subpoena doesn't mean that you don't - or can't afford to - bear the responsibility to analyze as much data on your network as you can.

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
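As an added example (not code from the post or from Paul's analysis tool), here is a small Python model of the retention scheme he describes: log sets stay online for 30 days, then land in one of three destinations, one of which is /dev/null, and the catalog alone answers "do we still have it, and where?". The two archive tiers, the `incident_linked` and `preservation_hold` criteria, the `LogSet` record and the source names are assumptions, not anything the post states; `place_hold` also covers the edge case the quoted message raises, a preservation letter that arrives after the data is already gone.

```python
from dataclasses import dataclass
from datetime import date

ONLINE_DAYS = 30  # the post keeps ingested log data online for 30 days

@dataclass
class LogSet:
    """One day of logs from one source, plus what analysis learned about it."""
    source: str
    day: date
    incident_linked: bool = False    # assumed criterion: tied to a tracked incident
    preservation_hold: bool = False  # assumed criterion: named in a preservation letter

def location(logs: LogSet, today: date) -> str:
    """Where this log set lives today. The post says there are three post-30-day
    destinations, one of them /dev/null; the other two tiers are constructed here."""
    age = (today - logs.day).days
    if age < ONLINE_DAYS:
        return "online-db"
    if logs.preservation_hold:
        return "legal-hold-archive"
    if logs.incident_linked:
        return "incident-archive"
    return "/dev/null"

def answer_request(catalog: list[LogSet], source: str, start: date,
                   end: date, today: date) -> dict[str, list[date]]:
    """'What do you have for <source> between <start> and <end>?' answered from
    the catalog alone: a map of location -> days found there."""
    found: dict[str, list[date]] = {}
    for logs in catalog:
        if logs.source == source and start <= logs.day <= end:
            found.setdefault(location(logs, today), []).append(logs.day)
    return found

def place_hold(catalog: list[LogSet], source: str, start: date,
               end: date, today: date) -> list[date]:
    """Apply a preservation letter to what is still retained. Returns the days
    already gone to /dev/null: a hold stops the clock, it can't restore data."""
    lost: list[date] = []
    for logs in catalog:
        if logs.source != source or not (start <= logs.day <= end):
            continue
        if location(logs, today) == "/dev/null":
            lost.append(logs.day)
        else:
            logs.preservation_hold = True
    return lost
```

The /dev/null tier is the point of the thread: a request for transient data that has already expired is answered in seconds from the catalog, with nothing to search.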