Firewall Wizards mailing list archives
Re: RE: IDS (was: FW appliance comparison)
From: <chris () blask org>
Date: Tue, 24 Jan 2006 22:40:31 -0800 (PST)
At 12:24 AM 25/01/2006, Marcus J. Ranum wrote:
Cat Okita wrote:
Would you care to elaborate on the way that you handle the vast amounts of data that you collect, then? Sorting the gold from the dross is a monumental challenge on a good day.
Like he says. <lights cigarette, leans on post while Marcus paces and gestures>
Use an artificial ignorance to weed out the majority of it, then revector stuff that should be counted and quantified into a .d.
For truly huge amounts of log data, you can use hardcoded tools and get amazing data rates out of them; for example, building a parse-tree out of nested calls to sscanf using the magic %n operator to offset directly into the last match.
Computers are fast and people are smart. When you break down the logical structure of the problem you find that there are not significant hurdles that can't be knocked down with the usual brow sweat and frayed nerves of any technical endeavor. Once you accept the idea that your operational goal is to monitor the living bejesus out of everything, the model changes. *Since* you can see everything (and if you can't you'll fix it), you can focus on dealing with what is happening, make more intelligent forecasts for planning, look back at what happened for analysis and reporting and basically take a more strategic role in making a network secure.
System log processing remains a backwater in spite of the recent interest in the topic thanks to HIPAA and whatnot.
It's the calm before the storm. More people need to (and will) contribute to the effort before it's really mature.
www.loganalysis.org has some resources on some of this stuff. But it remains the land of do-it-yourselfers because log data is very site-specific. On the other hand it's not freakin' rocket science; if you just sit down and start eyeballing the stuff you'll get an idea what you need for your site within an hour or 2.
Agreed. It has gotten to the point that when I see each new network it feels like 1995 ("well - since you've done *nothing*, and I can telnet directly into the middle of your network from home, and you make parts for manned spacecraft - any firewall might be a good start"). Except now it's: "Well, since you have no way to see even the *slightest* bit of what the hell is happening on your network while we're standing here drinking bottled water, even a crappy [within limits] SIM solution is probably a good idea."

It is worth the effort to find a way to Manage the Information about the Security of your network (a SIM by any name would smell so sweet...). The SIM vendorsphere is completely fubared (vendors are easily recognizable: they're the ones saying, "well, we're not a *SIM*, we're a ...."), but there are workable bits of technology out there. Applying some of the products and processes available is a good start.

As always with fundamental shifts, it will take time for the solution providers to make the solutions fully respectable, but it will take time for the consumers to work through adoption pains as well, so IMHO current solutions are fit for early adoption in volume. By the time a company today adopts and deploys a solution to the point of being sore about solution shortcomings, they will have benefited directly from the effort, they will be better positioned to ask intelligent questions of the providers, and the solution choices will be richer.

-cheers!

-chris

[So, Paul. Obviously I'm still sending html, eh?]
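The two techniques Marcus mentions above, an artificial ignorance list that drops the routine lines, and a header parser built from nested sscanf calls that use %n to resume exactly where the last match stopped, are shown together below. This is an added example and not code from the thread or from any participant; the syslog lines, the host and program names, and the ignore list are all constructed for the example, and the ignore list stands in for whatever a real site decides is noise.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample syslog-style lines; not taken from the original thread. */
static const char *const SAMPLE_LOG[] = {
    "Jan 24 22:40:31 fw1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Jan 24 22:40:32 fw1 cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan 24 22:40:33 fw1 sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 40000 ssh2",
    "Jan 24 22:40:34 fw1 cron[100]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan 24 22:40:35 fw1 sshd[1236]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2",
    "Jan 24 22:40:36 fw1 kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.1 PROTO=TCP DPT=23",
    "this line is not syslog and must be counted as unparsed",
    NULL
};

struct logrec {
    char month[4];
    int day, hour, min, sec;
    char host[64];
    char prog[64];
    int pid;          /* -1 when the line carries no [pid] */
    const char *msg;  /* points into the original line, nothing is copied */
};

/* Header parser: every sscanf format ends in %n, which stores how many
   characters were consumed, so the next call starts at line + off. */
static int parse_line(const char *line, struct logrec *r)
{
    int off = 0, n = 0;
    if (sscanf(line, "%3s %d %d:%d:%d %63s %n",
               r->month, &r->day, &r->hour, &r->min, &r->sec, r->host, &n) != 6)
        return 0;
    off += n;
    r->pid = -1;
    if (sscanf(line + off, "%63[^[: ][%d]: %n", r->prog, &r->pid, &n) == 2)
        off += n;                       /* "prog[pid]: " form */
    else if (sscanf(line + off, "%63[^[: ]: %n", r->prog, &n) == 1)
        off += n;                       /* "prog: " form (e.g. kernel) */
    else
        return 0;
    r->msg = line + off;
    return 1;
}

/* Artificial ignorance: (program, message substring) pairs this hypothetical
   site has decided are routine. Everything NOT listed survives to be counted. */
static const struct { const char *prog, *needle; } IGNORE[] = {
    { "cron", "CMD (run-parts" },
    { "sshd", "Accepted publickey" },
};

static int is_ignored(const struct logrec *r)
{
    size_t i;
    for (i = 0; i < sizeof IGNORE / sizeof IGNORE[0]; i++)
        if (strcmp(r->prog, IGNORE[i].prog) == 0 && strstr(r->msg, IGNORE[i].needle))
            return 1;
    return 0;
}

/* Collapse digit runs to '#' so pids, ports and addresses do not make every
   surviving line unique; this is what turns "weed out" into "count". */
static void normalize(const char *msg, char *out, size_t outsz)
{
    size_t o = 0;
    int indigits = 0;
    for (; *msg && o + 1 < outsz; msg++) {
        if (isdigit((unsigned char)*msg)) {
            if (!indigits) out[o++] = '#';
            indigits = 1;
        } else {
            out[o++] = *msg;
            indigits = 0;
        }
    }
    out[o] = '\0';
}

#define MAXKEYS 32
struct summary {
    struct { char key[192]; int count; } bucket[MAXKEYS];
    int nkeys, parsed, ignored, unparsed;
};

static void summarize(const char *const *lines, struct summary *s)
{
    memset(s, 0, sizeof *s);
    for (; *lines; lines++) {
        struct logrec r;
        char key[192], norm[128];
        int i;
        if (!parse_line(*lines, &r)) { s->unparsed++; continue; }
        s->parsed++;
        if (is_ignored(&r)) { s->ignored++; continue; }
        normalize(r.msg, norm, sizeof norm);
        snprintf(key, sizeof key, "%s: %s", r.prog, norm);
        for (i = 0; i < s->nkeys; i++)
            if (strcmp(s->bucket[i].key, key) == 0) break;
        if (i == s->nkeys) {
            if (s->nkeys == MAXKEYS) continue;   /* table full; a real tool would grow it */
            snprintf(s->bucket[i].key, sizeof s->bucket[i].key, "%s", key);
            s->nkeys++;
        }
        s->bucket[i].count++;
    }
}

/* Count for one normalized key, or -1 if it never appeared. */
static int count_for(const struct summary *s, const char *key)
{
    int i;
    for (i = 0; i < s->nkeys; i++)
        if (strcmp(s->bucket[i].key, key) == 0) return s->bucket[i].count;
    return -1;
}

int main(void)
{
    struct summary s;
    int i;
    summarize(SAMPLE_LOG, &s);
    printf("parsed=%d ignored=%d unparsed=%d\n", s.parsed, s.ignored, s.unparsed);
    for (i = 0; i < s.nkeys; i++)
        printf("%5d  %s\n", s.bucket[i].count, s.bucket[i].key);
    return 0;
}
```

On the sample input the two cron lines and the successful login are dropped by the ignore list, the two failed logins collapse into one key with a count of 2, and the firewall drop stands alone. Lines that fail the header parse are counted separately rather than silently lost, which is the check worth keeping when the ignore list grows: a rising unparsed count usually means a new log source or format, not quiet.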