Firewall Wizards mailing list archives
Re: RE: IDS (was: FW appliance comparison)
From: "Paul D. Robertson" <paul () compuwar net>
Date: Wed, 25 Jan 2006 08:08:47 -0500 (EST)
On Wed, 25 Jan 2006, Marcus J. Ranum wrote:
> Paul D. Robertson wrote:
> > No, there's another reason not to collect it; Everything you collect under almost all environments is ultimately legally discoverable.
>
> That's the dumbest argument against logging I've ever heard. :(
It's not an argument against logging, it's an argument against logging everything you could ever possibly log. The delta between "I'm sorry we don't keep that data, it's transient" and "let us see what we have that matches that criteria" can be *very* costly in terms of simple people time. If you don't believe that, look at service provider lawsuits in the last 5-10 years, and look at how companies like Yahoo are getting away with being able to *charge* for civil subpoena compliance. Think they make a profit on that? Now put yourself in Yahoo's shoes and ask yourself how much actual business they'd get done if they stored everything they could possibly store. I guarantee you it'd be less than they get done today and it'd take them more people, more storage and the cost of storage for preservation letters alone would be pretty damn impressive. Remember, every time one of Yahoo's customers gets murdered in the US, Yahoo is dealing with preservation letters, subpoenas, and other record requests. Now, have them log every packet ever, and keep it all for analysis and see where that leads them, because I assure you that it wouldn't be pretty, dumbest idea ever against logging every packet or not.
> If it existed in your network in some form or other such that it was transferred and could be logged, it's already legally discoverable.
There's a reason IBM had Notes set to expire mail every 30 days. It's kept even the over-voluminous SCO discovery stuff a lot shorter than it would have been otherwise (and yes, that's including the fact that it's gone on seemingly forever.)
> It just becomes a question of how. Yes, you can carefully construct your Email system to not retain anything but can you carefully construct your users so they don't? Can you construct your
It doesn't matter that you can't do it perfectly, it may matter simply that you don't store everything as a matter of course.
> backup system so that only the "right" data is non-transitory? Can you make your staff subpoena-proof? etc. That's where you are much more likely to have problems, not in your logging system.
That depends totally on what you do, what the opposition is trying to discover, and how vulnerable you are to fishing expeditions. If you don't log it as a matter of purpose, then it's at least mostly transitory unless it's a store-and-forward type communication. The difference between a machine record (admissible) of everything that ever went on your network and testimony can really make a difference in a lot of packet-chasing lawsuits. It's also significantly different in terms of what you might have to store, report on, be able to redact information from, etc. Go ahead, store every IM in and out of a large organization, log every sender, recipient, message, IP address, etc. Then, once you have to start dealing with every civil suit between employee and spouse, tell me how productive you're being. Once you have to produce everything every time you get a wrongful dismissal case, tell me again how productive it is, especially if someone happens to win one because some dimwit in management IM'd the wrong thing to his golf buddy. Now extend that out ten years and put it all on backup tapes and start thinking of how much work you're gonna have.

Paul

-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
http://fora.compuwar.net Infosec discussion boards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards