Firewall Wizards mailing list archives
Re: RE: IDS (was: FW appliance comparison)
From: Brian Loe <knobdy () gmail com>
Date: Wed, 25 Jan 2006 09:54:31 -0600
On 1/25/06, Paul D. Robertson <paul () compuwar net> wrote:
> On Wed, 25 Jan 2006, Marcus J. Ranum wrote:
> > Paul D. Robertson wrote:
> > > No, there's another reason not to collect it; Everything you collect under almost all environments is ultimately legally discoverable.
> >
> > That's the dumbest argument against logging I've ever heard. :(
>
> It's not an argument against logging, it's an argument against logging everything you could ever possibly log. The delta between "I'm sorry we don't keep that data, it's transient" and "let us see what we have that matches that criteria" can be *very* costly in terms of simple people time. If you don't believe that, look at service provider lawsuits in the last 5-10 years, and look at how companies like Yahoo are getting away with being able to *charge* for civil subpoena compliance. Think they make a profit on that?
Where I work, I'm not sure how we could do it. We're a transactions company, and do thousands and thousands (and more at times) a second. Debugging from ONE of our firewalls puts us in the gigabyte-per-hour realm. I tried turning up a syslogging system here once... it died three hours later. Maybe I wasn't using the greatest hardware, database and reporting software - but where do you find that sort of thing? With that much data, and 98% of it being useless, you kind of have to ask yourself, "what's the point?" IF we catch something it'll probably still be too late - our IDS will have already been updated with the new "something". I don't want to have to go to my manager and say, "well, we spent 250k on a machine that would log every transaction - no, sorry, PACKET - we ever passed and we still got hacked because we didn't hire a new engineer to review the data streaming out of the system and therefore see the new exploit in time to shut it down. But, on the bright side, our 2k IDS system did eventually begin blocking it from all but one customer site."
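The gigabyte-per-hour problem above is partly a question of what is forwarded to the collector in the first place. As an added example, not code from any poster or from the firewall-wizards list, here is a small Python aggregator that collapses repeated identical firewall events seen within a time window into one counted record. The log format, the field names and the sample lines are constructed for illustration and do not correspond to any real firewall's syntax; lines are assumed to arrive in timestamp order.

```python
import re
from datetime import datetime

# Constructed log format (hypothetical, not any real firewall's syntax): one event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample input: a burst of identical drops, two accepts, one late drop
# that falls outside the aggregation window, and one line that does not parse.
SAMPLE_LINES = [
    "2006-01-25T09:00:00 DROP src=10.0.0.5 dst=192.0.2.10 dport=445 proto=tcp",
    "2006-01-25T09:00:01 DROP src=10.0.0.5 dst=192.0.2.10 dport=445 proto=tcp",
    "2006-01-25T09:00:02 DROP src=10.0.0.5 dst=192.0.2.10 dport=445 proto=tcp",
    "2006-01-25T09:00:03 ACCEPT src=10.0.0.7 dst=192.0.2.20 dport=443 proto=tcp",
    "2006-01-25T09:00:04 DROP src=10.0.0.5 dst=192.0.2.10 dport=445 proto=tcp",
    "2006-01-25T09:00:05 ACCEPT src=10.0.0.7 dst=192.0.2.20 dport=443 proto=tcp",
    "2006-01-25T09:02:00 DROP src=10.0.0.5 dst=192.0.2.10 dport=445 proto=tcp",
    "this line is deliberately malformed and must be counted, not lost",
]


def parse_line(line):
    """Return a dict for a well-formed line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev


def _record(key, bucket):
    """Turn an open bucket into the single summary record that replaces its raw lines."""
    action, src, dst, dport, proto = key
    return {
        "action": action, "src": src, "dst": dst, "dport": dport, "proto": proto,
        "first": bucket["first"].isoformat(), "last": bucket["last"].isoformat(),
        "count": bucket["count"],
    }


def aggregate(lines, window_seconds=60):
    """Collapse repeats of the same (action, src, dst, dport, proto) tuple that fall
    within window_seconds of the bucket's first event into one counted record.

    Returns (records, stats). Unparsed lines are counted rather than silently
    dropped, so an upstream format change shows up in the stats instead of as
    a quiet drop in volume that looks like good news."""
    buckets = {}
    records = []
    stats = {"lines": 0, "parsed": 0, "unparsed": 0, "records": 0}
    for line in lines:
        stats["lines"] += 1
        ev = parse_line(line)
        if ev is None:
            stats["unparsed"] += 1
            continue
        stats["parsed"] += 1
        key = (ev["action"], ev["src"], ev["dst"], ev["dport"], ev["proto"])
        bucket = buckets.get(key)
        if bucket is not None and (ev["ts"] - bucket["first"]).total_seconds() < window_seconds:
            bucket["count"] += 1
            bucket["last"] = ev["ts"]
            continue
        if bucket is not None:
            # Window expired for this key: emit the summary and start a fresh bucket.
            records.append(_record(key, bucket))
        buckets[key] = {"first": ev["ts"], "last": ev["ts"], "count": 1}
    for key, bucket in buckets.items():
        # Flush whatever is still open at end of input.
        records.append(_record(key, bucket))
    stats["records"] = len(records)
    return records, stats


if __name__ == "__main__":
    recs, st = aggregate(SAMPLE_LINES)
    for r in recs:
        print(f"{r['first']} {r['action']} {r['src']}->{r['dst']}:{r['dport']}/{r['proto']} x{r['count']}")
    print(st)
```

On the constructed input, eight lines become three records. The trade-off is exactly the one the thread is arguing about: the summary keeps which source hit which service how often and when, but the per-packet detail is gone, so the window and the key fields have to be chosen against what an investigator would actually need to reconstruct later.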