Firewall Wizards mailing list archives

RE: PIX Logging Analysis


From: "Paul Stewart" <pauls () nexicom net>
Date: Wed, 5 Mar 2003 15:03:46 -0500

Thanks very much. I'd love to see a copy of your configs, as I'm having
problems with 6.2 and DSL right now.  I highly agree that even with lots of
automation a human is needed, hence why we'll charge a good fee
monthly. :)  And thanks for the link to ipaudit; it sounds like what we're
looking for.

Take care,

---
Paul Stewart
Network Solutions Specialist
Nexicom Inc.
http://www.nexicom.net/
(705)932-4127 Office
(705)932-2329 Fax 

-----Original Message-----
From: Dave Rinker [mailto:firewall () dsrtech com] 
Sent: Wednesday, March 05, 2003 2:16 PM
To: firewall-wizards () honor icsalabs com
Cc: pauls () nexicom net
Subject: Re: [fw-wiz] PIX Logging Analysis

You need people to look at the logs. :)

I use ipaudit-web (http://ipaudit.sourceforge.net/ipaudit-web/)
for looking at real-time traffic, Snort for IDS behind the FW
(http://www.snort.org/), and modular syslog
(http://sourceforge.net/projects/msyslog/) to log to a MySQL server, in
addition to flat-file syslog on the server.

ipaudit is excellent; I just caught a virus flooding UDP port 137
outbound and squashed it. (Unfortunately I can't lock the host down at the
moment to prevent the user from shutting off virus protection.)

Snort is good, but you will get a lot of false alarms that, if given to your
customer, will cause panic. Which might be a good thing, but be sure to get
paid by the hour, not the job, so when they call you can charge them. :)

msyslog has worked really well to examine the logs through a PHP web
interface. This will enable you or your customer to see if ports are blocked
by source or destination and make the appropriate changes.

The flat-file syslog is good just for your own records. I rotate mine daily
and gzip them to save space, then zcat them later to view them.

You can give them all sorts of fancy interfaces, but you will still have to
have someone sort through the data. Unless I'm wrong, which I hope I am, and
someone on this list gives me/us an alternative. :)

BTW, if you need the DSL config for the PIX, post to the list and I'll cut
and paste mine, both dynamic and static configs. Cisco is also coming out
with NAT/PAT IPsec pass-through in the next version (6.3). I'm trying to
get the beta now from my rep to test it.

Best of luck to you.

On Tue, 2003-03-04 at 20:17, Paul Stewart wrote:
Hi everyone.

I'm new to the list and apologize if I'm asking a dumb question. :)

We are looking at deploying Cisco PIX 501s for some smaller customers
connected via DSL.  Their requests vary from wanting basic information
on what we are protecting them from, using a PIX, right up to one
customer who would like a real-time (or even within a few hours) listing
of what all their employees are doing on the Internet.

Hopefully someone will tell me that open-source solutions exist for
Linux. At least I can hope. At the moment I am syslogging
everything back via UDP, but what exists to analyze this data?

What is everyone using for this purpose?  We may find that we will
offer them a managed firewall solution where they receive daily email
notices on what we have done for them. I'm not sure of the best
solution and am open to ideas. :)

Thanks,

Paul Stewart


_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
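The pipeline Dave describes (PIX syslog to a flat file, rotated daily and gzip'd, then sorted through by a person) still needs something to turn raw lines into the two things this thread asks for: which ports are being blocked, by source and destination, and an inside host flooding one port outbound like the UDP/137 virus. The script below is an added example written for this archive page, not code from either poster. It assumes PIX-style messages 106023 (deny by access-group) and 302013/302015 (built TCP/UDP connection) in the field layout shown in the constructed sample lines; the exact wording differs between PIX software versions, and the flood threshold of 20 connections in 60 seconds is an arbitrary choice.

```python
"""Summarise PIX syslog: denied flows by source/destination/port and inside
hosts flooding one UDP port outbound.  Added example for this archive page;
the message layouts below are assumptions modelled on PIX 6.x syslog and
the sample lines are constructed, not captured."""
import gzip
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Syslog prefix "Mon dd hh:mm:ss host %PIX-level-id: ..." (assumed layout).
SYSLOG_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<msg>%PIX-.*)$")
# 106023: packet denied by an access-group (assumed field order).
DENY_RE = re.compile(
    r'%PIX-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst \w+:(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')
# 302013/302015: TCP/UDP connection built.  The "for" side is the outside
# peer and the "to" side the inside host, each as real/port (mapped/port).
BUILT_RE = re.compile(
    r"%PIX-\d-3020\d\d: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) "
    r"connection \d+ for \w+:(?P<oip>[\d.]+)/(?P<oport>\d+) \([\d.]+/\d+\) "
    r"to \w+:(?P<iip>[\d.]+)/(?P<iport>\d+) \([\d.]+/\d+\)")

# Constructed sample: a few denied probes, one normal web connection, then an
# inside host (10.0.0.7) opening 30 UDP/137 connections in 30 seconds.
SAMPLE_LINES = [
    'Mar  5 14:02:11 pix501 %PIX-4-106023: Deny tcp src outside:198.51.100.9/4312 '
    'dst inside:10.0.0.5/445 by access-group "outside_access_in"',
    'Mar  5 14:02:12 pix501 %PIX-4-106023: Deny tcp src outside:198.51.100.9/4313 '
    'dst inside:10.0.0.5/445 by access-group "outside_access_in"',
    'Mar  5 14:02:15 pix501 %PIX-4-106023: Deny udp src outside:203.0.113.40/1026 '
    'dst inside:10.0.0.5/1434 by access-group "outside_access_in"',
    'Mar  5 14:02:20 pix501 %PIX-6-302013: Built outbound TCP connection 1001 '
    'for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.0.0.6/1025 (198.51.100.2/1025)',
] + [
    f'Mar  5 14:03:{i:02d} pix501 %PIX-6-302015: Built outbound UDP connection {2000 + i} '
    f'for outside:192.0.2.{i + 1}/137 (192.0.2.{i + 1}/137) to inside:10.0.0.7/137 (198.51.100.2/137)'
    for i in range(30)
]


def parse_line(line):
    """Return an event dict for a deny or built message, else None."""
    m = SYSLOG_PREFIX.match(line.strip())
    if not m:
        return None
    # Daily rotation means no year in the timestamp; 1900 is fine for windows.
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    msg = m.group("msg")
    d = DENY_RE.match(msg)
    if d:
        return {"kind": "deny", "ts": ts, "proto": d["proto"].upper(),
                "src": d["sip"], "sport": int(d["sport"]),
                "dst": d["dip"], "dport": int(d["dport"]), "acl": d["acl"]}
    b = BUILT_RE.match(msg)
    if b:
        # Outbound: inside host is the source; inbound: outside peer is.
        if b["dir"] == "outbound":
            src, sport, dst, dport = b["iip"], b["iport"], b["oip"], b["oport"]
        else:
            src, sport, dst, dport = b["oip"], b["oport"], b["iip"], b["iport"]
        return {"kind": "built", "ts": ts, "dir": b["dir"], "proto": b["proto"],
                "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}
    return None


def read_log(path):
    """Yield lines from a flat syslog file, reading gzip'd rotated copies too."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        yield from fh


def summarize_denies(events):
    """Count denied flows by (proto, src, dst, dport): what is blocked, and from whom."""
    return Counter((e["proto"], e["src"], e["dst"], e["dport"])
                   for e in events if e["kind"] == "deny")


def find_port_floods(events, proto="UDP", port=137, threshold=20, window_seconds=60):
    """Return {inside_host: peak_count} for hosts that built at least `threshold`
    outbound `proto` connections to `port` inside any `window_seconds` span."""
    recent = defaultdict(deque)
    peaks = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] != "built" or e["dir"] != "outbound":
            continue
        if e["proto"] != proto or e["dport"] != port:
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()          # drop connections older than the window
        if len(q) >= threshold:
            peaks[e["src"]] = max(peaks.get(e["src"], 0), len(q))
    return peaks


def analyze(lines):
    """Parse an iterable of syslog lines into the two reports."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    return {"denies": summarize_denies(events), "floods": find_port_floods(events)}


if __name__ == "__main__":
    import sys
    report = analyze(read_log(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LINES)
    for (proto, src, dst, dport), n in report["denies"].most_common(10):
        print(f"{n:5d} denied {proto} {src} -> {dst}:{dport}")
    for host, n in report["floods"].items():
        print(f"FLOOD {host}: {n} outbound UDP/137 connections within 60 s")
```

Run it against a rotated file (`python pixlog.py /var/log/pix/messages.1.gz`) or with no argument to see the constructed sample. Keep the PIX logging level at 6 (informational) if you want the built/teardown messages that the flood check depends on; at level 4 only the denies arrive.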
