Firewall Wizards mailing list archives
Re: RE: IDS (was: FW appliance comparison)
From: Joseph S D Yao <jsdy () center osis gov>
Date: Wed, 25 Jan 2006 11:24:04 -0500
On Tue, Jan 24, 2006 at 10:49:29PM -0500, Cat Okita wrote:
> On Tue, 24 Jan 2006, Marcus J. Ranum wrote:
>> Cat Okita wrote:
>>> ... but I'm not thinking of a 'little' bit of logging. I'm thinking of "look at everything that could -possibly- be of interest".
>>
>> Isn't that what a "firewall" does?? I mean how could you call the thing a "firewall" if it did less than that? That'd be pretty lame, wouldn't it?
>
> Heh. You're right - I should have said "record everything that could possibly be of interest" (which is not what I want my firewall to do - I'd like it to record things I'm sure I care about)
>
> At any rate, I think of my IDS and my firewall as fulfilling different albeit complementary functions. I want the IDS to be an overly sensitive touchy-feely creature, while my firewall is in staunch denial, and allows only the barest minimum through to its delicate innards[0] - and this translates to the amount of logging and capture I expect out of each.
>
> From my IDS, the proverbial volumes of handwritten poorly spelled prose and poetry decorated with florid petunias, and from my firewall the single typewritten sheet.
>
> cheers!
>
> [0] I suppose that the degree to which one might use 'delicate innards' would vary according to the type of firewall - an application proxy like Gauntlet might need to be considered a rumminant...

;-) Trust the Cat to come up with the above. I like it. [Except for that last extra 'm' in "ruminant", sorry!]

ISTM that not too long ago [by my odd standards of time] a friend of mine whose initials are something like MJR was ranting that one should not bother storing log data unless one actually had something one could do with it. It sounds like this is pretty much what you are advocating for your firewall.

OTOH, if the loganalysis people are actually able to milk more out of the firewall logs than a human giving it the hairy eyeball, then the amount of interest suddenly does become exponentially larger ...

[What, try to pun off the metaphor? Me? Don't have a cow.]

--
Joe Yao
-----------------------------------------------------------------------
This message is not an official statement of OSIS Center policies.