Firewall Wizards mailing list archives
Re: NetScreen Logging with NSRP
From: "Avishai Wool" <yash () acm org>
Date: Wed, 26 Mar 2008 22:58:41 +0200
Kerry, one thing you could consider is an "offline audit" using something like the AlgoSec Firewall Analyzer (www.algosec.com). It works off the policy files so it doesn't require any logging - although if logs are turned on then that info is used as well. You can do a _lot_ of cleanup, and also a lot of security tightening, based on static analysis that doesn't rely on usage data.

Also - I'm not sure what firewall brand you have, but if it's a Cisco then you can get all the usage information, at least since the last reboot, from the output of "show access-list" from the "hitcnt" field - and this works even if logging is completely off.

As to your idea of putting logging on the backup: I don't see how that will help much. You'll only get logs from the few packets that the backup sees, no? So unless you force a failover you won't see many logs, and if you do force the failover I assume the backup CPU will spike to at least 80% too...

HTH,
Avishai

Disclaimer: I created what is now the AlgoSec Firewall Analyzer, starting from work in Bell Labs in the late 1990's, so I am biased...

On 3/26/08, Kerry Milestone <km4 () sanger ac uk> wrote:
Hello,

I am looking at doing an audit of the policies installed on a HA passive/active firewall setup with NSRP. The primary is running at about 80% CPU or so, the backup is about 5%. As such, I am a bit hesitant (to say the least) about putting policy logging on as it may kill the firewall. Is it possible somehow to have logging on just the redundant firewall?

My other, perhaps long, way of doing this is to convert the current policies and, say, parse into snort rules and observe through a port tap the number of 'positive' hits on the IDS.

Does anyone have any other suggestions as to how to achieve what I want to do?

Many thanks,
Kerry Milestone

--
Kerry Milestone
Senior Systems Engineer - Network Project Team
The Wellcome Trust Sanger Institute
Wellcome Trust Genome Campus
Hinxton, Cambridge CB10 1SD
United Kingdom
Email: km4 () sanger ac uk
Phone: (+44) 1223 492320

--
The Wellcome Trust Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is 215 Euston Road, London, NW1 2BE.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
--
Avishai Wool, Ph.D., Co-founder and Chief Technical Officer
http://www.algosec.com
******* Firewall Management Made Smarter ******
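The "hitcnt" approach Avishai describes above (usage counters from "show access-list", available without turning policy logging on) is easy to turn into an offline cleanup report. The following is an added example, not code from the thread or from AlgoSec: it parses Cisco ASA/PIX-style "show access-list" output and lists the entries that have never matched since the counters were last reset. The sample output is constructed for illustration (addresses are documentation ranges, the hex tags are made up), and the line layout is the ASA format as I know it; adjust the regex if your platform prints counters differently (IOS, for instance, prints "(N matches)").

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the style of Cisco ASA/PIX "show access-list" output.
# Not captured from a real device; the "(hitcnt=N)" field is the one the thread
# refers to, and the trailing hex tags are illustrative placeholders.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list outside_in; 4 elements; name hash: 0x12345678
access-list outside_in line 1 extended permit tcp any host 192.0.2.10 eq www (hitcnt=48213) 0x1a2b3c4d
access-list outside_in line 2 extended permit tcp any host 192.0.2.11 eq ftp (hitcnt=0) 0x2b3c4d5e
access-list outside_in line 3 extended permit ip 198.51.100.0 255.255.255.0 any (hitcnt=0) 0x3c4d5e6f
access-list outside_in line 4 extended deny ip any any log (hitcnt=9931) 0x4d5e6f70
"""

# One access-control entry per line: ACL name, line number, the rule body, and
# the hit counter. Summary lines ("...; 4 elements; ...") do not match.
ENTRY_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<body>.+?) \(hitcnt=(?P<hits>\d+)\)"
)
ACTION_RE = re.compile(r"\b(permit|deny)\b")


@dataclass
class AclEntry:
    acl: str
    line: int
    action: str
    body: str
    hits: int


def parse_show_access_list(text: str) -> List[AclEntry]:
    """Extract an AclEntry for every ACE line that carries a hitcnt field."""
    entries: List[AclEntry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        action_match = ACTION_RE.search(body)
        action = action_match.group(1) if action_match else "unknown"
        entries.append(
            AclEntry(m.group("acl"), int(m.group("line")), action, body, int(m.group("hits")))
        )
    return entries


def unused_entries(entries: List[AclEntry], min_hits: int = 1) -> List[AclEntry]:
    """Entries whose counter is below min_hits (default: never matched)."""
    return [e for e in entries if e.hits < min_hits]


def unused_permits(entries: List[AclEntry]) -> List[AclEntry]:
    """Permit rules with zero hits: the cleanup candidates that also tighten the
    policy when removed, since each one is an open door nothing is using."""
    return [e for e in unused_entries(entries) if e.action == "permit"]


def report(text: str) -> str:
    """Human-readable summary of zero-hit permits for a given show output."""
    entries = parse_show_access_list(text)
    lines = [f"{len(entries)} entries parsed, {len(unused_entries(entries))} with zero hits"]
    for e in unused_permits(entries):
        lines.append(f"  {e.acl} line {e.line}: {e.body}  (hitcnt=0) -> review for removal")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SHOW_ACCESS_LIST))
```

As Avishai notes, the counters only cover the period since the last reboot (or since they were cleared), so a zero-hit entry on a box that came up last week is not evidence that the rule is dead; check uptime before acting on the list, and treat the output as a review queue rather than a delete list.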