Firewall Wizards mailing list archives

Re: NetScreen Logging with NSRP


From: "Avishai Wool" <yash () acm org>
Date: Wed, 26 Mar 2008 22:58:41 +0200

Kerry,

one thing you could consider is an "offline audit" using something
like the AlgoSec Firewall Analyzer (www.algosec.com). it works off
the policy files so it doesn't require any logging - although if logs are
turned on then that info is used as well. You can do a _lot_ of cleanup,
and also a lot of security tightening, based on static analysis that doesn't
rely on usage data.

also - I'm not sure what firewall brand you have, but if it's a Cisco then
you can get all the usage information, at least since the last reboot,
from the output of "show access-list" from the "hitcnt" field - and this
works even if logging is completely off.

as to your idea of putting logging on the backup: I don't see how that will help
much. you'll only get logs from the few packets that the backup sees, no?
so unless you force a failover you won't see many logs, and if you do force
the failover I assume the backup CPU will spike to at least 80% too...

HTH,
  Avishai

Disclaimer: I created what is now the AlgoSec Firewall Analyzer, starting from
work in Bell Labs in the late 1990's, so I am biased...


On 3/26/08, Kerry Milestone <km4 () sanger ac uk> wrote:
Hello,

I am looking at doing an audit of the policies installed on a HA
passive/active firewall setup with NSRP.  The primary is running at
about 80% CPU or so, the backup is about 5%.  As such, I am a bit
hesitant (to say the least) about putting policy logging on as it may
kill the firewall.

Is it possible somehow to have logging on just the redundant firewall?
My other, perhaps long way of doing this is to convert the current
policies and, say, parse into snort rules and observe through a port tap
- the number of 'positive' hits on the IDS.

Does anyone have any other suggestions as to how to achieve what I want
to do?

Many thanks,
Kerry Milestone


--
Kerry Milestone

Senior Systems Engineer - Network Project Team
The Wellcome Trust Sanger Institute
Wellcome Trust Genome Campus                 Email: km4 () sanger ac uk
Hinxton, Cambridge CB10 1SD                  Phone: (+44) 1223 492320
United Kingdom




--
 The Wellcome Trust Sanger Institute is operated by Genome Research
 Limited, a charity registered in England with number 1021457 and a
 company registered in England with number 2742969, whose registered
 office is 215 Euston Road, London, NW1 2BE.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



-- 
Avishai Wool, Ph.D.,  Co-founder and Chief Technical Officer
               http://www.algosec.com
******* Firewall Management Made Smarter ******
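The "hitcnt" approach from the reply, as an added example that is not part of the thread: a small Python parser over constructed ASA/PIX-style "show access-list" output that extracts the per-entry hit counter and lists zero-hit entries as cleanup candidates. The ACL name, addresses and counts are constructed sample data, and the regex assumes the "(hitcnt=N)" field format shown in the sample.

```python
import re
from dataclasses import dataclass

# Constructed sample in the ASA/PIX "show access-list" style; not captured
# from a real device. Every ACE line ends in "(hitcnt=N)" plus a hash.
SAMPLE = """\
access-list OUTSIDE-IN; 4 elements; name hash: 0x12345678
access-list OUTSIDE-IN line 1 extended permit tcp any host 192.0.2.10 eq https (hitcnt=152300) 0x1a2b3c4d
access-list OUTSIDE-IN line 2 extended permit tcp any host 192.0.2.10 eq www (hitcnt=87) 0x2b3c4d5e
access-list OUTSIDE-IN line 3 extended permit udp any host 192.0.2.20 eq ntp (hitcnt=0) 0x3c4d5e6f
access-list OUTSIDE-IN line 4 extended deny ip any any log (hitcnt=12) 0x4d5e6f70
"""

ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<rule>.*?) \(hitcnt=(?P<hits>\d+)\)"
)


@dataclass
class Ace:
    acl: str
    line: int
    rule: str
    hits: int


def parse_hitcounts(text: str) -> list[Ace]:
    """One Ace per entry carrying a hitcnt; summary lines without one are skipped."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            aces.append(Ace(m["acl"], int(m["line"]), m["rule"], int(m["hits"])))
    return aces


def unused_rules(aces: list[Ace]) -> list[Ace]:
    """Entries with zero hits: cleanup candidates. Counters only cover the period
    since the last reboot or counter clear, so zero means 'unused during that
    window', not 'never needed' (rare but legitimate flows still need review)."""
    return [a for a in aces if a.hits == 0]


def by_traffic(aces: list[Ace]) -> list[Ace]:
    """Busiest entries first; on a CPU-bound box, moving these up the ACL saves
    per-packet evaluation, provided the reorder does not change what is matched."""
    return sorted(aces, key=lambda a: a.hits, reverse=True)


if __name__ == "__main__":
    entries = parse_hitcounts(SAMPLE)
    for a in unused_rules(entries):
        print(f"{a.acl} line {a.line}: no hits -> review: {a.rule}")
```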

