Re: [fw-wiz] RE: IDS (was: FW appliance comparison) - Firewalls

On 1/25/06, Paul D. Robertson wrote:
> On Wed, 25 Jan 2006, Marcus J. Ranum wrote:
> > Paul D. Robertson wrote:
> > >No, there's another reason not to collect it; Everything you collect
> > >under almost all environments is ultimately legally discoverable.
> > That's the dumbest argument against logging I've ever heard.
> It's not an argument against logging, it's an argument against logging
> everything you could ever possibly log. The delta between "I'm sorry we
> don't keep that data, it's transient" and "let us see what we have that
> matches that criteria" can be *very* costly in terms of simple people
> If you don't believe that, look at service provider lawsuits in the last
> 5-10 years, and look at how companies like Yahoo are getting away with
> being able to *charge* for civil subpoena compliance. Think they make a
> profit on that?
Where I work, I'm not sure how we could do it. We're a transactions
company, and do thousands and thousands (and more at times) a second.
Debugging from ONE of our firewalls puts us in the gigabyte-per-hour
realm. I tried turning up a syslogging system here once... it died
three hours later. Maybe I wasn't using the greatest hardware,
database and reporting software - but where do you find that sort of
thing? With that much data, and 98% of it being useless, you kind of have
to ask yourself, "what's the point?" IF we catch something it'll
probably still be too late - our IDS will have already been updated
with the new "something". I don't want to have to go to my manager and
say, "well, we spent 250k on a machine that would log every
transaction - no, sorry, PACKET - we ever passed and we still got
hacked because we didn't hire a new engineer to review the data
streaming out of the system and therefore see the new exploit in time
to shut it down. But, on the bright side, our 2k IDS system did
eventually begin blocking it from all but one customer site."
firewall-wizards mailing list
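The post above describes the practical side of the "don't log everything" argument: a firewall pushing thousands of transactions a second produces gigabytes an hour of debug output, nearly all of it permitted traffic nobody will ever read. One common middle ground between "log every packet" and "keep nothing" is to pre-filter at the collector: keep every deny verbatim (that is where the IDS-style value is) and roll permitted flows up into per-minute counts so the syslog box survives and the retained data is small enough to review. The following is an added example, not code from the thread or from any product mentioned in it; the key=value log format and the sample lines are constructed for illustration.

```python
"""
Added example (not from the original thread): a syslog pre-filter that
reduces a firewall "log everything" stream to something a collector can
keep. DENY lines are kept unchanged; ACCEPT lines are aggregated into one
summary line per minute per (src, dst, dport). The line format below is an
assumption made for this example.
"""
import re
from collections import Counter, defaultdict

# Assumed (constructed) line format:
#   "<HH:MM:SS> <ACCEPT|DENY> src=<ip> dst=<ip> dport=<port> proto=<proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) (?P<action>ACCEPT|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def parse(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def reduce_log(lines):
    """Return (kept_lines, stats).

    - DENY lines are kept verbatim, in input order.
    - Lines that fail to parse are also kept verbatim: a filter must never
      silently discard what it does not understand.
    - ACCEPT lines are rolled up into one "ACCEPT-SUMMARY ... count=N" line
      per minute per (src, dst, dport) flow, appended after the kept lines.
    """
    kept = []
    accepts = defaultdict(Counter)  # minute -> Counter keyed by (src, dst, dport)
    unparsed = 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparsed += 1
            kept.append(line)
            continue
        if rec["action"] == "DENY":
            kept.append(line)
            continue
        minute = rec["ts"][:5]
        accepts[minute][(rec["src"], rec["dst"], rec["dport"])] += 1

    for minute in sorted(accepts):
        for (src, dst, dport), n in sorted(accepts[minute].items()):
            kept.append(
                f"{minute} ACCEPT-SUMMARY src={src} dst={dst} dport={dport} count={n}"
            )
    stats = {"in": len(lines), "out": len(kept), "unparsed": unparsed}
    return kept, stats


def sample_lines():
    """Constructed sample input: two minutes of busy permitted transaction
    traffic over a handful of flows, two denied probes, and one malformed line."""
    flows = [
        ("10.1.1.5", "10.2.0.10", "443"),
        ("10.1.1.6", "10.2.0.10", "443"),
        ("10.1.1.7", "10.2.0.11", "8443"),
    ]
    lines = []
    for i in range(600):  # minute 12:00, three flows, 200 hits each
        src, dst, dport = flows[i % 3]
        lines.append(f"12:00:{i % 60:02d} ACCEPT src={src} dst={dst} dport={dport} proto=tcp")
    for i in range(400):  # minute 12:01, two flows, 200 hits each
        src, dst, dport = flows[i % 2]
        lines.append(f"12:01:{i % 60:02d} ACCEPT src={src} dst={dst} dport={dport} proto=tcp")
    lines.append("12:01:30 DENY src=203.0.113.9 dst=10.2.0.10 dport=22 proto=tcp")
    lines.append("12:01:31 DENY src=203.0.113.9 dst=10.2.0.10 dport=3389 proto=tcp")
    lines.append("garbled line from the firewall")
    return lines


if __name__ == "__main__":
    kept, stats = reduce_log(sample_lines())
    print(stats)
    for line in kept:
        print(line)
```

On the constructed sample this turns 1003 input lines into 8 kept lines (two denies, one unparsable line preserved as-is, and five per-minute flow summaries) while losing nothing that a deny-focused review would look at. The trade-off is the one the thread is arguing about: once the raw accept lines are gone they are gone, so the retention decision has to be made deliberately rather than by whichever disk fills up first.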