On Tue, Jan 24, 2006 at 10:49:29PM -0500, Cat Okita wrote:
> On Tue, 24 Jan 2006, Marcus J. Ranum wrote:
> >Cat Okita wrote:
> >>... but I'm not thinking of a 'little' bit of logging. I'm thinking of
> >>"look at everything that could -possibly- be of interest".

> >
> >Isn't that what a "firewall" does?? I mean how could you call
> >the thing a "firewall" if it did less than that? That'd be pretty
> >lame, wouldn't it?

>
> Heh. You're right - I should have said "record everything that could
> possibly be of interest" (which is not what I want my firewall to do -
> I'd like it to record things I'm sure I care about)
>
> At any rate, I think of my IDS and my firewall as fufilling different
> albeit complimentary functions. I want the IDS to be an overly sensitive
> touchy-feely creature, while my firewall is in staunch denial, and
> allows only the barest minimum through to its delicate innards[0] - and
> this translates to the amount of logging and capture I expect out of
> each.
>
> >From my IDS, the proverbial volumes of handwritten poorly spelled prose

> and poetry decorated with florid petunias, and from my firewall the single
> typewritten sheet.
>
> cheers!
> [0] I suppose that the degree to which one might use 'delicate innards'
> would vary according to the type of firewall - an application proxy
> like Gaunlet might need to be considered a rumminant...



;-) Trust the Cat to come up with the above. I like it. [Except for
that last extra 'm' in "ruminant", sorry!]

ISTM that not too long ago [by my odd standards of time] a friend of
mine whose initials are something like MJR was ranting that one should
not bother storing log data unless one actually had something one could
do with it. It sounds like this is pretty much what you are advocating
for your firewall.

OTOH, if the loganalysis people are actually able to milk more out of
the firewall logs than a human giving it the hairy eyeball, then the
amount of interest suddenly does become exponentially larger ...

[What, try to pun off the metaphor? Me? Don't have a cow.]


--
Joe Yao
-----------------------------------------------------------------------
This message is not an official statement of OSIS Center policies.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards