-----Original Message-----
Subject: Re: [fw-wiz] RE: IDS (was: FW appliance comparison)
> It's not an argument against logging, it's an argument against logging
> everything you could ever possibly log. The delta between "I'm sorry we
> don't keep that data, it's transient" and "let us see what we have that
> matches that criteria" can be *very* costly in terms of simple people time.
>
> Now put yourself in Yahoo's shoes and ask yourself how much actual
> business they'd get done if they stored everything they could possibly
> store. I guarantee you it'd be less than they get done today and it'd take
> them more people, more storage and the cost of storage for preservation
> letters alone would be pretty damn impressive.
Logging and storing are two different things. For instance, we don't
maintain backups of raw firewall logs. The logs roll over when they roll
over. But our analysis tool snarfs copies of firewall logs into a database,
creates lots of cool meta-data, and preserves the log data online for 30
days. After that, depending on what happens to it along the way, it ends up
in one of 3 possible 'storage' scenarios, the final destination for one of
which is /dev/null. Given the data source and time frame, I can tell you
whether or not I still have that data and where it's stored pretty much off
the top of my head and certainly faster than any single attorney can throw
subpoenas at me. And this is all with off-the-shelf software.
I guess where I'm going with this is that just because you don't want to
bear the expense of having to search through all of the data that you store
in the event of a subpoena doesn't mean that you don't - or can't afford to
- bear the responsibility to analyze as much data on your network as you
can.
PaulM
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Feb 01 2006
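The pipeline PaulM sketches above (copy firewall logs into a store, derive metadata, keep 30 days online, then route each record to one of three fates, one of them /dev/null, and be able to say on demand whether a given source and time window is still held and where) is modelled below. This is an added example, not PaulM's tool or any product's code: the log line format, the internal network 10.0.0.0/8, the three tier names, the tagging rules and the sample lines are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Set

ONLINE_DAYS = 30                                  # queryable online, as in the post
TIERS = ("preservation", "archive", "/dev/null")  # the three post-online fates (assumed names)
INTERNAL_NETS = [ip_network("10.0.0.0/8")]        # hypothetical inside address space

# Constructed sample lines (hypothetical format, not real traffic):
# <ISO-8601 UTC timestamp> <firewall host> <action> KEY=VALUE ...
SAMPLE_LOGS = [
    "2006-01-01T08:00:00Z fw1 DROP SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP DPT=22",
    "2006-01-01T08:00:05Z fw1 DROP SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP DPT=23",
    "2006-01-10T12:30:00Z fw1 ACCEPT SRC=10.1.2.3 DST=198.51.100.9 PROTO=TCP DPT=443",
    "2006-01-05T09:15:00Z fw2 DROP SRC=192.0.2.44 DST=198.51.100.7 PROTO=UDP DPT=53",
    "2006-01-31T23:59:00Z fw2 ACCEPT SRC=10.1.2.3 DST=198.51.100.7 PROTO=TCP DPT=25",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ACCEPT|DROP|REJECT) (?P<kv>.*)$")


@dataclass
class Record:
    ts: datetime
    host: str
    action: str
    fields: Dict[str, str]
    tags: Set[str] = field(default_factory=set)  # derived metadata
    tier: str = "online"                          # where the record currently lives


def parse_line(line: str) -> Optional[Record]:
    """Parse one raw line; malformed lines are skipped rather than guessed at."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = dict(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
    return Record(ts, m["host"], m["action"], fields)


def enrich(rec: Record) -> Record:
    """Attach metadata: traffic direction and whether it was a blocked external source."""
    src_txt = rec.fields.get("SRC")
    src = ip_address(src_txt) if src_txt else None
    internal = src is not None and any(src in net for net in INTERNAL_NETS)
    rec.tags.add("outbound" if internal else "inbound")
    if rec.action != "ACCEPT" and not internal:
        rec.tags.add("blocked-external")
    return rec


class LogStore:
    def __init__(self) -> None:
        self.records: List[Record] = []
        self.holds: Set[str] = set()  # SRC addresses named in a preservation request

    def ingest(self, lines: Iterable[str]) -> int:
        n = 0
        for line in lines:
            rec = parse_line(line)
            if rec is not None:
                self.records.append(enrich(rec))
                n += 1
        return n

    def place_hold(self, src: str) -> None:
        self.holds.add(src)

    def disposition(self, rec: Record, now: datetime) -> str:
        """Decide a record's tier: online, or one of the three fates once it ages out."""
        if now - rec.ts <= timedelta(days=ONLINE_DAYS):
            return "online"
        if rec.fields.get("SRC") in self.holds:
            return "preservation"       # held for legal process, never expires here
        if "blocked-external" in rec.tags:
            return "archive"            # worth keeping for later analysis
        return "/dev/null"              # routine traffic past 30 days is discarded

    def age_out(self, now: datetime) -> Dict[str, int]:
        """Apply the retention policy; /dev/null records are really deleted."""
        counts = {"online": 0, **{t: 0 for t in TIERS}}
        kept: List[Record] = []
        for rec in self.records:
            rec.tier = self.disposition(rec, now)
            counts[rec.tier] += 1
            if rec.tier != "/dev/null":
                kept.append(rec)
        self.records = kept
        return counts

    def locate(self, host: str, start: datetime, end: datetime) -> Dict[str, int]:
        """Answer 'do we still have logs from <host> for <window>, and where?'"""
        found: Dict[str, int] = {}
        for rec in self.records:
            if rec.host == host and start <= rec.ts <= end:
                found[rec.tier] = found.get(rec.tier, 0) + 1
        return found


def demo():
    store = LogStore()
    store.ingest(SAMPLE_LOGS)
    store.place_hold("192.0.2.44")  # a preservation letter naming that source
    now = datetime(2006, 2, 15, tzinfo=timezone.utc)
    counts = store.age_out(now)
    window = (datetime(2006, 1, 1, tzinfo=timezone.utc), datetime(2006, 2, 1, tzinfo=timezone.utc))
    return counts, store.locate("fw1", *window), store.locate("fw2", *window)
```

Run `demo()` and the second and third results are the answer the post describes: for fw1 in January the two blocked probes survive in the archive tier and the routine ACCEPT is gone; for fw2 the held source sits in preservation and the recent record is still online. The point is that the routing decision is made once, on ingest and age-out, so the "do we have it" question is a lookup rather than a search through everything ever logged.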