Firewall Wizards mailing list archives

RE: RE: IDS (was: FW appliance comparison)
From: "Paul Melson" <pmelson () gmail com>
Date: Wed, 25 Jan 2006 16:39:46 -0500

-----Original Message-----
Subject: Re: [fw-wiz] RE: IDS (was: FW appliance comparison)

It's not an argument against logging, it's an argument against logging everything you could ever possibly log.  The delta between "I'm sorry we don't keep that data, it's transient" and "let us see what we have that matches that criteria" can be *very* costly in terms of simple people time.

Now put yourself in Yahoo's shoes and ask yourself how much actual business they'd get done if they stored everything they could possibly store.  I guarantee you it'd be less than they get done today and it'd take them more people, more storage and the cost of storage for preservation letters alone would be pretty damn impressive.

Logging and storing are two different things.  For instance, we don't
maintain backups of raw firewall logs.  The logs roll over when they roll
over.  But our analysis tool snarfs copies of firewall logs into a database,
creates lots of cool meta-data, and preserves the log data online for 30
days.  After that, depending on what happens to it along the way, it ends up
in one of 3 possible 'storage' scenarios, the final destination for one of
which is /dev/null.  Given the data source and time frame, I can tell you
whether or not I still have that data and where it's stored pretty much off
the top of my head and certainly faster than any single attorney can throw
subpoenas at me.  And this is all with off-the-shelf software.

I guess where I'm going with this is that just because you don't want to
bear the expense of having to search through all of the data that you store
in the event of a subpoena doesn't mean that you don't - or can't afford to
- bear the responsibility to analyze as much data on your network as you


firewall-wizards mailing list
firewall-wizards () honor icsalabs com
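As an added illustration of the workflow Paul's reply describes (raw logs roll over, an analysis tool copies them into a database, derives metadata, keeps the data online for 30 days, then routes each batch to one of three storage outcomes, the last being /dev/null), here is a small Python sketch. It is not code from this thread or from any tool mentioned in it. The log line format, the sample lines, the "flag a batch for longer retention if it contains a drop on a privileged port" rule, the one-year archive window and the tier names are all assumptions made for the example; only the 30-day online window comes from the post.

```python
"""Added example: firewall log ingest, metadata, and retention tiering.
Modelled on the workflow described in the list reply; everything beyond the
30-day online window is an assumption for illustration."""
import re
import sqlite3
from datetime import date

# Constructed sample log lines in an assumed iptables/syslog-like shape (not real data).
SAMPLE_LOGS = [
    "2006-01-01T10:00:00 fw1 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22",
    "2006-01-01T10:00:05 fw1 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=23",
    "2006-01-01T10:00:09 fw1 ACCEPT SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443",
    "2006-01-20T08:30:00 fw2 DROP SRC=203.0.113.9 DST=192.0.2.20 PROTO=UDP DPT=5000",
    "this line is deliberately unparseable",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ACCEPT|DROP) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)

ONLINE_DAYS = 30     # from the post: log data stays online for 30 days
ARCHIVE_DAYS = 365   # assumption: flagged batches are archived for a year


def parse_line(line):
    """Parse one raw line; return None for lines that do not match (they are counted, not hidden)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    rec["day"] = rec["ts"][:10]  # batch key: calendar day of the event
    return rec


def ingest(lines, conn):
    """Copy raw lines into the database and derive per-(day, host) batch metadata.
    Returns the number of lines that could not be parsed."""
    conn.execute("CREATE TABLE IF NOT EXISTS events "
                 "(day TEXT, host TEXT, action TEXT, src TEXT, dst TEXT, proto TEXT, dpt INTEGER)")
    conn.execute("CREATE TABLE IF NOT EXISTS batches "
                 "(day TEXT, host TEXT, events INTEGER, drops INTEGER, flagged INTEGER, "
                 "PRIMARY KEY (day, host))")
    bad = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            bad += 1
            continue
        conn.execute("INSERT INTO events VALUES (?,?,?,?,?,?,?)",
                     (rec["day"], rec["host"], rec["action"], rec["src"],
                      rec["dst"], rec["proto"], rec["dpt"]))
    # Metadata: one batch per (day, host). Assumed rule: a batch that contains a DROP
    # aimed at a privileged port (< 1024) is flagged for longer retention.
    conn.execute("""INSERT OR REPLACE INTO batches
                    SELECT day, host, COUNT(*), SUM(action = 'DROP'),
                           MAX(action = 'DROP' AND dpt < 1024)
                    FROM events GROUP BY day, host""")
    conn.commit()
    return bad


def build_store(lines=SAMPLE_LOGS):
    """Build an in-memory store from the sample lines; returns (connection, unparsed_count)."""
    conn = sqlite3.connect(":memory:")
    return conn, ingest(lines, conn)


def batch_summary(conn):
    """Return {(day, host): (events, drops, flagged)} for every batch."""
    rows = conn.execute("SELECT day, host, events, drops, flagged FROM batches").fetchall()
    return {(d, h): (e, dr, bool(f)) for d, h, e, dr, f in rows}


def tier_for(batch_day, flagged, today):
    """Where a batch lives on a given date: online, archive, or gone (/dev/null)."""
    age = (today - date.fromisoformat(batch_day)).days
    if age <= ONLINE_DAYS:
        return "online"
    if flagged and age <= ARCHIVE_DAYS:
        return "archive"
    return "/dev/null"


def where_is(conn, host, day, today):
    """Answer 'do we still have that data, and where?' for a source and a day."""
    row = conn.execute("SELECT flagged FROM batches WHERE host = ? AND day = ?",
                       (host, day)).fetchone()
    if row is None:
        return "never collected"
    return tier_for(day, bool(row[0]), today)


if __name__ == "__main__":
    conn, bad = build_store()
    print("unparsed lines:", bad)
    for key, meta in sorted(batch_summary(conn).items()):
        print(key, meta)
    print(where_is(conn, "fw1", "2006-01-01", date(2006, 3, 1)))
```

The point of the `batches` table is the one Paul makes: the answer to "do you still have it, and where?" comes from small per-batch metadata, not from searching the raw logs, so the question can be answered cheaply even after the raw data has rolled over.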
