Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos

Firewall Wizards: Re: NetScreen Logging with NSRP

Re: NetScreen Logging with NSRP

From: Avishai Wool <yash_at_acm.org>
Date: Wed, 26 Mar 2008 22:58:41 +0200

Kerry,

one thing you could consider is an "offline audit" using something
like the AlgoSec Firewall Analyzer (www.algosec.com) . it works off
the policy files so it doesn't require any loggiing - although if logs are
turned on then that info is used as well. You can do a _lot_ of cleanup,
and also a lot of security tightening, based on static analysis that doesn't
rely on usage data.

also - I'm not sure what firewall brand you have, but if it's a Cisco then
you can get all the usage information, at least since the last reboot,
from the output of "show access-list" from the "hitcnt" field - and this
works even if logging is completely off.

as to your idea of putting logging on the backup: I don't see how that will help
much. you'll only get logs from the few packets that the backup sees, no?
so unless you force a failover you won't see much logs, and if you do force
the failover I assume the backup CPU will spike to at least 80% too...

HTH,
  Avishai

Disclaimer: I created what is now the AlgoSec Firewall Analyzer, starting from
work in Bell Labs in the late 1990's, so I am biased...

On 3/26/08, Kerry Milestone <km4_at_sanger.ac.uk> wrote:
> Hello,
>
> I am looking at doing an audit of the policies installed on a HA
> passive/active firewall setup with NSRP. The primary is running at
> about 80% CPU or so, the backup is about 5%. As such, I am a bit
> hesitant (to say the least) about putting policy logging on as it may
> kill the firewall.
>
> Is it possible somehow to have logging on just the redundant firewall?
> My other, perhaps long way of doing this is to convert the current
> policies and, say, parse into snort rules and observe through a port tap
> - the number of 'positive' hits on the IDS.
>
> Does anyone have any other suggestions as to how to achieve what I want
> to do?
>
> Many thanks,
> Kerry Milestone
>
>
> --
> Kerry Milestone
>
> Senior Systems Engineer - Network Project Team
> The Wellcome Trust Sanger Institute
> Wellcome Trust Genome Campus Email: km4_at_sanger.ac.uk
> Hinxton, Cambridge CB10 1SD Phone: (+44) 1223 492320
> United Kingdom
>
>
>
>
> --
> The Wellcome Trust Sanger Institute is operated by Genome Research
> Limited, a charity registered in England with number 1021457 and a
> company registered in England with number 2742969, whose registered
> office is 215 Euston Road, London, NW1 2BE.
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards_at_listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> 

-- 
Avishai Wool, Ph.D.,  Co-founder and Chief Technical Officer
               http://www.algosec.com
******* Firewall Management Made Smarter ******
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Mar 26 2008
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]