Re: Does anyone on the list have experience with firewall log analyzers to monitor firewall...


Re: Does anyone on the list have experience with firewall log analyzers to monitor firewall...

by jacobsladder


Subject: Does anyone on the list have experience with firewall log analyzers to monitor firewall bandwidth and service utilization.

-----------------------------------------------

Date: Thu, 19 Apr 2007 05:18:20 -0500
From: "Tim Eberhard" <xmin0s@...>
Subject: Re: [nn] Does anyone on the list have experience with these
        firewall log analyzer programs?
To: "Jacob, Raymond A Jr" <raymond.jacob@...>
Cc: nn@...
Message-ID:
        <2c52b84e0704190318h46037839udd1d8f39fa01e868@...>
Content-Type: text/plain; charset="iso-8859-1"

What are you looking to solve? What kind of information are you looking
to gather?
>>I need to know how much traffic each service uses.
>>I need to know what hosts use a particular service.
>>I need to know how much traffic hosts use for a service.
>>i.e. for http: host-a tx/rx 100MB/day while host-b tx/rx 5MB/day.
>> I would like that information in a bar graph.
>>I need to know what hosts and ports were denied access by the firewall.
>>I need a graph of traffic over a period of days, weeks, months
>>for all traffic, for hosts, and for services.
>>I need to know how much traffic (bandwidth), services (ports), and hosts
>>are used per VPN.
>>I need to know what web sites are accessed.
>>I need to know what DNS queries were made by the users.

>>Thank you,
>>raymond
_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn

Re: Does anyone on the list have experience with firewall log analyzers to monitor firewall...

by Tim E


I think what you're looking to do here will require a few programs.

1) A logging analyzer (for the completed connections)
 There are a few free ones; I would suggest giving them a shot. I personally haven't used any of them.

2) A traffic SNMP monitor
 Personally I use Cacti for this; however, there are many different SNMP monitors. This will only give you a general view of traffic on each interface, not per policy hit.

3) Perhaps a real-time session analyzer (during attacks, high traffic, etc.)
 I wrote a program called NSSA (Netscreen Session Analyzer). This basically reports on a live session table that you download by hand and gives you such information as connections/ports/source/dest, etc. This is public and free.

On the other side, it would be a lot easier to use a Network General Sniffer-type application. These do everything you request (short of policy denies/allows on the firewall) at a network level.

This is a general overview of the options I think are viable. If you have any questions or want to talk about them in depth, feel free to ask :)

Tim Eberhard

_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn
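As an added example (not code from this thread, nor from NSSA or any of the analyzers mentioned), here is a small Python log analyzer for the "completed connections" item in Tim's reply: it parses constructed lines written in the style of a NetScreen syslog traffic log (field names and all values are assumed, not taken from a real device) and totals bytes per service, bytes per source host per service, and which source host / destination port pairs the firewall denied, which covers most of the questions in Raymond's list.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of a NetScreen syslog traffic log.
# The key=value layout is assumed; hosts, ports and byte counts are made up.
SAMPLE_LOG = """\
NetScreen device_id=fw1 [Root]system-notification-00257(traffic): start_time="2007-04-19 05:10:01" duration=12 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=2000 rcvd=98000 src=10.1.1.5 dst=192.0.2.10 src_port=3456 dst_port=80
NetScreen device_id=fw1 [Root]system-notification-00257(traffic): start_time="2007-04-19 05:11:07" duration=3 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=500 rcvd=4500 src=10.1.1.6 dst=192.0.2.11 src_port=3457 dst_port=80
NetScreen device_id=fw1 [Root]system-notification-00257(traffic): start_time="2007-04-19 05:12:30" duration=1 policy_id=2 service=dns proto=17 src zone=Trust dst zone=Untrust action=Permit sent=60 rcvd=120 src=10.1.1.5 dst=192.0.2.53 src_port=5000 dst_port=53
NetScreen device_id=fw1 [Root]system-notification-00257(traffic): start_time="2007-04-19 05:13:45" duration=0 policy_id=99 service=telnet proto=6 src zone=Untrust dst zone=Trust action=Deny sent=0 rcvd=0 src=198.51.100.7 dst=10.1.1.5 src_port=40000 dst_port=23
"""

# key=value pairs; quoted values (start_time) may contain spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Return a dict of the key=value fields of one traffic log line."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    for key in ("sent", "rcvd", "dst_port"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields

def summarize(log_text):
    """Aggregate bytes per service, bytes per (service, source host),
    and the set of (source host, destination port) pairs that were denied."""
    per_service = defaultdict(int)
    per_host = defaultdict(int)
    denied = set()
    for line in log_text.splitlines():
        if "(traffic)" not in line:
            continue  # ignore non-traffic events (admin logins, etc.)
        f = parse_line(line)
        if f.get("action") == "Deny":
            denied.add((f["src"], f["dst_port"]))
            continue
        total = f["sent"] + f["rcvd"]  # tx + rx of the completed session
        per_service[f["service"]] += total
        per_host[(f["service"], f["src"])] += total
    return dict(per_service), dict(per_host), denied

if __name__ == "__main__":
    svc, hosts, denied = summarize(SAMPLE_LOG)
    for service, total in sorted(svc.items(), key=lambda kv: -kv[1]):
        print(f"{service:8s} {total:>10d} bytes")
    for (service, host), total in sorted(hosts.items()):
        print(f"{service:8s} {host:16s} {total:>10d} bytes")
    print("denied:", sorted(denied))
```

Feeding the per-host totals into a plotting tool gives the bar graph Raymond asked for; the per-day and per-week views only need the `start_time` field added to the aggregation key.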