Re: [nn] Does anyone on the list have experience with firewall log analy

To:	"Jacob, Raymond A Jr" <raymond.jacob@navy.mil>
Subject:	Re: [nn] Does anyone on the list have experience with firewall log analyzers to monitor firewall...
From:	"Tim Eberhard" <xmin0s@gmail.com>
Date:	Thu, 19 Apr 2007 14:25:53 -0500
Cc:	nn@qorbit.net
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	ns-list2@consult.net
Delivered-to:	nn@qorbit.net
Dkim-signature:	a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=ehQkoM49lUuqjhmDk2GG3hoAPIwdZimQlWdrAY2uCmnq7XTcHNjbTJv4NwpWE3rAOEy+cmY4uFYqNxJ+tt9nTFsC/nURZVtDFsDhV08t7H/6tmCpCeBvmK8diY4/4vp1UsjbzsgXFO+R9PWhM3+LPfGEtMld2U8KrFXnQX1Rrvs=
Domainkey-signature:	a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=qhOa40fG2lw3W6g8rye/skee9nS11xqF+HehpPnUeUEbqlESqWLuX9yJ94HDKYb7BPPrAMxxMgq+QhsQ+UxVemW4SqOwdTEWKLvPlrTryX3cW52/ZlLE/RlHsB2dJCA+zRQMyZ/l5j1xzXn+2dJcS5we/+qQMP5NDVdgNAlXSo4=
In-reply-to:	<D95A0509A7959748B5A5016CF67E00320680FCCF@NAEACHRLEX01VA.nadsusea.nads.navy.mil>
List-archive:	<http://www.qorbit.net/nn>
List-help:	<mailto:nn-request@qorbit.net?subject=help>
List-id:	"Netscreen mailing list for netscreen admins." <nn.qorbit.net>
List-post:	<mailto:nn@qorbit.net>
List-subscribe:	<http://qorbit.net/mailman/listinfo/nn>, <mailto:nn-request@qorbit.net?subject=subscribe>
List-unsubscribe:	<http://qorbit.net/mailman/listinfo/nn>, <mailto:nn-request@qorbit.net?subject=unsubscribe>
References:	<mailman.51.1177000538.239.nn@qorbit.net> <D95A0509A7959748B5A5016CF67E00320680FCCF@NAEACHRLEX01VA.nadsusea.nads.navy.mil>
Sender:	nn-bounces@qorbit.net

I think what you're looking to do here will require a few programs.

1) A logging analyzer (for the completed connections)
There are a few free ones, I would suggest giving them a shot. I personally haven't used any of them.

2) A traffic snmp monitor
Personally I use Cacti for this, however there are many various snmp monitors. This will only give you a general view of traffic on each interface, not on a per policy hit.

3) Perhaps a real time session analyzer (during attacks, high traffic, etc.)
I wrote a program called NSSA (Netscreen Session Analyzer) This basically reports on a live session table that you download by hand and gives you such information as connections/ports/source/dest/ etc.. This is public and free.

On the other side, it would be a lot easier to use a Network General Sniffer type application. These do everything you request (short of policy denies/allows on the firewall) at a network level.

This is a general overview of the options I think are viable. If you have any questions or want to talk about them in depth feel free to ask :)

Tim Eberhard

On 4/19/07, Jacob, Raymond A Jr <raymond.jacob@navy.mil> wrote:

Subject:  Does anyone on the list have experience with  firewall log
analyzers to monitor firewall bandwidth and service utilization.

-----------------------------------------------

Date: Thu, 19 Apr 2007 05:18:20 -0500
From: "Tim Eberhard" <xmin0s@gmail.com>
Subject: Re: [nn] Does anyone on the list have experience with these
        firewall log analyzer programs?
To: "Jacob, Raymond A Jr" < raymond.jacob@navy.mil>
Cc: nn@qorbit.net
Message-ID:
        <2c52b84e0704190318h46037839udd1d8f39fa01e868@mail.gmail.com"> 2c52b84e0704190318h46037839udd1d8f39fa01e868@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

What are you looking to solve? What kind of information are you looking
to
gather?
>>I need to know how much traffic each service uses.
>>I need to know what hosts use a particular service.
>>I need to know how much traffic hosts use for a service.
>>i.e. for http: host-a tx/rx 100MB/day while host-b tx/rx 5MB/day.
>>      I would like that information in a bar graph.
>>I need to know what hosts and ports were denied access by the
firewall.
>>I need to know the a graph of traffic over a period of days,weeks,
months
>>for all traffic, for hosts, and for services.
>>I need to know how much traffic(bandwidth), services(ports), and hosts
>>are used per VPN.
>>I need to know what web sites are accessed.
>>I need to know what dns queries were made by the users.

>>Thank you,
>>raymond
_______________________________________________
nn mailing list
nn@qorbit.net
http://qorbit.net/mailman/listinfo/nn

_______________________________________________
nn mailing list
nn@qorbit.net
http://qorbit.net/mailman/listinfo/nn

<Prev in Thread]	Current Thread	[Next in Thread>
Re: [nn] Does anyone on the list have experience with firewall log analyzers to monitor firewall..., Jacob, Raymond A Jr Re: [nn] Does anyone on the list have experience with firewall log analyzers to monitor firewall..., Tim Eberhard <=

Previous by Date:	Re: [nn] Does anyone on the list have experience with firewall log analyzers to monitor firewall..., Jacob, Raymond A Jr
Previous by Thread:	Re: [nn] Does anyone on the list have experience with firewall log analyzers to monitor firewall..., Jacob, Raymond A Jr
Indexes:	[Date] [Thread] [Top] [All Lists]