Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [FW1] FW-1 log Auditing

To: [email protected], [email protected]
Subject: RE: [FW1] FW-1 log Auditing
From: [email protected]
Date: Wed, 28 Mar 2001 00:07:53 -0500
Sender: [email protected]

Hi Ivan,
	One method we have used is to import a comma delimited text export
of the firewall log into an Access database.  This way, you can easily write
queries to quickly identify major problems by sorting by source address (to
identify large attacks or problem networks), destination port (to see what
services are being attacked on your network), etc.  The possibilities are
endless; its proven to be quite flexible.
	When you refer to IDS's for FW-1, are you talking about products
that run on top of FW-1?  If so, I believe ISS makes a version of RealSecure
which will do just that.  I wouldn't recommend it simply on an architecture
viewpoint (better to separate the two services), I have no experience with
the product itself.  If that's not a requirement, check out Snort
(http://www.snort.org/).  It performed nicely in our test environment _on
Linux_.  Lot's of problems with Win2k and WinCap on high-volume networks.
Lock-ups, GPF's, etc.  If you're going to seriously look at Snort, test it
on a Unix box.

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
VoiceE-mail  [email protected]
Web     http://www.kde.state.ky.us/



> -----Original Message-----
> From: Ivan More [mailto:[email protected]]
> Sent: Tuesday, March 27, 2001 10:39 PM
> To: [email protected]
> Subject: [FW1] FW-1 log Auditing
> 
> 
> 
> Hi,
> 
> I have a few questions regarding Firewall:
> 
> 1. I am wondering how you Firewall Security
> Administrator deals with the Firewall log everyday? Do
> you have any software to recommend to audit FW-1(ver
> 4.0) logs? Hope you could share your audit method. 
> 
> 2. Could you also recommend a good IDS to use with
> FW-1? 
> 
> 
> Thanks in advance for your suggestions,
> Ivan More
> 
> _______________________________________________________
> Do You Yahoo!?
> Get your free @yahoo.ca address at http://mail.yahoo.ca
> 
> 
> ==============================================================
> ==================
>      To unsubscribe from this mailing list, please see the 
> instructions at
>                http://www.checkpoint.com/services/mailing.html
> ==============================================================
> ==================
> 


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Prev by Date: [FW1] FW-1 log Auditing
Next by Date: Re: [FW1] Syncronyzing 2 FW-1 firewals
Previous by thread: [FW1] FW-1 log Auditing
Next by thread: RE: [FW1] FW-1 log Auditing
Index(es):
- Date
- Thread