Re: [FW-1] Network performance analysis / sniffing.

Couple of simple ideas to try:

1. Assuming your rule base is "explicit permit", change your "accept" rules to "accounting". Collect a couple of days' worth, and then export the log to Excel. Then sort it by rule, or port or whatever.. stuff it into an Access database and run Crystal against it.. you get the picture. For ex, I do this periodically to track our email volume so I can size the server volumes and adjust the retention rules (how soon I force deletes from mailboxes on the server..) It's not real time, but it could be helpful for overall numbers (# of connections and KB transferred) and peak times..

2. MRTG - uses SNMP.. but if you track the interface for a couple of days it's not the end of everything IMHO. Just be careful. This will give you a graph of total bandwidth of the interface so you can see your 5 min avg load on a daily/weekly/monthly & yearly basis (out of the box. You can mod it to do other things, or use Cricket/RRDtool to monitor real time stats, graph CPU util vs interface load etc...) MRTG is also helpful from a security standpoint - you get to know your normal traffic patterns and can see when something is wrong even when there are no other signs.. such as an increase in outbound traffic or inbound traffic during off hours (overnight). Run MRTG against your switches or routers to help nail down where the traffic is coming from.. I watch my router interfaces all the time. I have one monitor dedicated to a webpage with all of our critical connections on it.

3. Cisco's cflow is avail as a trial product. Installs on unix and if your edge router is of the Cisco persuasion cflow will log traffic by time and type etc. I have not had time to play with it myself yet but it's my understanding that it is quite good both from a security perspective as well as billing/accounting. (who sent what to whom and when in some sort of database format...) It could possibly supply all the answers for you but I can't say for sure. Worth a look though I think.

4. Build a Snort/mysql/ACID box and sniff everything going into or out of your firewall interface, log it to ACID and build yourself a custom rule base which looks at the things you're interested in only - such as traffic to and from your mail server, web server, etc. This won't tell you the packet sizes like the CP accounting will, but will divide your traffic into % of total and is easy to use.. just click on "alert listing" and you'll see all of your selected traffic sorted by type and the % of the total sniffed. Go to the Silicon Defense website for complete instructions on how to build such a machine on Win32. Should take an hour or two for the basics, then you have to write your rule base. (see www.snort.org) When you're done with this project, you can swap out the rule base for the regular IDS one and monitor the inside interface of your firewall to make sure it's doing what you think it's doing.. or monitor the outside interface to see who's knocking. Or both. ;-)

That should be a start anyhow..

hth
Joe

>>> "Jarmoc, Jeff" <[email protected]> 04/10/02 05:03PM >>>

I'm hoping someone can help me with something that's only partly firewall related. At times, the external interface of firewalls I'm responsible for will become highly utilized. In going down the path of looking for upgrades, management invariably asks the question, "What sort of traffic is this interface passing?" Obviously, I can tell what traffic is allowed by looking at my firewall rulebase and logs. What's more difficult is to tell how much of each type of traffic is allowed. For example, I can presume that HTTP and SMTP are two of the major protocols in use on my network. However, I can't reliably state that HTTP accounts for X% of total utilization while SMTP accounts for Y%. And therein lies my question. Does anyone know of a relatively simple way to collect these sorts of statistics?

My first thoughts are to possibly i) run a sniffer near my firewall, and analyze its captured data in order to generate these statistics. My second thought is that maybe the firewall logs already contain most of the information I'm looking for. What sorts of solutions have other people implemented to answer these sorts of questions? Any and all ideas are appreciated greatly.

Jeff Jarmoc - CCSA, CCNA, MCSE
Network Analyst - Grubb & Ellis
[email protected]

=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
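As an added illustration of idea 1 above (accounting rules, export the log, split it by service) and of Jeff's "HTTP is X%, SMTP is Y%" question, here is a small script that is not from the list thread or from Check Point. It assumes a semicolon-delimited export with date, time, rule, service and bytes columns; the column layout and the five sample rows are constructed for the example, since a real FW-1 export carries many more fields.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape of an accounting-log export.
# The column names are an assumption, not Check Point's real layout.
SAMPLE_EXPORT = """\
date;time;rule;service;src;dst;bytes
10Apr2002;09:01:12;3;http;10.1.1.5;192.0.2.10;48000
10Apr2002;09:05:40;3;http;10.1.1.6;192.0.2.11;12000
10Apr2002;09:10:02;5;smtp;10.1.2.9;198.51.100.7;30000
10Apr2002;14:22:18;5;smtp;10.1.2.9;198.51.100.8;5000
10Apr2002;23:45:00;3;http;10.1.1.7;203.0.113.4;5000
"""


def summarize(export_text):
    """Return (bytes per service, connections per service, bytes per hour)."""
    bytes_by_service, conns_by_service, bytes_by_hour = Counter(), Counter(), Counter()
    for row in csv.DictReader(io.StringIO(export_text), delimiter=";"):
        size = int(row["bytes"])
        bytes_by_service[row["service"]] += size
        conns_by_service[row["service"]] += 1
        bytes_by_hour[row["time"][:2]] += size  # bucket by "HH"
    return bytes_by_service, conns_by_service, bytes_by_hour


def percent_of_total(counter):
    """Map each key to its share of the total, in percent (two decimals)."""
    total = sum(counter.values())
    return {k: round(100.0 * v / total, 2) for k, v in counter.items()} if total else {}


def peak_hour(bytes_by_hour):
    """The 'HH' bucket that carried the most bytes."""
    return max(bytes_by_hour, key=bytes_by_hour.get)


def off_hours_share(bytes_by_hour, start=22, end=6):
    """Percent of bytes moved overnight: a baseline so a jump stands out."""
    total = sum(bytes_by_hour.values())
    night = sum(v for h, v in bytes_by_hour.items() if int(h) >= start or int(h) < end)
    return round(100.0 * night / total, 2) if total else 0.0


if __name__ == "__main__":
    by_svc, conns, by_hour = summarize(SAMPLE_EXPORT)
    for svc, pct in sorted(percent_of_total(by_svc).items(), key=lambda kv: -kv[1]):
        print(f"{svc:6s} {pct:6.2f}% of bytes  {conns[svc]} connections")
    print("peak hour:", peak_hour(by_hour), " overnight share:", off_hours_share(by_hour), "%")
```

Feed the real export's service and byte columns through `summarize` and the percentages answer the X%/Y% question directly; the overnight share is the number to keep an eye on for the off-hours traffic Joe mentions under MRTG.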