Great Circle Associates Firewalls
(June 1994)

Subject: Re: Cisco software update? (fwd)
From: amolitor @ anubis . network . com (Andrew Molitor)
Date: Thu, 2 Jun 94 21:01:21 CDT
To: firewalls @ GreatCircle . COM

	To answer two questions about NSC's packet logging:

	- We use a trivial UDP packet format, with the router name and the
name of the filter which caused the copy_to action, each padded out to 32
bytes with nulls, followed by the IP packet itself, truncated to 2048 bytes
max. Link layer stuff is stripped off. Each instance of a copy_to action
(and there can be multiple instances in multiple filters, any of which may
or may not apply to a given packet) can specify a host and a port number to
send the copy to. Multiple copy_to actions can be applied to a given packet,
resulting in multiple UDP packets. It's spiritually like syslog, but the
packet format is different. There is no support for throttling, besides
resource exhaustion in the box. It won't roll over and die if you make it do
lots of copy_to's, it'll just slow down and start dropping things, just like
an IP router should.

	- Performance is, of course, sticky. On our DX platforms, it's hard
for me to make a guess at performance. On our (cheaper) 6600 series, a
glance over the code suggests that you ought to be able to handle 'a few
thousand' packets/sec if you're applying a copy_to to every one. This is a
wild guess, based on 15 minutes of peering at code and going 'Umm, hmm. Uh.
Ok.' and so on, so it's worth exactly what you paid for it. Flat out, a 6600
does 14K pps, and you're not gonna get that if you're logging. On the other
hand, as far as I can see, it shouldn't drop to 40 pps or something
embarrassing like that.

	However, more important than just 'can you log?' is the question
'what do you want to do with logs?' It's all very well to cobble together
some perl scripts to send you mail when some goob tries to telnet to your
file server, but that's pretty ad hoc, besides being a recipe for getting a
whole lot of mail. What you really want to do is figure out what your
security policy is, and whether or not logging is necessary for enforcing
the policy, and if so, what role it should play. How does logging fit in
with your risk analysis? Does it reduce risk in some fashion? If it doesn't
reduce your risks, what does it do for you?

		Andrew

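A collector for the copy_to datagram layout described in the message above, as an added example and not NSC's own code. It assumes only the two 32-byte null-padded names followed by the copied IP packet truncated at 2048 bytes; the IPv4/TCP header decoding, the sample router and filter names, and the addresses are my own constructed illustration.

```python
import socket
import struct

NAME_LEN = 32            # router name and filter name, each null-padded to 32 bytes
HEADER_LEN = 2 * NAME_LEN
MAX_COPY = 2048          # the router truncates the copied IP packet at this size

def build_datagram(router: str, filt: str, ip_packet: bytes) -> bytes:
    """Assemble a datagram in the described layout (used here only to build samples)."""
    return (router.encode("ascii").ljust(NAME_LEN, b"\x00")
            + filt.encode("ascii").ljust(NAME_LEN, b"\x00")
            + ip_packet[:MAX_COPY])

def parse_copy_to(datagram: bytes) -> dict:
    """Split one copy_to datagram into its names and decode the copied IPv4 header.
    Raises ValueError on input that is too short or not IPv4, so a collector can
    count malformed datagrams instead of crashing on them."""
    if len(datagram) < HEADER_LEN + 20:
        raise ValueError("datagram shorter than names plus a minimal IPv4 header")
    router = datagram[:NAME_LEN].rstrip(b"\x00").decode("ascii", "replace")
    filt = datagram[NAME_LEN:HEADER_LEN].rstrip(b"\x00").decode("ascii", "replace")
    pkt = datagram[HEADER_LEN:HEADER_LEN + MAX_COPY]
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("copied packet does not start with an IPv4 header")
    rec = {"router": router, "filter": filt, "proto": proto,
           "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
           "ip_total_len": total_len,
           "truncated": total_len > len(pkt),   # router cut the copy short
           "src_port": None, "dst_port": None}
    # TCP (6) and UDP (17) both begin with 16-bit source and destination ports
    if proto in (6, 17) and len(pkt) >= ihl + 4:
        rec["src_port"], rec["dst_port"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return rec

def sample_ip_packet(payload: bytes = b"") -> bytes:
    """Constructed IPv4/TCP SYN from 10.0.0.5 to 192.0.2.10 port 23, plus optional payload."""
    total_len = 40 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                         socket.inet_aton("10.0.0.5"), socket.inet_aton("192.0.2.10"))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 23, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return ip_hdr + tcp_hdr + payload

if __name__ == "__main__":
    print(parse_copy_to(build_datagram("gw-1", "deny-telnet", sample_ip_packet())))
```

The `truncated` flag matters for the policy question raised above: a copy that was cut at 2048 bytes tells you the packet was longer, but not what the rest contained.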