michaelj@burrito.insource.com wrote:
| Log exportation is the weakest feature of FW-1, IMHO. I haven't touched
This is a pet peeve of mine. Security products should not do
their own logging. Security products should be small and single
purpose, and send their logs to a logging tool, such as syslog.
For all syslog's problems, it does offer a single point for
concentrating your logs and sending them off to analysis and alerting
tools. It does offer a way to offload logs from the machine doing the
logging.
Often, I can not use a product if it doesn't log to syslog,
because I set up logging machines to accept syslog, not proprietary
undocumented protocol X. If a security product can't log the way
I'm willing to accept and trust logs, then I can't do post facto
analysis if the machine running this product is compromised. So I
don't buy things that don't use syslog. I haven't seen anything that's
worth breaking the rule.
(Actually, I did see a sales pitch for an intrusion detection
system that looked pretty nifty that used a database. The database
was MS Access, which worries me for stability and security reasons,
but the idea of going to a real database instead of flat files was
appealing. If your product speaks a standard database protocol, that
may be an ok way to log. (For those of you in the development stage,
Sybase is good because TIS has a proxy.))
Adam
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
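As an added illustration of the log offloading Adam argues for (this is not code from the original message or from any product it mentions): a small Python script that formats a constructed firewall event as an RFC 3164 syslog line, ships it over UDP to a collector, and parses it the way the log host would. The host names, facility choice, event text and collector address are assumptions.

```python
import re
import socket
from datetime import datetime

# Facility and severity codes as defined in RFC 3164 section 4.1.1.
FACILITY = {"kern": 0, "user": 1, "auth": 4, "authpriv": 10, "local0": 16, "local4": 20}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

def encode_pri(facility: str, severity: str) -> int:
    """The <PRI> field is facility * 8 + severity; local4.warning -> 164."""
    return FACILITY[facility] * 8 + SEVERITY[severity]

def format_rfc3164(facility, severity, hostname, tag, msg, when=None):
    """Build a BSD syslog line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG."""
    when = when or datetime.now()
    # RFC 3164 pads a single-digit day with a space, not a zero.
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{encode_pri(facility, severity)}>{ts} {hostname} {tag}: {msg}"

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

def parse_rfc3164(line: str):
    """Decode a line as the collector would, splitting PRI back into facility and severity."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # not a well-formed syslog line; keep the raw text for the analyst
    rec = m.groupdict()
    rec["pri"] = int(rec["pri"])
    rec["facility"], rec["severity"] = divmod(rec["pri"], 8)
    return rec

def send_udp(line: str, collector: str, port: int = 514) -> int:
    """Ship the line to the log host over UDP/514, the classic syslog transport."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode("ascii", "replace"), (collector, port))

def sample_line() -> str:
    """A constructed firewall event with a fixed timestamp (hosts and text are made up)."""
    return format_rfc3164("local4", "warning", "fw1", "fw-monitor",
                          "drop src=192.0.2.7 dst=198.51.100.5 service=telnet",
                          when=datetime(2001, 3, 5, 14, 7, 9))

if __name__ == "__main__":
    line = sample_line()
    print(line)
    print(parse_rfc3164(line))
    send_udp(line, "127.0.0.1")  # assumed collector; replace with your loghost's address
```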