Chris,

It's not bashing; it's improving. Don't be bashful. I agree with your request.

The push back from the other side of the table is packets per second (performance, amongst other issues). It also gets real ugly looking at header fields in all the packets of a particular connection.

What the PIX team did was implement a capture command. The target was to make it very TCPDump-like. You can grab packets in Pcap format (eating device memory) and throw them out at a TFTP server for off-box analysis. Off box we can use Ethereal (and other tools) to knit the connections back together and look at all the header info. Works well.

Liberty for All,

Brian

At 05:17 AM 10/23/2003 -0400, Chris Brenton wrote:
>On Wed, 2003-10-22 at 23:29, Jason Haar wrote:
>
> > This feature isn't as great as it seems. To be honest, the PIX still has a
> > ways to go before its ACL support is as good as IOS.
>
>Hey while we are bashing on commercial firewalls anyway ;-p, let me toss
>in that the level of detail recorded by PIX, FW-1, Netscreen, and many
>others, leaves much to be desired. Some wish list items I would love to
>see recorded by all packet filters:
>
>Type of service & precedence field (if set)
>IP and TCP options (if any are set)
>TTL
>IP ID
>TCP MSS & Window size
>Payload contents of ICMP type 3's, 4's, 5's & 11's
>
>I teach track 2 for SANS and one of the exercises we go through is
>looking at a packet as it gets logged through a commercial and a GPL
>firewall. Based on the commercial firewall we are led to believe that
>someone may be probing our perimeter (i.e. the source IP is malicious).
>Because the GPL firewall records more detail, we get to see that the
>packet is actually fallout from someone spoofing our address (i.e.
>someone might think we are malicious). The point of the exercise is that
>the devil is in the details. Without enough information you can't make a
>good judgment call about what to worry about and what can be dismissed.
>
>I'm not saying *all* commercial firewalls have this problem, just the
>primaries that most people are using. Being able to do passive
>fingerprinting is a nice bonus as well.
>
>Just my $.02,
>C

Brian Ford
Consulting Engineer, Security & Integrity Specialist
Office of Strategic Technology Planning
Cisco Systems Inc.
http://www.cisco.com/go/safe/
The opinions expressed in this message are those of the author and not necessarily those of Cisco Systems, Inc.

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
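The thread above argues that a capture pulled off the box (PIX capture to TFTP, then Ethereal) gives the analyst the header fields a firewall log omits. The following is an added example, not code from the PIX, from Cisco, or from anyone on the list: a small Python decoder that pulls exactly Chris Brenton's wish-list fields (precedence/TOS bits, IP options, TTL, IP ID, TCP MSS and window, and the original datagram quoted inside ICMP type 3/4/5/11) out of raw IPv4 datagrams, which is what a pcap taken off a firewall contains once the link-layer header is stripped. The two sample packets, the addresses (documentation ranges), and the helper names are all constructed for the illustration; checksums are left at zero and are not verified.

```python
"""Decode the header fields a detailed firewall log should carry, from raw IPv4 datagrams.
Added example: not PIX/Cisco code. Sample packets are constructed inline, checksums unverified."""
import struct
from ipaddress import IPv4Address, ip_network

ICMP_ERROR_TYPES = {3: "unreachable", 4: "source quench", 5: "redirect", 11: "time exceeded"}

def parse_ip_options(raw):
    """Return the option kinds present after the fixed 20-byte IPv4 header (NOPs dropped)."""
    kinds, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # End of Option List
            break
        if kind == 1:                       # No Operation: a single byte, no length field
            i += 1
            continue
        kinds.append(kind)
        if i + 1 >= len(raw) or raw[i + 1] < 2:
            break                           # truncated or bogus length: record the kind and stop
        i += raw[i + 1]
    return kinds

def parse_tcp_options(raw):
    """Decode MSS (kind 2), window scale (kind 3) and SACK-permitted (kind 4); others by kind."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            break                           # malformed option: stop rather than misread bytes
        length, data = raw[i + 1], raw[i + 2:i + raw[i + 1]]
        if kind == 2 and len(data) == 2:
            opts["mss"] = struct.unpack("!H", data)[0]
        elif kind == 3 and len(data) == 1:
            opts["wscale"] = data[0]
        elif kind == 4:
            opts["sack_ok"] = True
        else:
            opts.setdefault("other", []).append(kind)
        i += length
    return opts

def parse_ip(pkt):
    """Return (wish-list header fields, payload) for one IPv4 datagram."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, tos, _tot, ident, _ff, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not IPv4 or bad IHL")
    fields = {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "proto": proto,
              "ttl": ttl, "ip_id": ident,
              "precedence": tos >> 5, "tos_bits": (tos >> 1) & 0x0F,   # RFC 791 TOS byte layout
              "ip_options": parse_ip_options(pkt[20:ihl])}
    return fields, pkt[ihl:]

def parse_tcp(raw):
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, doff, flags, window, _csum, _urg = struct.unpack("!HHIIBBHHH", raw[:20])
    tcp = {"sport": sport, "dport": dport, "window": window,
           "flags": "".join(f for bit, f in enumerate("FSRPAU") if flags & (1 << bit))}
    tcp.update(parse_tcp_options(raw[20:(doff >> 4) * 4]))
    return tcp

def parse_icmp(raw):
    """For types 3/4/5/11 also decode the quoted original IP header and its first transport bytes."""
    if len(raw) < 8:
        raise ValueError("truncated ICMP header")
    itype, code, _csum, rest = struct.unpack("!BBHI", raw[:8])
    icmp = {"type": itype, "code": code, "name": ICMP_ERROR_TYPES.get(itype, "other")}
    if itype == 5:
        icmp["gateway"] = str(IPv4Address(rest))
    if itype in ICMP_ERROR_TYPES and len(raw) >= 28:
        quoted, inner = parse_ip(raw[8:])
        if quoted["proto"] in (6, 17) and len(inner) >= 4:   # TCP/UDP ports are the first 4 bytes
            quoted["sport"], quoted["dport"] = struct.unpack("!HH", inner[:4])
        icmp["quoted"] = quoted
    return icmp

def decode(pkt):
    """One log record per datagram, carrying the wish-list fields."""
    entry, payload = parse_ip(pkt)
    if entry["proto"] == 6:
        entry["tcp"] = parse_tcp(payload)
    elif entry["proto"] == 1:
        entry["icmp"] = parse_icmp(payload)
    return entry

def quoted_claims_our_address(entry, our_prefix):
    """True if an ICMP error quotes a datagram whose source is one of our addresses. Checked
    against outbound logs, a quoted datagram we never sent is fallout from someone spoofing us."""
    quoted = entry.get("icmp", {}).get("quoted")
    return bool(quoted) and IPv4Address(quoted["src"]) in ip_network(our_prefix)

def _ip(src, dst, proto, payload, ttl, ident, tos=0, options=b""):
    """Constructed-packet builder for the samples below (IHL grows with 4-byte-padded options)."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, tos, ihl * 4 + len(payload), ident, 0x4000,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + options + payload

# Constructed sample 1: SYN with precedence 5, a Router Alert IP option, MSS 1460, window scale 7.
SYN_PKT = _ip("198.51.100.7", "192.0.2.10", 6, ttl=49, ident=0xBEEF, tos=0xB0,
              options=b"\x94\x04\x00\x00",
              payload=struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 7 << 4, 0x02, 65535, 0, 0)
              + b"\x02\x04\x05\xb4\x01\x03\x03\x07")
# Constructed sample 2: port-unreachable from 203.0.113.9 quoting a UDP datagram that names
# 192.0.2.10 (ours) as source: what backscatter from a probe spoofing our address looks like.
_QUOTED = _ip("192.0.2.10", "203.0.113.9", 17, ttl=51, ident=1, payload=struct.pack("!HHHH", 31337, 53, 8, 0))
UNREACH_PKT = _ip("203.0.113.9", "192.0.2.10", 1, ttl=245, ident=0x7A2B,
                  payload=struct.pack("!BBHI", 3, 3, 0, 0) + _QUOTED)

if __name__ == "__main__":
    for pkt in (SYN_PKT, UNREACH_PKT):
        e = decode(pkt)
        print(e, "| quoted datagram claims our address:", quoted_claims_our_address(e, "192.0.2.0/24"))
```

Run as-is it prints the two records; fed a real capture, each datagram's record gives the analyst the TTL, IP ID, options and quoted-header context the exercise in the thread hinges on, so the ICMP sender in the second sample is recognised as a host answering a forged packet rather than as the party probing you.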
This archive was generated by hypermail 2b30 : Thu Oct 23 2003 - 19:54:09 PDT