Couple of simple ideas to try:

1. Assuming your rule base is "explicit permit", change your "accept" rules to "accounting". Collect a couple of days' worth, and then export the log to Excel. Then sort it by rule, or port or whatever.. stuff it into an Access database and run Crystal against it.. you get the picture. For ex, I do this periodically to track our email volume so I can size the server volumes and adjust the retention rules (how soon I force deletes from mailboxes on the server..) It's not real time, but it could be helpful for overall numbers (# of connections and KB transferred) and peak times..

2. MRTG - uses SNMP.. but if you track the interface for a couple of days it's not the end of everything IMHO. Just be careful. This will give you a graph of total bandwidth of the interface so you can see your 5 min avg load on a daily/weekly/monthly & yearly basis (out of the box. You can mod it to do other things, or use Cricket/RRDtool to monitor real time stats, graph CPU util vs interface load etc...) MRTG is also helpful from a security standpoint - you get to know your normal traffic patterns and can see when something is wrong even when there are no other signs.. such as an increase in outbound traffic or inbound traffic during off hours (overnight). Run MRTG against your switches or routers to help nail down where the traffic is coming from.. I watch my router interfaces all the time. I have one monitor dedicated to a webpage with all of our critical connections on it.

3. Cisco's cflow is avail as a trial product. Installs on unix and if your edge router is of the Cisco persuasion cflow will log traffic by time and type etc. I have not had time to play with it myself yet but it's my understanding that it is quite good both from a security perspective as well as billing/accounting. (who sent what to whom and when in some sort of database format...) It could possibly supply all the answers for you but I can't say for sure. Worth a look though I think.

4. Build a Snort/mysql/ACID box and sniff everything going into or out of your firewall interface, log it to ACID and build yourself a custom rule base which looks at the things you're interested in only - such as traffic to and from your mail server, web server, etc. This won't tell you the packet sizes like the CP accounting will, but will divide your traffic into % of total and is easy to use.. just click on "alert listing" and you'll see all of your selected traffic sorted by type and the % of the total sniffed. Go to the Silicon Defense website for complete instructions on how to build such a machine on Win32. Should take an hour or two for the basics, then you have to write your rule base. (see www.snort.org) When you're done with this project, you can swap out the rule base for the regular IDS one and monitor the inside interface of your firewall to make sure it's doing what you think it's doing.. or monitor the outside interface to see who's knocking. Or both. ;-)

That should be a start anyhow..

hth

Joe
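As an added worked example (not code from Joe's reply, Jeff's post or the list), here is a small Python script that does what items 1 and 4 describe and answers Jeff's "HTTP is X%, SMTP is Y%" question: it parses an exported accounting log, reports each service's share of connections and bytes, finds the peak hour, and applies the item 2 baseline idea by flagging off-hours outbound traffic that exceeds a multiple of the business-hours median. The semicolon-separated layout (date;time;action;rule;service;src;dst;bytes), the 10.0.0.0/8 "internal" prefix and the sample rows are constructed assumptions, not a real FW-1 export format.

```python
"""Summarise an exported firewall accounting log by service and by hour.

Added example; not from the original thread. The semicolon-separated
layout below (date;time;action;rule;service;src;dst;bytes) is an
assumption standing in for whatever your firewall's log export produces.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample export (not real traffic): one day of accepted
# connections plus one malformed row to show that bad lines are skipped.
SAMPLE_LOG = """\
10Apr2002;09:05:12;accept;3;http;10.1.1.20;203.0.113.5;152000
10Apr2002;09:07:44;accept;4;smtp;10.1.1.25;198.51.100.9;48000
10Apr2002;10:15:01;accept;3;http;10.1.1.31;203.0.113.7;98000
10Apr2002;11:42:30;accept;5;https;10.1.1.20;203.0.113.5;50000
10Apr2002;14:03:10;accept;4;smtp;198.51.100.9;10.1.1.25;36000
10Apr2002;15:20:05;accept;3;http;10.1.1.44;203.0.113.9;100000
10Apr2002;23:10:55;accept;3;http;10.1.1.31;203.0.113.7;4000
11Apr2002;02:30:00;accept;5;https;10.1.1.50;203.0.113.12;600000
11Apr2002;03:00:00;accept;bad
"""

INTERNAL_PREFIX = "10."  # assumption: internal hosts live in 10.0.0.0/8


def parse_accounting_log(text):
    """Turn the export into a list of dicts; malformed rows are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        fields = line.strip().split(";")
        if len(fields) != 8:
            continue
        date, time_, action, rule, service, src, dst, nbytes = fields
        try:
            records.append({
                "when": datetime.strptime(f"{date} {time_}", "%d%b%Y %H:%M:%S"),
                "action": action,
                "rule": int(rule),
                "service": service,
                "src": src,
                "dst": dst,
                "bytes": int(nbytes),
            })
        except ValueError:  # unparsable date, rule or byte count
            continue
    return records


def share_by_service(records):
    """{service: (connections, bytes, percent_of_total_bytes)}, largest first."""
    conns, nbytes = defaultdict(int), defaultdict(int)
    for r in records:
        conns[r["service"]] += 1
        nbytes[r["service"]] += r["bytes"]
    total = sum(nbytes.values()) or 1  # avoid ZeroDivisionError on an empty log
    return {
        svc: (conns[svc], nbytes[svc], round(100.0 * nbytes[svc] / total, 1))
        for svc in sorted(nbytes, key=nbytes.get, reverse=True)
    }


def bytes_by_hour(records, outbound_only=False):
    """Total bytes per hour of day (0-23); optionally only internal->external flows."""
    hours = defaultdict(int)
    for r in records:
        if outbound_only and not r["src"].startswith(INTERNAL_PREFIX):
            continue
        hours[r["when"].hour] += r["bytes"]
    return dict(hours)


def peak_hour(records):
    """(hour, bytes) of the busiest hour, or None for an empty log."""
    hours = bytes_by_hour(records)
    if not hours:
        return None
    hour = max(hours, key=hours.get)
    return hour, hours[hour]


def off_hours_outbound(records, night_start=22, night_end=6, factor=3.0):
    """Flag night hours whose outbound bytes exceed factor x the daytime hourly median.

    This is the baseline check from item 2: an unexplained rise in outbound
    traffic overnight is worth a look even when nothing else looks wrong.
    """
    def is_night(hour):
        return hour >= night_start or hour < night_end

    outbound = bytes_by_hour(records, outbound_only=True)
    daytime = [b for h, b in outbound.items() if not is_night(h)]
    if not daytime:
        return []
    threshold = factor * median(daytime)
    return sorted((h, b) for h, b in outbound.items() if is_night(h) and b > threshold)


if __name__ == "__main__":
    recs = parse_accounting_log(SAMPLE_LOG)
    for svc, (n, b, pct) in share_by_service(recs).items():
        print(f"{svc:8} {n:4} conns {b:10} bytes {pct:5.1f}%")
    print("peak hour:", peak_hour(recs))
    print("off-hours outbound anomalies:", off_hours_outbound(recs))
```

Percentages are computed on bytes rather than connection counts, since the interface-sizing question is about bandwidth; swap the two if management wants "how many" instead of "how much". The off-hours check deliberately uses the median of business hours so one busy daytime hour cannot drag the baseline up and hide an overnight spike.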

>>> "Jarmoc, Jeff" <[EMAIL PROTECTED]> 04/10/02 05:03PM >>>
        I'm hoping someone can help me with something that's only partly
firewall related.  At times, the external interface of firewalls I'm
responsible for will become highly utilized.  In going down the path of
looking for upgrades, management invariably asks the question, "What sort of
traffic is this interface passing?"  Obviously, I can tell what traffic is
allowed by looking at my firewall rulebase and logs.  What's more difficult,
is to tell how much of each type of traffic is allowed.
        For example, I can presume that HTTP and SMTP are two of the major
protocols in use on my network.  However, I can't reliably state that HTTP
accounts for X% of total utilization while SMTP accounts for Y%.  And
therein lies my question.  Does anyone know of a relatively simple way to
collect these sorts of statistics?  My first thoughts are to possibly i) run
a sniffer near my firewall, and analyze its captured data in order to
generate these statistics.  My second thought is that maybe the firewall
logs already contain most of the information I'm looking for.  What sorts of
solutions have other people implemented to answer these sorts of questions?

        Any and all ideas are appreciated greatly.

Jeff Jarmoc - CCSA, CCNA, MCSE
Network Analyst - Grubb & Ellis
[EMAIL PROTECTED]

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
