Paul,

Is there a blueprint filed on the subject of logging? This really doesn't have anything to do with DVR. The current solution has no logging either.

Carl

On Thu, Jun 26, 2014 at 5:41 AM, CARVER, PAUL <pc2...@att.com> wrote:
>
> -------- Original message --------
> From: Yi Sun <beyo...@gmail.com>
> Date:
> To: openstack-dev@lists.openstack.org
> Subject: Re: [openstack-dev] [Neutron] DVR SNAT shortcut
>
> Yi wrote:
> +1, I had another email to discuss about FW (FWaaS) and DVR integration.
> Traditionally, we run firewall with router so that firewall can use route
> and NAT info from router. Since DVR is asymmetric when handling traffic, it
> is hard to run stateful firewall on top of DVR just like a traditional
> firewall does. When the NAT is in the picture, the situation can be even
> worse.
> Yi
>
> Don't forget logging either. In any security conscious environment,
> particularly any place with legal/regulatory/contractual audit requirements
> a firewall that doesn't keep full logs of all dropped and passed sessions is
> worthless.
>
> Stateless packet dropping doesn't help at all when conducting forensics on
> an attack that is already known to have occurred.
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev