Logging and Security

What is the best and cheapest way to view network traffic traversing an ASA firewall?
I'm trying to understand the difference between syslog and tcpdump.

For instance, one of the top sites in the ASDM happens to be a multimedia streaming site. I would like to know what IP is connected to that site so I could bust 'em, but it happens in the off hours and I only know how to view the real-time traffic in the ASDM.

Can someone please take me through a best-practices configuration step by step? Is there a free syslog server I could use?

georgehayes3 asked:

giltjr commented:
TCPDUMP is used to view the actual network traffic (packets) that flow over the network. It breaks down the headers from the various protocols (Ethernet, ATM, Frame Relay, IP, TCP, NetBIOS, NetBEUI, HTTP, and so on).

SYSLOG is generally where applications may log events.  In the Windows world you can relate SYSLOG to the Event logs.

I believe that Kiwi (http://www.kiwisyslog.com) has a free version for non-commercial non-production use.

In your case, syslog is what you want.  TCPDUMP would provide you with way too much information.

However, what is your company's policy on Internet usage? If what they are doing is against the policy, I have found it best to just set up a rule to block traffic to that IP address or range of IP addresses. If what they are doing is allowed, then I would suggest getting permission from management to set up rules that will limit the amount of bandwidth non-business traffic can use. It takes a bit of monitoring to see what IP addresses people are going to and how much bandwidth they use. We have a Cisco CAT6500 and I have enabled NetFlow and I use NTOP to capture the NetFlow data and do basic reporting. When we are experiencing slowness on the Internet, I look in NTOP to see what is using it. If it is non-business related, I add the IP address(es) to a network object in PIX that is policed to limit bandwidth.

If you really want to catch the person, then you would need to set up an ACE that logs all access to the IP address(es) of the streaming media servers. You want to target the servers, just in case there is more than one employee accessing the sites. If there are 10 employees hitting this site and you only target one, you could be in trouble.
 
georgehayes3 (author) commented:
Thank you. I would love to use NetFlow but the ASA doesn't support it from what I understand.