Re: Transparent Internet Bandwidth / Usage monitoring



On Sat, 26 Apr 2008 21:00:19 -0700, Sam wrote:

> I had come across iptables, which seems to do what I want. Most of the
> sites that mention it, however, cite it as a way to monitor personal
> bandwidth, not organization-wide bandwidth. While clearly it would
> work for that purpose, my concern is routing and security. Any thoughts
> on those topics?

This article shows how to set up counters on a host/subnet basis:
http://www.linux.com/articles/50649

1. Adding an iptables-enabled bridge/router between your current firewall
and WAN will surely not pose additional security risks to your LAN. This
setup, however, is not able to separate traffic on a subnet/host basis (in
your LAN).

2. Adding an iptables-enabled bridge/router between your current firewall
and LAN subnets/hosts does not pose additional security risks to your
LAN, unless you make it reachable from the WAN side of the firewall.

3. I can't see why adding custom chains for differential monitoring to an
existing iptables-enabled firewall would have security implications.
Heck, iptables is the Linux firewall, and has been, almost since
dinosaurs walked the earth.

Reading counters from the bridge/firewall might disclose sensitive
information about your LAN and traffic patterns, but there's nothing to
suggest that a cracker can read those counters without owning the
bridge/firewall/router in the first place.


--
Regards/mvh Joachim Mæland

If everything seems under control, you're just not going fast enough.
-Mario Andretti
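
Added example, not part of the original post: a sketch of the custom accounting chain from point 3 and of reading its per-subnet counters. The chain name ACCT, the two subnets and the sample counter listing are constructed assumptions; the script only prints the iptables commands and parses embedded sample output, so it runs without root.

```shell
#!/bin/sh
# Added example. Chain name ACCT and the subnets are assumptions.

# Print the commands that create a counting-only chain. Rules without -j
# have no target: they match, bump their counters and fall through, so the
# existing FORWARD rules still decide what is accepted or dropped.
acct_rules() {
    chain=$1; shift
    echo "iptables -N $chain"
    echo "iptables -I FORWARD -j $chain"
    for net in "$@"; do
        echo "iptables -A $chain -s $net"   # traffic leaving the subnet
        echo "iptables -A $chain -d $net"   # traffic going to the subnet
    done
}

# Constructed sample of `iptables -L ACCT -n -v -x` output (root only).
sample_counters() {
    cat <<'EOF'
Chain ACCT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1200     840000            all  --  *      *       192.168.1.0/24       0.0.0.0/0
    1500    2100000            all  --  *      *       0.0.0.0/0            192.168.1.0/24
     300      45000            all  --  *      *       192.168.2.0/24       0.0.0.0/0
     410     512000            all  --  *      *       0.0.0.0/0            192.168.2.0/24
EOF
}

# Sum exact byte counters per subnet. Source and destination are always the
# last two fields, whether or not the target column is empty.
acct_parse() {
    awk -v any="0.0.0.0/0" '
        $1 ~ /^[0-9]+$/ && NF >= 8 {
            src = $(NF-1); dst = $NF
            if (src != any) { up[src] += $2; seen[src] = 1 }
            if (dst != any) { down[dst] += $2; seen[dst] = 1 }
        }
        END { for (n in seen) printf "%s up=%.0f down=%.0f\n", n, up[n], down[n] }
    ' | sort
}

acct_rules ACCT 192.168.1.0/24 192.168.2.0/24
sample_counters | acct_parse
```

On a live router the parser would be fed by `iptables -L ACCT -n -v -x`, which needs root; that matches the point above that the counters are only readable by someone who already controls the box.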