Paul,

Is there a blueprint filed on the subject of logging? This really doesn't have anything to do with DVR. The current solution has no logging either.

Carl

On Thu, Jun 26, 2014 at 5:41 AM, CARVER, PAUL <[email protected]> wrote:
> -------- Original message --------
> From: Yi Sun <[email protected]>
> Date:
> To: [email protected]
> Subject: Re: [openstack-dev] [Neutron] DVR SNAT shortcut
>
> Yi wrote:
> +1, I had another email to discuss FW (FWaaS) and DVR integration.
> Traditionally, we run firewall with router so that firewall can use route
> and NAT info from router. Since DVR is asymmetric when handling traffic, it
> is hard to run stateful firewall on top of DVR just like a traditional
> firewall does. When the NAT is in the picture, the situation can be even
> worse.
> Yi
>
> Don't forget logging either. In any security-conscious environment,
> particularly any place with legal/regulatory/contractual audit requirements,
> a firewall that doesn't keep full logs of all dropped and passed sessions is
> worthless.
>
> Stateless packet dropping doesn't help at all when conducting forensics on
> an attack that is already known to have occurred.
>
> _______________________________________________
> OpenStack-dev mailing list
> [email protected]
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
