As part of a security audit project for a big firm, we are doing a review of the rules on the firewalls.
During this exercise we came across many rules with the keyword "any" in either the source IP, destination IP or destination ports, which per policy need to be locked down to specifics.
What would be the best way to find out what's flowing through?
Two scenarios:
a) For a small site: logging/capturing packets? Any tool to simplify logs and packet capture data and put it into a more understandable format?
b) For a datacenter firewall which receives close to a million hits a day for just a single rule, any suggestions on what tool can be employed to capture destination port information?
Again, the whole idea is to find out if there is any tool/system to capture what's flowing through the firewall without reaching out to the IT folks for documents :)
Also, if logging is enabled, would it increase the traffic flow/CPU utilization?
Thanks,
Harsha
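Added example (not from the post above): one way to answer scenario b) from the firewall's own logs is to stream them and keep only per-rule counters of destination port/protocol and distinct destination hosts, which scales to a day of a million hits without holding the lines in memory. The key=value log format and the sample lines here are constructed for illustration and are not any vendor's real format; adjust `FIELD_RE` to the firewall's actual syntax.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in a generic key=value firewall log format (not a real vendor format).
SAMPLE_LOG = """\
rule=DMZ_WEB_ANY action=allow src=198.51.100.10 dst=10.0.5.20 proto=tcp dport=443
rule=DMZ_WEB_ANY action=allow src=198.51.100.11 dst=10.0.5.20 proto=tcp dport=443
rule=DMZ_WEB_ANY action=allow src=198.51.100.12 dst=10.0.5.20 proto=tcp dport=80
rule=DMZ_WEB_ANY action=allow src=198.51.100.13 dst=10.0.5.21 proto=tcp dport=22
rule=LAN_OUT_ANY action=allow src=10.1.1.5 dst=203.0.113.9 proto=udp dport=53
rule=LAN_OUT_ANY action=allow src=10.1.1.6 dst=203.0.113.9 proto=udp dport=53
rule=LAN_OUT_ANY action=allow src=10.1.1.7 dst=203.0.113.50 proto=tcp dport=443
garbage line that does not parse
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")  # assumed key=value layout; adapt to the real log format
REQUIRED = {"rule", "dst", "proto", "dport"}


def parse_line(line):
    """Return the key=value fields of one log line, or None if a needed field is missing."""
    fields = dict(FIELD_RE.findall(line))
    return fields if REQUIRED.issubset(fields) else None


def summarize(lines):
    """Stream log lines; per rule, count (proto, dport) pairs and collect distinct dst hosts.
    Only counters and small sets are kept, so high-volume logs can be processed in one pass."""
    ports = defaultdict(Counter)
    dsts = defaultdict(set)
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue  # unparseable line: skip rather than abort the whole run
        ports[f["rule"]][(f["proto"], f["dport"])] += 1
        dsts[f["rule"]].add(f["dst"])
    return ports, dsts


def proposed_lockdown(ports, dsts, rule):
    """Services actually observed for a rule, most-used first: the candidate replacement for 'any'."""
    services = [f"{proto}/{dport}" for (proto, dport), _ in ports[rule].most_common()]
    return {"services": services, "dst_hosts": sorted(dsts[rule])}


if __name__ == "__main__":
    port_counts, dst_hosts = summarize(SAMPLE_LOG.splitlines())
    for rule_name in port_counts:
        print(rule_name, proposed_lockdown(port_counts, dst_hosts, rule_name))
```

The same aggregation works on a packet capture for scenario a) by feeding it per-flow tuples instead of log lines; the output lists what a rule would need to permit if its "any" were replaced by the observed services and hosts.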