Re: logging questions

["Emiliano Kargieman (CORE)" <ek () securenetworks com>]

On Fri, 24 Apr 1998, Anonymous wrote:

[something about a lot of firewalls logging remotely to 2 loghosts]
[...]
> Assuming that all of the firewalls are appropriately configured and that
> the loghosts are as trusted as anything on our network, Can we be
> reasonably sure that the logs have not been altered?
>
> We realize that we can make no claims about the logs from a given firewall
> after it is compromised.  But we would like to ensure that the logs from
> BEFORE the firewall was compromised are accurate.

There are two cryptographic protocols designed to acomplish this 
(PEO-1 and VCR), i reccomend you take a look at
http://www.core-sdi.com/ssyslog where you can find the papers describing
the protocols and an implementation of syslog that uses PEO-1 to guarantee
that the logs writen to disk before an intrussion weren't modified.


Emiliano Kargieman