Firewall Wizards mailing list archives

Re: Secure logging architectures


From: "Marcus J. Ranum" <mjr () nfr com>
Date: Wed, 28 Nov 2001 13:09:14 -0500

Andre Delafontaine wrote:
> I see lots of possible
> mechanisms to implement with, running the gamut from some type of
> transferring via secure copy protocol to Marcus's/NFR's Secure Log
> Repository.

> The issue I have with this kind of implementation is that it probably
> won't work when you need it the most: when the attack works and the
> intruder has control of your host. They can stop the automatic transfer
> and/or change the files sent.

It depends on timing, of course. Copying logs off a machine, no matter
how "real time" you make it, will have a small window in which something
can be altered. The NFR SLR architecture is basically listening on the end
of the log file and copies stuff off immediately when there's new data. It
depends on the latency of the select( ) system call on the underlying
platform but that's pretty quick. :)

> I would prefer a more real time solution, e.g. (if the logging host is
> running Unix) syslogging to a port that's forwarded via a SSH tunnel to
> a logging host. The delay would go down from minutes or hours to 10ths
> of seconds. Sure, the attacker could DoS the logging server once he has
> access to clients, but the original info would still be there.

Really, that's no different from what SLR does except that there's
_also_ a file on the machine. Having an SSH tunnel listening to a
port means you've got a process in a select( ) read and having a
(albeit proprietary) tunnel listening on a file means you've got
a process in a select( ) read and you can also checkpoint data
across reboots and you don't lose the contents of the tunnel if
the system crashes.  10ths of seconds is a very generous estimate,
BTW, it's more like sub-1000ths of seconds...

> Another solution would be to have syslog write to a named pipe and
> connect the output of the pipe to an ssh connection sending/grabbing
> info to/from the syslog server.

This doesn't survive crash or reboot very well.

mjr.
---
Marcus J. Ranum     Chief Technology Officer, NFR Security Inc.
Work:  http://www.nfr.com
Play: http://www.ranum.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
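Marcus's point that a forwarder which tails a file can checkpoint its position across reboots (unlike a named pipe, whose contents vanish on a crash) can be shown in a small log follower. This is an added example, not NFR's SLR code or anything posted in the thread; the file names, the JSON checkpoint format, the "rotated"/"truncated" notes and the sample records are assumptions.

```python
import json, os, tempfile
from typing import Callable, Dict, List
def load_checkpoint(path: str) -> dict:
    """Persisted {inode, offset} from the last run, or a fresh state."""
    try:
        with open(path) as f:
            return json.load(f)
    except (FileNotFoundError, ValueError):
        return {"inode": None, "offset": 0}

def save_checkpoint(path: str, state: dict) -> None:
    """Write-then-rename so a crash mid-write leaves the old checkpoint intact."""
    with open(path + ".tmp", "w") as f:
        json.dump(state, f)
    os.replace(path + ".tmp", path)

def forward_new_lines(log_path: str, ckpt_path: str, sink: Callable[[str], None]) -> List[str]:
    """Ship each complete line appended since the checkpoint; return anomaly notes.
    'rotated' = inode changed; 'truncated' = file shrank below the checkpoint
    (log rotation, or the log being edited in place on a compromised host)."""
    state, st, notes = load_checkpoint(ckpt_path), os.stat(log_path), []
    if state["inode"] is not None and st.st_ino != state["inode"]:
        notes.append("rotated"); state["offset"] = 0
    elif st.st_size < state["offset"]:
        notes.append("truncated"); state["offset"] = 0
    state["inode"] = st.st_ino
    with open(log_path, "rb") as f:
        f.seek(state["offset"])
        for line in iter(f.readline, b""):
            if not line.endswith(b"\n"):  # partial write: pick it up next pass
                break
            sink(line.decode("utf-8", "replace").rstrip("\n"))
            state["offset"] = f.tell()   # advance only past fully shipped lines
    save_checkpoint(ckpt_path, state)
    return notes

def demo() -> Dict[str, object]:
    """Constructed run: first pass, restart with new data, then a truncated log."""
    d = tempfile.mkdtemp()
    log, ckpt, shipped = os.path.join(d, "auth.log"), os.path.join(d, "auth.ckpt"), []
    with open(log, "w") as f:  # constructed sample records, not real log data
        f.write("sshd[101]: Accepted publickey for ops\nsshd[102]: Failed password for root\n")
    n1 = forward_new_lines(log, ckpt, shipped.append)
    with open(log, "a") as f:  # more data arrives, plus a half-written record
        f.write("sshd[103]: session closed\npartial")
    n2 = forward_new_lines(log, ckpt, shipped.append)  # resumes from saved offset
    with open(log, "w") as f:  # log wiped and rewritten in place
        f.write("sshd[104]: new entry\n")
    n3 = forward_new_lines(log, ckpt, shipped.append)
    return {"shipped": shipped, "notes": n1 + n2 + n3}
```

In production the `sink` would be the write end of the SSH tunnel or a syslog socket; the checkpoint is what lets the forwarder resume after a crash without re-shipping or skipping records.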