Firewall Wizards mailing list archives

Re: "Dropsafe" logs

From: "Info Security Office - ITS - Yale Univ." <information.security () yale edu>
Date: Thu, 8 Apr 1999 16:40:24 -0400 (EDT)


How about a serial line off of the device connected to a teletypewriter
(a DecWriter IV, a high-speed Diablo, etc.)?

Firewalls (ala PIX) can be configured to log to a serial port and most
Unix/Linux bastion hosts can be configured in /etc/syslog.conf to do
the same (e.g. to /dev/ttya).

Otherwise (if not fast enough for you) you can simulate the same thing
by plugging a standalone dedicated PC into the serial port and have it
log everything written to the serial port to a disk file on the fairly
dumb (non-networked) PC.

We are seeking a means to implement real-time write-once "dropsafe" logs of

our

firewall bastion in case of a system failure or a hacker trying to cover their 
tracks.  Unfortunately, unless there's an alternative I'm not aware of, a CD-R 
requires a complete disk image in ISO 9660 format to be burned into the 
writeable disk all at once, which means we either have to wait until we have 
nearly 640 MB of logfiles to write or waste an awful lot of writeable disk 
space.  We have no operational experience with MO drives here, nor would we

want

to risk those models where write-once settings can be turned off in software. 
Sending output to a line printer is not an attractive option, nor is keeping 
around a machine that would otherwise be junk just to monitor, for example, 
serial line output from the bastion host and dump terminal sessions a few kb

at

a time to a permanent logfile.

What are others doing to maintain real-time write-once copies of firewall

logs?

Is there write-once media to which data can be written in realtime (i.e. like

real filesystem)?

AdTHANKSvance,
Scott Crawford


H. Morrow Long
Information Security Office            (203)432-1248(VOICE)
ITS, Yale University                   (203)432-0593(FAX)
INET: http://www.yale.edu/its/security mailto:information.security () yale edu
PAGE: (203)370-3081, (800)347-2574,    mailto:1165469 () pager mcb com PIN# 1165469

Current thread:

Re: "Dropsafe" logs, (continued)
- Re: "Dropsafe" logs Roelof JT Jonkman (Apr 08)
- Re: "Dropsafe" logs Jim Laverty (Apr 10)
- Re: "Dropsafe" logs Joseph S D Yao (Apr 10)
- Re: "Dropsafe" logs Steven M. Bellovin (Apr 08)
- RE: "Dropsafe" logs Frank W. Keeney (Apr 10)
- Re: "Dropsafe" logs Bret McDanel (Apr 10)
- Re: "Dropsafe" logs Bret McDanel (Apr 10)
- RE: "Dropsafe" logs Russ (Apr 10)
- Re: "Dropsafe" logs Robert Graham (Apr 10)
- Re: "Dropsafe" logs Steven M. Bellovin (Apr 10)
- Re: "Dropsafe" logs Info Security Office - ITS - Yale Univ. (Apr 10)