Firewall Wizards mailing list archives

Re: "Dropsafe" logs


From: "Info Security Office - ITS - Yale Univ." <information.security () yale edu>
Date: Thu, 8 Apr 1999 16:40:24 -0400 (EDT)


How about a serial line off of the device connected to a teletypewriter
(a DecWriter IV, a high-speed Diablo, etc.)?

Firewalls (à la PIX) can be configured to log to a serial port and most
Unix/Linux bastion hosts can be configured in /etc/syslog.conf to do
the same (e.g. to /dev/ttya).

Otherwise (if not fast enough for you) you can simulate the same thing
by plugging a standalone dedicated PC into the serial port and having it
log everything written to the serial port to a disk file on the fairly
dumb (non-networked) PC.

We are seeking a means to implement real-time write-once "dropsafe" logs
of our firewall bastion in case of a system failure or a hacker trying to
cover their tracks.  Unfortunately, unless there's an alternative I'm not
aware of, a CD-R requires a complete disk image in ISO 9660 format to be
burned into the writeable disk all at once, which means we either have to
wait until we have nearly 640 MB of logfiles to write or waste an awful
lot of writeable disk space.  We have no operational experience with MO
drives here, nor would we want to risk those models where write-once
settings can be turned off in software.  Sending output to a line printer
is not an attractive option, nor is keeping around a machine that would
otherwise be junk just to monitor, for example, serial line output from
the bastion host and dump terminal sessions a few kb at a time to a
permanent logfile.

What are others doing to maintain real-time write-once copies of firewall
logs?  Is there write-once media to which data can be written in realtime
(i.e. like a real filesystem)?

AdTHANKSvance,
Scott Crawford


H. Morrow Long
Information Security Office            (203)432-1248(VOICE)
ITS, Yale University                   (203)432-0593(FAX)
INET: http://www.yale.edu/its/security mailto:information.security () yale edu
PAGE: (203)370-3081, (800)347-2574,    mailto:1165469 () pager mcb com PIN# 1165469
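
The standalone capture PC described in the message above, sketched as an added example that is not part of the original post or of any product it mentions. The function name `capture`, the device path `/dev/ttyS0`, the log file name and the sample lines are assumptions; the serial line is assumed to be configured (speed, parity) before the script opens it.

```python
import io, os, sys, tempfile, time

# Constructed sample of what a bastion host might emit on the serial line.
SAMPLE = (b"Apr  8 16:40:24 bastion su: constructed line one\r\n"
          b"\r\n"
          b"Apr  8 16:40:25 bastion login: constructed line two\n")

def capture(source, log_path, stamp=time.time):
    """Copy every non-empty line read from `source` (a binary file object,
    e.g. the opened serial device) to `log_path`.

    The log is opened append-only and fsync'ed after each line, so a crash
    or power loss on the capture PC loses at most the line in flight.
    Returns the number of lines written.
    """
    fd = os.open(log_path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    written = 0
    try:
        # readline() returns b"" only at end of input; on a live serial
        # device it blocks until the sender emits a full line.
        for raw in iter(source.readline, b""):
            line = raw.rstrip(b"\r\n")
            if not line:
                continue  # skip blank lines left by CR/LF pairs
            # Prefix the receiver's own clock: it is independent of the
            # clock on the (possibly compromised) sending host.
            os.write(fd, b"%d %s\n" % (int(stamp()), line))
            os.fsync(fd)
            written += 1
    finally:
        os.close(fd)
    return written

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Hypothetical invocation: capture.py /dev/ttyS0 firewall.log
        with open(sys.argv[1], "rb", buffering=0) as tty:
            capture(tty, sys.argv[2])
    else:
        # No arguments: run once over the constructed sample.
        path = os.path.join(tempfile.mkdtemp(), "firewall.log")
        print(capture(io.BytesIO(SAMPLE), path), "lines written to", path)
```

Because the capture PC has no network interface and only reads the serial line, someone who controls the bastion host can add lines to this log but has no channel through which to alter or delete earlier ones.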


