Firewall Wizards mailing list archives

Re: Secure logging architectures


From: Andre Delafontaine <delafontaine () nagra com>
Date: Wed, 28 Nov 2001 13:33:23 +0100

I see lots of possible
mechanisms to implement with, running the gamut from some type of
transferring via secure copy protocol to Marcus's/NFR's Secure Log
Repository. 

The issue I have with this kind of implementation is that it probably
won't work when you need it the most: when the attack works and the
intruder has control of your host. They can stop the automatic transfer
and/or change the files sent.

I would prefer a more real time solution, e.g. (if the logging host is
running Unix) syslogging to a port that's forwarded via an SSH tunnel to
a logging host. The delay would go down from minutes or hours to tenths
of seconds. Sure, the attacker could DoS the logging server once he has
access to clients, but the original info would still be there.

Another solution would be to have syslog write to a named pipe and
connect the output of the pipe to an ssh connection sending/grabbing
info to/from the syslog server.


On a side note, has anyone looked into syslog-ng?

André
-- 
Documentation is like sex: when it is good, it is very, very good; and
when it is bad, it is better than nothing.
                -- Dick Brandon

          delafontaine at nagra.com  keyID 0A2172EE
  F20 DSS: 21EA 89DD 213B 8DB1 B6B5  6E42 7C22 65AD 0A21 72EE
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
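The named-pipe-plus-tunnel design described in the post above, as an added example that is not part of the original message: a small Python relay that reads the lines syslogd writes to a FIFO and pushes each one, as it arrives, into the local end of an SSH port forward. The syslog.conf entry, the FIFO path, port 5140 and the ssh command are assumptions.

```python
# Added illustration, not from the original post. Assumed setup:
#   syslog.conf:  *.*  |/var/run/syslog.fifo     (syslogd writes into a FIFO)
#   tunnel:       ssh -N -L 5140:127.0.0.1:5140 loghost
#   loghost:      a TCP syslog listener on 127.0.0.1:5140
# Each line is forwarded the moment it arrives; lines that cannot be delivered
# because the tunnel is down are handed back to the caller, not silently dropped.
import socket

TUNNEL_HOST = "127.0.0.1"   # local end of the ssh -L forward (assumed)
TUNNEL_PORT = 5140          # unprivileged port chosen for the forward (assumed)


def connect(host, port, timeout=2.0):
    """Open a TCP connection to the tunnel end, or return None if it is down."""
    try:
        return socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None


def relay(source, host=TUNNEL_HOST, port=TUNNEL_PORT):
    """Forward every non-empty line from `source` (an open FIFO or any
    line-iterable file object) over the tunnel, one newline-framed record each.

    Returns (delivered, undelivered): the number of lines sent and the lines
    that could not be sent because no connection was available.
    """
    delivered, undelivered = 0, []
    sock = connect(host, port)
    for raw in source:
        line = raw.rstrip("\n")
        if not line:
            continue
        if sock is None:                 # tunnel may have come back since
            sock = connect(host, port)
        if sock is None:
            undelivered.append(line)
            continue
        try:
            sock.sendall((line + "\n").encode())
            delivered += 1
        except OSError:                  # peer vanished mid-stream
            sock.close()
            sock = None
            undelivered.append(line)
    if sock is not None:
        sock.close()
    return delivered, undelivered
```

In production, reopen the FIFO in a loop (a read hits EOF whenever syslogd closes its end) and spool the returned undelivered lines to local disk for a later retry.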

