Firewall Wizards mailing list archives
Re: Secure logging architectures
From: Andre Delafontaine <delafontaine () nagra com>
Date: Wed, 28 Nov 2001 13:33:23 +0100
I see lots of possible mechanisms to implement with, running the gamut from some type of transferring via secure copy protocol to Marcus's/NFR's Secure Log Repository.
The issue I have with this kind of implementation is that it probably won't work when you need it the most: when the attack works and the intruder has control of your host. They can stop the automatic transfer and/or change the files sent.

I would prefer a more real-time solution, e.g. (if the logging host is running Unix) syslogging to a port that's forwarded via an SSH tunnel to a logging host. The delay would go down from minutes or hours to tenths of seconds. Sure, the attacker could DoS the logging server once he has access to clients, but the original info would still be there.

Another solution would be to have syslog write to a named pipe and connect the output of the pipe to an ssh connection sending/grabbing info to/from the syslog server.

On a side note, anyone looked into syslogNG?

André

--
Documentation is like sex: when it is good, it is very, very good; and when it is bad, it is better than nothing. -- Dick Brandon
delafontaine at nagra.com keyID 0A2172EE
F20 DSS: 21EA 89DD 213B 8DB1 B6B5 6E42 7C22 65AD 0A21 72EE
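The "syslog to a port forwarded over an SSH tunnel" path described above, as an added example that is not part of the original message or of any tool it names. One practical snag a defender hits when building it: classic BSD syslogd sends UDP, and `ssh -L` forwards TCP only, so something on the client has to turn each UDP datagram into a TCP record before it enters the tunnel (syslog-ng can receive TCP on the collector side). The script below is that small loopback relay. The tunnel command, the listening ports and the host name are assumptions for the example; the collector-side configuration is not shown.

```python
"""
Loopback UDP -> TCP syslog relay for use behind an SSH port forward.

Intended deployment (all names/ports are assumptions for this example):
    syslog.conf on the client:   *.*  @127.0.0.1:5514   (or the local equivalent)
    tunnel on the client:        ssh -N -L 1514:127.0.0.1:514 loghost.example
    collector (loghost):         a TCP syslog listener on 127.0.0.1:514
The relay reads datagrams on UDP 5514 and writes one line per message to
TCP 1514, i.e. into the tunnel, so each event leaves the host within a
fraction of a second instead of waiting for a periodic copy.
"""
import re
import socket
from collections import deque

LISTEN_UDP = ("127.0.0.1", 5514)   # assumption: where the local syslogd forwards
TUNNEL_TCP = ("127.0.0.1", 1514)   # assumption: local end of the ssh -L tunnel
MAX_BACKLOG = 10_000               # records kept in memory while the tunnel is down

PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_pri(datagram):
    """Split a BSD syslog datagram into (facility, severity, rest).

    Returns None when the <PRI> prefix is missing or out of range (0..191),
    which lets a relay flag malformed input instead of guessing.
    """
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return pri >> 3, pri & 7, datagram[m.end():]


def frame_for_tcp(datagram):
    """Turn one datagram into exactly one newline-terminated TCP record.

    Trailing CR/LF/NUL added by some syslogds are stripped, then any CR/LF
    left inside the message is escaped, so a crafted message cannot inject
    additional records into the collector's stream.
    """
    body = datagram.rstrip(b"\r\n\x00")
    body = body.replace(b"\r", b"\\r").replace(b"\n", b"\\n")
    return body + b"\n"


class TunnelForwarder:
    """Writes records to the tunnel endpoint, keeping a bounded backlog
    while the connection is down rather than silently dropping events."""

    def __init__(self, addr, max_backlog=MAX_BACKLOG):
        self.addr = addr
        self.backlog = deque(maxlen=max_backlog)
        self.sock = None
        self.dropped = 0   # records discarded because the backlog overflowed

    def send(self, record):
        """Queue a record and try to flush; returns True if the queue is empty."""
        if len(self.backlog) == self.backlog.maxlen:
            self.dropped += 1          # the oldest record is evicted by the deque
        self.backlog.append(record)
        return self.flush()

    def flush(self):
        try:
            if self.sock is None:
                self.sock = socket.create_connection(self.addr, timeout=2)
            while self.backlog:
                self.sock.sendall(self.backlog[0])
                self.backlog.popleft()  # only dequeue once the write succeeded
            return True
        except OSError:
            if self.sock is not None:
                self.sock.close()
                self.sock = None
            return False


def relay_loop(listen=LISTEN_UDP, tunnel=TUNNEL_TCP):
    """Receive datagrams on loopback UDP and push them into the tunnel."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(listen)
    fwd = TunnelForwarder(tunnel)
    while True:
        datagram, _ = udp.recvfrom(65535)
        if parse_pri(datagram) is None:
            datagram = b"<13>" + datagram   # user.notice for malformed input
        fwd.send(frame_for_tcp(datagram))


if __name__ == "__main__":
    relay_loop()
```

Because the relay binds only to loopback, nothing off-host can inject into it, and because the SSH session is authenticated, the collector can attribute every record to the host whose key opened the tunnel. The backlog counter `dropped` is worth exporting to the collector once the tunnel returns: a non-zero value during an incident tells the responder exactly how many events were lost while the attacker had the logging path down.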