Firewall Wizards mailing list archives
Re: Secure logging architectures
From: "Marcus J. Ranum" <mjr () nfr com>
Date: Wed, 28 Nov 2001 13:09:14 -0500
Andre Delafontaine wrote:
> I see lots of possible mechanisms to implement with, running the gamut from some type of transferring via secure copy protocol to Marcus's/NFR's Secure Log Repository. The issue I have with this kind of implementation is that it probably won't work when you need it the most: when the attack works and the intruder has control of your host. They can stop the automatic transfer and/or change the files sent.
It depends on timing, of course. Copying logs off a machine, no matter how "real time" you make it, will have a small window in which something can be altered. The NFR SLR architecture is basically listening on the end of the log file and copies stuff off immediately when there's new data. It depends on the latency of the select( ) system call on the underlying platform but that's pretty quick. :)
> I would prefer a more real time solution, e.g. (if the logging host is running Unix) syslogging to a port that's forwarded via an SSH tunnel to a logging host. The delay would go down from minutes or hours to 10ths of seconds. Sure, the attacker could DoS the logging server once he has access to clients, but the original info would still be there.
Really, that's no different from what SLR does except that there's _also_ a file on the machine. Having an SSH tunnel listening to a port means you've got a process in a select( ) read, and having a (albeit proprietary) tunnel listening on a file means you've got a process in a select( ) read and you can also checkpoint data across reboots and you don't lose the contents of the tunnel if the system crashes. 10ths of seconds is a very generous estimate, BTW, it's more like sub-1000ths of seconds...
> Another solution would be to have syslog write to a named pipe and connect the output of the pipe to an ssh connection sending/grabbing info to/from the syslog server.
This doesn't survive crash or reboot very well.

mjr.
---
Marcus J. Ranum
Chief Technology Officer, NFR Security Inc.
Work: http://www.nfr.com
Play: http://www.ranum.com
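The file-tailing approach Marcus describes (read whatever is new at the end of the log, ship it off-host right away, and checkpoint how far you got so a crash or reboot loses nothing) sketched as an added example; this is not NFR SLR code or anything posted in the thread. The off-host transport is abstracted as a `ship` callback, and the inode/size checks for rotation and truncation are my assumption of what such a follower needs, not something the thread specifies.

```python
import json, os, tempfile
def read_checkpoint(state_path):
    # (inode, offset) reached by the last successful ship, or (None, 0) if no record yet
    try:
        with open(state_path) as f:
            inode, offset = json.load(f)
        return inode, offset
    except (OSError, ValueError, TypeError):
        return None, 0

def write_checkpoint(state_path, inode, offset):
    # temp file + fsync + rename: a crash leaves the old record or the new one, never a torn one
    tmp = state_path + ".tmp"
    with open(tmp, "w") as f:
        json.dump([inode, offset], f)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, state_path)

def follow_once(log_path, state_path, ship):
    # ship() each complete line appended since the checkpoint; returns how many were shipped
    st = os.stat(log_path)
    inode, offset = read_checkpoint(state_path)
    if inode != st.st_ino or offset > st.st_size:
        offset = 0  # rotated (new inode) or truncated: restart at the top of the new content
    count = 0
    with open(log_path, "rb") as f:
        f.seek(offset)
        for line in iter(f.readline, b""):
            if not line.endswith(b"\n"):
                break  # partial last line: leave it for the next pass
            ship(line)
            count += 1
            offset = f.tell()
    write_checkpoint(state_path, st.st_ino, offset)
    return count

def demo():
    # constructed run on temp files: append, complete a split line, then truncate in place
    d = tempfile.mkdtemp()
    log, ckpt = os.path.join(d, "messages"), os.path.join(d, "messages.ckpt")
    received = []
    with open(log, "ab") as f: f.write(b"Nov 28 13:09:14 host sshd[100]: Accepted publickey\nNov 28 13:09:15 host su: sess")
    first = follow_once(log, ckpt, received.append)
    with open(log, "ab") as f: f.write(b"ion opened\n")
    second = follow_once(log, ckpt, received.append)
    open(log, "wb").close()  # in-place truncation; a rename-style rotation would change the inode instead
    with open(log, "ab") as f: f.write(b"Nov 28 13:10:00 host syslogd: restart\n")
    third = follow_once(log, ckpt, received.append)
    return (first, second, third), received
```

In a real deployment `follow_once` would be driven by a wakeup mechanism (select() on a pipe, inotify, or a short poll) and `ship` would write to the remote collector before the checkpoint advances, so a crash between the two can only cause a resend, never a loss.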