Firewall Wizards mailing list archives

RE: Syslog set up


From: Mark Tinberg <mtinberg () securepipe com>
Date: Thu, 24 Jul 2003 20:29:58 -0500 (CDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 24 Jul 2003, Melson, Paul wrote:

!-- Also, using TCP syslog can cause the PIX to freeze if it can't
!-- communicate with the syslog server - once the log buffer is full
!-- it stops passing traffic.  Use UDP if at all possible.

Also be advised that using UDP syslog will guarantee that sooner or later
you will lose or corrupt logs.  Anything that could cause packet loss on
the link between the syslog server and the PIX, such as a busy switch or
router, or an attack on your site that generates a large quantity of log
messages, will cause packets to be dropped which will cause log messages
to be permanently lost.  Also any schmo can craft UDP packets that appear
to come from your PIX and have bogus messages in them, and I don't think
you'll have any way to ever tell the difference.

Depending on your security posture, having your PIX freeze up if the link
to your syslog server goes down may be an acceptable compromise for more
reliable and complete logs.   In either case though, you should make every
effort to make sure that your syslog service is never inaccessible,
otherwise you may go blind.

- -- 
Mark Tinberg <MTinberg () securepipe com>
Network Security Engineer, SecurePipe Inc.
New Key fingerprint = FAEF 15E4 FEB3 08E8 66D5  A1A1 16EE C5E4 E523 6C67

        Your daily fortune . . .

If some people didn't tell you, you'd never know they'd been away on vacation.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQE/IIgWFu7F5OUjbGcRAt/4AKDIGrTKtLdfg5JFHGt8KJpGzt8rzACglvPE
y0T6UNCgzVIO0iEPq7mrfBI=
=PbgM
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
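
The trade-off discussed in this thread, as an added example that is not part of the original posts: a simplified model of a firewall logging through a collector outage, comparing UDP (messages silently lost) with TCP (log buffer fills, then traffic is refused). The function name, buffer size, rates and outage pattern are constructed assumptions, not PIX values.

```python
# Simplified model (assumption, not PIX internals): each time step the
# firewall sees `events_per_tick` traffic events, each producing one log
# message. With "udp" a message sent while the collector is unreachable is
# gone for good. With "tcp" messages wait in a bounded log buffer; once it
# is full the firewall refuses traffic instead of passing it unlogged.

def simulate(transport, link_up, events_per_tick=3, buffer_size=8,
             drain_per_tick=5):
    """Return counts of delivered/lost log messages and blocked traffic."""
    if transport not in ("udp", "tcp"):
        raise ValueError("transport must be 'udp' or 'tcp'")
    queued = delivered = lost = blocked = 0
    for up in link_up:
        for _ in range(events_per_tick):
            if transport == "udp":
                # Fire and forget: the sender never learns about the loss.
                if up:
                    delivered += 1
                else:
                    lost += 1
            elif queued < buffer_size:
                queued += 1          # traffic passes, message is buffered
            else:
                blocked += 1         # buffer full: traffic is not passed
        if transport == "tcp" and up:
            sent = min(drain_per_tick, queued)
            queued -= sent
            delivered += sent
    return {"delivered": delivered, "lost": lost,
            "blocked": blocked, "queued": queued}

# Constructed scenario: 3 ticks up, 6 ticks collector outage, 3 ticks up.
OUTAGE = [True] * 3 + [False] * 6 + [True] * 3

if __name__ == "__main__":
    for transport in ("udp", "tcp"):
        print(transport, simulate(transport, OUTAGE))
```

The model only covers loss from an unreachable collector; loss from congestion on a working link and forged UDP messages, both raised in the message above, are outside it.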