Firewall Wizards mailing list archives
RE: websiite log transfers from exposed to internal nets:
From: Linc B <listbot () mailandnews com>
Date: Mon, 23 Jun 2003 03:26:50 -0400
Sorry to reply with a me-too, but you asked for confirmation. Your view is not at all lopsided or skewed. You didn't even say *doze, but the moderator did, so I won't feel out of line for following suit. A policy that allows extra work or cost of ownership as acceptable reasons for less security is lopsided. If you were serious about these being the objections, the first step to better security is to review the policy.

Failing that, I would go with Paul's alternative of putting a *nix box beside the *dozers to act as a transfer point. It's still work, but the material cost is surplus parts and open source licenses. If they balk at the cost of another box, you really only need a 486 with minimal RAM, little hard drive space for the system itself, but large enough for the logs you want to transfer. No GUI, no keyboard, no mouse, no monitor, no access to anywhere, no access from anywhere except ssh from the *doze boxes and the internal *nix box. If cost of licensing really is an issue (but they chose a commercial server platform, so why nitpick about the cost of securing it), well-known and widely used free scp clients are available for win32. It's a safer bet than opening yet another port on a *doze box and entrusting ssh server administration to administrators who see it as extra work.

Devdas suggested encrypting the logs with GnuPG and mailing them. I've done this to transfer logs from *nix to *nix to avoid setting up automated ssh logins between two boxes that already accepted mail from each other but had no other need to open ssh to each other. I would avoid adding mail to the *doze servers if no other reason exists for the servers to have mail clients, but it does eliminate the need for leaving ssh keys or passwords on publicly accessible boxes. Either method raises a risk.

LB

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
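The transfer-point box described in the post above is only as safe as what the ssh key left on the exposed web server can do once it reaches it. What follows is an added example, not code from the original post, the list or either poster: a POSIX sh forced-command wrapper for OpenSSH that pins each web server's key to a source address and lets it do nothing but scp a plainly named file into that host's own drop directory on the transfer box. The account, the /var/spool/logdrop layout, the /usr/local/bin/logdrop-shell path and the host labels are assumptions, and it relies on the classic scp protocol (the receiving side runs `scp -t <path>`), which is what OpenSSH used at the time.

```sh
#!/bin/sh
# Added example, not part of the original post. Assumptions (all hypothetical):
#  - the transfer point is a minimal OpenSSH box with an unprivileged
#    account "logdrop" and one drop directory per exposed host under
#    $LOGDROP_ROOT;
#  - this file is installed as /usr/local/bin/logdrop-shell and named as
#    the forced command in that account's authorized_keys;
#  - the exposed hosts push with the classic scp protocol, so the remote
#    side of a copy is "scp -t <path>".

LOGDROP_ROOT="${LOGDROP_ROOT:-/var/spool/logdrop}"

# Print the authorized_keys line that pins one exposed host's key:
#   $1 = host label (its drop subdirectory), $2 = its source address,
#   $3 = the public key material.
# from= restricts where the key may be used from, command= replaces
# whatever the client asked for with this script, and the no-* options
# remove the pty, tunnels and agent forwarding that a stolen key could
# otherwise buy on the transfer box.
authorized_keys_line() {
    printf 'from="%s",command="/usr/local/bin/logdrop-shell %s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$2" "$1" "$3"
}

# Policy check. $1 = host label, $2 = the command the client actually sent
# (sshd passes it in SSH_ORIGINAL_COMMAND). Returns 0 only for an scp sink
# writing a single plain file name into that host's own drop directory.
logdrop_allowed() {
    label="$1"
    cmd="$2"
    dir="$LOGDROP_ROOT/$label"
    case "$cmd" in
        "scp -t $dir/"?*) ;;            # must be an scp sink under our directory
        *) return 1 ;;
    esac
    name="${cmd#scp -t "$dir"/}"
    case "$name" in
        .*) return 1 ;;                 # no dotfiles, and in particular no ".."
        *[!A-Za-z0-9._-]*) return 1 ;;  # no slashes, spaces or shell metacharacters
    esac
    return 0
}

# Entry point used by sshd. Refuses anything the policy does not allow and
# otherwise runs the real scp sink; the client's request text is never
# handed to a shell.
logdrop_shell() {
    if logdrop_allowed "$1" "${SSH_ORIGINAL_COMMAND:-}"; then
        exec scp -t "${SSH_ORIGINAL_COMMAND#scp -t }"
    fi
    echo "logdrop: refused: ${SSH_ORIGINAL_COMMAND:-(no command)}" >&2
    exit 1
}

# Only act as the forced command when sshd invoked us with a label and an
# original command; sourcing the file just defines the functions above.
if [ $# -eq 1 ] && [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    logdrop_shell "$1"
fi
```

Installed as the `command=` target, sshd runs the wrapper with SSH_ORIGINAL_COMMAND set to what the client asked for, and a key copied off the web server can at most overwrite files in that host's own drop directory from that host's address. Newer OpenSSH releases run scp over SFTP by default, where the equivalent restriction is `ForceCommand internal-sftp` with `ChrootDirectory` in sshd_config. This limits what a stolen key buys on the transfer box and nothing more; the logs still sit in the clear on the exposed host, which is where the GnuPG step suggested earlier in the thread adds value whatever the transport.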
Current thread:
- websiite log transfers from exposed to internal nets: R. DuFresne (Jun 22)
- Re: websiite log transfers from exposed to internal nets: Paul Robertson (Jun 22)
- Re: websiite log transfers from exposed to internal nets: Richard Threadgill (Jun 22)
- <Possible follow-ups>
- RE: websiite log transfers from exposed to internal nets: R. DuFresne (Jun 22)
- Re: RE: websiite log transfers from exposed to internal nets: Devdas Bhagat (Jun 22)
- RE: websiite log transfers from exposed to internal nets: Linc B (Jun 23)