Firewall Wizards mailing list archives

Re: syslog and network management


From: "Darden, Patrick S." <darden () armc org>
Date: Wed, 20 Feb 2008 14:02:05 -0500

Nad,

You seemed to be asking 3 questions:

1.  Is it a good idea to have a centralized log server for a plethora of devices and servers?  My answer is yes--it is considered best practice.
2.  Is it a good idea to have other server services like NTP on the box?  My answer is no.  You should turn off all services that aren't absolutely necessary for reasons of security.  Most servers I would say sure--go ahead.  But one of the main reasons for having a centralized log server is for security.  Put a firewall on that box.  Turn off extra services.  Keep it locked up tight.  You will be happy when you have to consult it for a routine audit, happier when HR or Admin needs to know something for sure, and even happier when the FBI or whoever shows up with a warrant or a court order.
3.  Performance-wise, is there anything special needed?  Not really.  It depends on the size of the network, number of devices, how much detail you are recording, etc.  What you describe is a good basis for starting.  Probably the three best things you could do would be: dual core CPU (any decent GHz), a great NIC (or two, lots of UDP bursts from syslog), and lots of storage (you would want to keep at least 1 year in local drive space).

--Patrick Darden
--ARMC


-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com
[mailto:firewall-wizards-bounces () listserv icsalabs com]On Behalf Of
shadow floating
Sent: Tuesday, February 19, 2008 3:52 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] syslog and network management


Thanks a lot Patrick, I was not actually asking about the centralized
log server issue as I believe in it...but is it appropriate to add
firewall and router management applications to be installed onto that
server, like ciscoworks and the like?..or is it better to add another
separate management machine in addition to the syslog machine from the
security point of view?

Thanks a lot

Nad

On Feb 19, 2008 8:35 PM, Darden, Patrick S. <darden () armc org> wrote:

Having a centralized log server is actually defined as best
practice.  It is generally felt that it should only be
the log server though, all other services turned off,
firewall in place, etc. so it can be inviolate for all
auditing, legal procedures, security traces, etc.

The case for centralized logging:
http://ebuzzsaw.com/whitePapers/Case_for_Centralize_Logging.htm




-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com
[mailto:firewall-wizards-bounces () listserv icsalabs com]On Behalf Of
shadow floating
Sent: Tuesday, February 19, 2008 10:20 AM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] syslog and network management


Hi all,
is it appropriate from a security point of view to have one server in
which syslog is installed to collect logs from all network devices
(firewalls, switches and routers), in addition to installing
management software like ciscoworks on the same machine, in
addition to using this machine as a network time server to sync all
network devices? If yes, does anyone recommend certain specs for this
machine or can it be an ordinary machine with 1 GB of memory and 512
GB hard disk and 3.2 GHz processor?

Thanks a lot

regards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards