logging questions

From: Anonymous (nobodyat_private)
Date: Fri Apr 24 1998 - 07:18:40 PDT

    We are considering the following system for centralizing, archiving and
    authenticating firewall log files.  Across the corporation we have m
    firewalls and 2 loghosts.  Each loghost is in a different location and sits
    behind a packet filtering firewall.  Each firewall would log to its local
    disk as well as to both log hosts.  Logs will be encrypted across the wire
    but not on the local disk.
    
    At the end of each logging period (e.g. weekly) logs are collected from all
    3 sources (loghost1, loghost2, firewall(i) local disk), compared to ensure
    there are no differences, and written to an appropriate storage device (e.g. a
    writable CD-ROM).
    
    Assuming that all of the firewalls are appropriately configured and that
    the loghosts are as trusted as anything on our network, can we be
    reasonably sure that the logs have not been altered?
    
    We realize that we can make no claims about the logs from a given firewall
    after it is compromised.  But we would like to ensure that the logs from
    BEFORE the firewall was compromised are accurate.
    
    Is this a sound approach? Anything we are overlooking or should take into
    account?
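The end-of-period reconciliation described above, and the question of what can still be said about entries written before a firewall is compromised, worked as an added example. This is not code from the original post or from the list; the log lines are constructed, and the forward hash chain with a per-period anchor committed to the write-once medium is an addition of this example, not something the post proposes. With a majority vote over the three copies, a single altered copy (for instance the firewall's local disk after a clean-up) is identified and diffed; with the chain, any later edit to a period whose anchor has already been burned fails verification, even if all three online copies were changed.

```python
"""Three-way reconciliation and hash-chain anchoring of firewall logs.

Added example, not from the original post.  The sample log lines below are
constructed, not captured from any real firewall.
"""
import difflib
import hashlib
from collections import Counter

# Constructed sample: what each of the three sources holds for one period.
LOGHOST1 = [
    "Apr 24 07:00:01 fw1 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.1 PROTO=TCP DPT=23",
    "Apr 24 07:00:07 fw1 kernel: ACCEPT IN=eth1 SRC=192.168.1.20 DST=10.0.0.9 PROTO=TCP DPT=80",
    "Apr 24 07:00:09 fw1 sshd[412]: Accepted publickey for admin from 192.168.1.20",
]
LOGHOST2 = list(LOGHOST1)
# Hypothetical local copy after a post-compromise clean-up: last line removed.
FIREWALL_LOCAL_TAMPERED = [LOGHOST1[0], LOGHOST1[1]]


def digest(lines):
    """SHA-256 over the whole period, used to compare copies cheaply."""
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()


def reconcile(copies):
    """Compare every copy of one period's log.

    copies: {source_name: [lines]}.  Returns the majority digest (None when
    no copy is held by more than half the sources), the sources that deviate
    from it, and a unified diff of each deviating copy against the majority.
    """
    digests = {name: digest(lines) for name, lines in copies.items()}
    top, count = Counter(digests.values()).most_common(1)[0]
    if count * 2 <= len(copies):
        # No majority: no copy can be called the true log; escalate by hand.
        return {"majority": None, "deviating": sorted(copies), "diffs": {}}
    reference = next(lines for name, lines in copies.items() if digests[name] == top)
    deviating, diffs = [], {}
    for name, lines in copies.items():
        if digests[name] != top:
            deviating.append(name)
            diffs[name] = "\n".join(difflib.unified_diff(
                reference, lines, fromfile="majority", tofile=name, lineterm=""))
    return {"majority": top, "deviating": sorted(deviating), "diffs": diffs}


GENESIS = "0" * 64  # chain start for the very first period


def chain(lines, prev=GENESIS):
    """Forward hash chain: h_i = SHA256(h_{i-1} || line_i).

    The final link is the period's anchor.  Shipping it to both loghosts and
    burning it with the period's logs means entries already anchored cannot
    be rewritten later without the chain failing to recompute.  It says
    nothing about entries the firewall never emitted after compromise.
    """
    h = prev
    for line in lines:
        h = hashlib.sha256((h + "\n" + line).encode()).hexdigest()
    return h


def verify_against_anchor(lines, anchor, prev=GENESIS):
    """True when `lines` reproduce the anchor recorded for that period."""
    return chain(lines, prev) == anchor


if __name__ == "__main__":
    report = reconcile({"loghost1": LOGHOST1, "loghost2": LOGHOST2,
                        "fw1-local": FIREWALL_LOCAL_TAMPERED})
    print("majority:", report["majority"])
    for name in report["deviating"]:
        print(f"--- {name} deviates ---")
        print(report["diffs"][name])
    anchor = chain(LOGHOST1)
    print("anchor for this period:", anchor)
    print("tampered copy verifies:", verify_against_anchor(FIREWALL_LOCAL_TAMPERED, anchor))
    # Next period chains from this anchor, so dropping a whole period is
    # also detectable once the following anchor exists.
    print("next period would start from:", anchor[:16], "...")
```

Starting each period's chain from the previous period's anchor is what makes removal of an entire period detectable; the burned medium should therefore carry the anchor alongside the logs, and the anchors are small enough to also be mailed or printed out-of-band.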
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:56:39 PDT