On Fri, 24 Apr 1998, Anonymous wrote:

[something about a lot of firewalls logging remotely to 2 loghosts]
[...]
> Assuming that all of the firewalls are appropriately configured and that
> the loghosts are as trusted as anything on our network, Can we be
> reasonably sure that the logs have not been altered?
>
> We realize that we can make no claims about the logs from a given firewall
> after it is compromised. But we would like to ensure that the logs from
> BEFORE the firewall was compromised are accurate.
>

There are two cryptographic protocols designed to accomplish this (PEO-1 and VCR). I recommend you take a look at http://www.core-sdi.com/ssyslog where you can find the papers describing the protocols and an implementation of syslog that uses PEO-1 to guarantee that the logs written to disk before an intrusion weren't modified.

Emiliano Kargieman