We have a similar setup with front end DMZs (where the web servers go), back end DMZs (where the database servers go), and monitoring DMZs (where syslog and other servers go). But all DMZs go through the firewall so your not getting past the 100Mb interfaces on the firewall. Do you mean that you have 3 interfaces on every machine or at least 2 where at least 1 interface is connected to a LAN segment that connects your logging machine? Or is there a separate firewall from your front end firewall where this administrative traffic is filtered? If it is the first answer, how do you protect your log server from a break-in on one of your web servers? I've seen many people try to explain that by putting a second interface on a box without firewall protection to use for administration makes the administrative LAN safe. The only thing that this does is make the hacker happy. Once the hacker owns one of your web front ends, then he/she has full access to all of the interfaces on that box. This means that he/she now has full access to that administrative network and all of the machines on that LAN without benefit of a firewall to protect your log server from being attacked on all ports. What's worse is that these people even use an automatic SSH or SSL connection directly to the log server. This means that now the hacker has direct SSH connection right on the log server without having to guess a password. They do this believing that they are protecting the channel, but in reality they are hiding all activity of the hacker from any sniffer or NIDS. I believe the best solution is to make sure that the log server is on it's own LAN protected from all other machines by a firewall. To move the logs, only allow the normal syslog or equivalent program to run to the log server from the "clients". Do NOT try to protect this channel with null password public key authentication over IPsec, SSH or SSL. Ron Ogle Thomson multimedia oglerat_private > -----Original Message----- > From: Nate Campi [mailto:nateat_private] > Sent: Tuesday, August 14, 2001 1:51 AM > To: Greg Broiles > Cc: Marlys A Nelson; loganalysisat_private > Subject: Re: [loganalysis] Re: Central syslog server best practices? > > > We've implemented a three-network topology in our newer datacenter > networks. We have a "front-net" for live internet traffic, a > "mid-net" for > server to server traffic (for database access, multi-tiered > apps, etc) and > a "back-net" for administrative traffic like syslog traffic > and pulling > logs from servers for hit tracking. > > > I tend to agree with MJ Ranum, that many of the problems lie with > standard syslog daemons, and the underlying OS. I use > syslog-ng with TCP > connections to minimize loss of log traffic, so far so good. > -- > Nate Campi (415) 276-8678 UNIX Ops, Terra Lycos - WiReD SF > > --------------------------------------------------------------------- > To unsubscribe, e-mail: loganalysis-unsubscribeat_private > For additional commands, e-mail: loganalysis-helpat_private > --------------------------------------------------------------------- To unsubscribe, e-mail: loganalysis-unsubscribeat_private For additional commands, e-mail: loganalysis-helpat_private
This archive was generated by hypermail 2b30 : Wed Aug 15 2001 - 11:19:19 PDT