RE: [loganalysis] Re: Central syslog server best practices?

From: Ogle Ron (Rennes) (OgleRat_private)
Date: Tue Aug 14 2001 - 17:04:30 PDT


    We have a similar setup with front end DMZs (where the web servers go), back
    end DMZs (where the database servers go), and monitoring DMZs (where syslog
    and other servers go).  But all DMZs go through the firewall so you're not
    getting past the 100Mb interfaces on the firewall.
    
    Do you mean that you have 3 interfaces on every machine or at least 2 where
    at least 1 interface is connected to a LAN segment that connects your
    logging machine?  Or is there a separate firewall from your front end
    firewall where this administrative traffic is filtered?
    
    If it is the first answer, how do you protect your log server from a
    break-in on one of your web servers?  I've seen many people try to explain
    that by putting a second interface on a box without firewall protection to
    use for administration makes the administrative LAN safe.  
    
    The only thing that this does is make the hacker happy.  Once the hacker
    owns one of your web front ends, then he/she has full access to all of the
    interfaces on that box.  This means that he/she now has full access to that
    administrative network and all of the machines on that LAN without benefit
    of a firewall to protect your log server from being attacked on all ports.
    
    What's worse is that these people even use an automatic SSH or SSL
    connection directly to the log server.  This means that now the hacker has
    direct SSH connection right on the log server without having to guess a
    password.  They do this believing that they are protecting the channel, but
    in reality they are hiding all activity of the hacker from any sniffer or
    NIDS.
    
    I believe the best solution is to make sure that the log server is on its
    own LAN protected from all other machines by a firewall.  To move the logs,
    only allow the normal syslog or equivalent program to run to the log server
    from the "clients".  Do NOT try to protect this channel with null password
    public key authentication over IPsec, SSH or SSL.
    
    Ron Ogle
    Thomson multimedia
    oglerat_private
    
    > -----Original Message-----
    > From: Nate Campi [mailto:nateat_private]
    > Sent: Tuesday, August 14, 2001 1:51 AM
    > To: Greg Broiles
    > Cc: Marlys A Nelson; loganalysisat_private
    > Subject: Re: [loganalysis] Re: Central syslog server best practices?
    > 
    > 
    > We've implemented a three-network topology in our newer datacenter
    > networks. We have a "front-net" for live internet traffic, a "mid-net" for
    > server to server traffic (for database access, multi-tiered apps, etc) and
    > a "back-net" for administrative traffic like syslog traffic and pulling
    > logs from servers for hit tracking.
    > 
    > 
    > I tend to agree with MJ Ranum, that many of the problems lie with
    > standard syslog daemons, and the underlying OS. I use syslog-ng with TCP
    > connections to minimize loss of log traffic, so far so good.
    > -- 
    > Nate Campi  (415) 276-8678  UNIX Ops, Terra Lycos - WiReD SF
    > 
    > ---------------------------------------------------------------------
    > To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    > For additional commands, e-mail: loganalysis-helpat_private
    > 
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
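The isolated log-server LAN Ron describes (default deny, only syslog from the "clients", no SSH trust from the DMZ hosts), written out as a host firewall ruleset generator for the log server. This is an added example, not code from the thread or from either poster; the interface name, the admin workstation address and the client addresses are assumed placeholders, and TCP 514 is included to cover syslog-ng over TCP as Nate uses it.

```shell
#!/bin/sh
# Added example (not from the original thread): generate the inbound
# ruleset for a central log server on its own monitoring LAN.
# Policy: default deny; DMZ "clients" may only send syslog (UDP 514 for
# classic syslogd, TCP 514 for syslog-ng over TCP); no SSH from any client,
# so a compromised web front end gets no interactive path to the log host.
# All addresses below are constructed placeholders.

LOG_SERVER_IF="eth0"        # assumed interface facing the monitoring LAN
ADMIN_HOST="10.0.9.10"      # assumed admin workstation, NOT a DMZ host

# gen_log_server_rules <client-ip>... : print iptables commands to stdout
# so they can be reviewed before being applied.
gen_log_server_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for client in "$@"; do
        # syslog only: UDP 514 (syslogd) and TCP 514 (syslog-ng TCP)
        echo "iptables -A INPUT -i $LOG_SERVER_IF -s $client -p udp --dport 514 -j ACCEPT"
        echo "iptables -A INPUT -i $LOG_SERVER_IF -s $client -p tcp --dport 514 -j ACCEPT"
    done
    # Administrative SSH only from the admin workstation, never from a client.
    echo "iptables -A INPUT -i $LOG_SERVER_IF -s $ADMIN_HOST -p tcp --dport 22 -j ACCEPT"
    # Everything else is logged and then hits the DROP policy.
    echo "iptables -A INPUT -j LOG --log-prefix 'logsrv-drop: '"
}

# allows_ssh_from <ruleset-text> <ip> : succeed if the ruleset grants SSH
# from <ip>. Sanity check before applying: a DMZ client must never pass.
allows_ssh_from() {
    printf '%s\n' "$1" | grep -q -- "-s $2 .*--dport 22 -j ACCEPT"
}

# Two web front ends and one database host as constructed clients.
RULES=$(gen_log_server_rules 192.0.2.10 192.0.2.11 198.51.100.20)
printf '%s\n' "$RULES"
```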
    
    This archive was generated by hypermail 2b30 : Wed Aug 15 2001 - 11:19:19 PDT