Some off-the-head thoughts on this:

Going from where you left off in regards to keeping the IDS output on the
loghost, I might suggest creating email accounts on the loghost to which
you directly send the mails. This wouldn't be any more difficult than
sending them off-host. Then you can dictate a login method of your
favorite cryptographic protocol (ssh, imaps, what-have-you). This shifts
the (major) vulnerability point to the workstation from which the admins
log in, but with a secure connection, this is a lot less troublesome.

My other thought would be to use some sort of database to store the IDS
output (local to the loghost) and have an https connection to it --
really no different from the above method in terms of vulnerability
points.

--rowan

Lo, Jeff King and the coffee pot sang in unison:
>
> I'm setting a log review policy for my network, and I just wanted to get
> others' input. Specifically, I'm interested in the actual machines used
> for reviewing logs.
>
> Our setup is (I expect) pretty typical: servers log in real-time to a
> central loghost (which is presumably secured since it does nothing but
> accept log entries). All log entries are stored, regardless of merit,
> and IDS processing occurs on the central server. The results of the IDS
> audit are mailed to the sysadmins. The sysadmins review the mails, but
> infrequently look at the full logs (usually only to investigate a
> problem indicated by the mails).
>
> For the most part, this works. However, you have a circular trust chain.
> You don't trust the mail server to not get broken into, so you push its
> logs off to a central logserver. However, you never look at the central
> logserver; you trust the mail server to correctly display the contents
> of the logserver to you. In the case of a malicious attack, deleting the
> mailserver logs is no longer impossible; it's just harder (you have to
> delete the logs *and* the mail).
>
> Have people implemented policy to deal with this? Clearly, the most
> secure thing is to cut the chain of trust down to the keyboard and
> monitor on the logserver. However, sitting on console on that box might
> be inconvenient, especially if you want timely notices of log entries
> (if you have to physically go somewhere, you're likely to do it only
> once a day). A reasonable compromise would be to keep the IDS output on
> the logserver and have some way of logging in to view the output; policy
> would dictate that it only be done from certain secured workstations (we
> already have a policy dictating security levels of workstations).
>
> What are people's thoughts on this?
>
> -Jeff
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: loganalysis-unsubscribeat_private
> For additional commands, e-mail: loganalysis-helpat_private

-- 
John "Rowan" Littell
Systems Administrator
Earlham College Computing Services
http://www.earlham.edu/~littejo/
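The local-mailbox delivery Rowan describes, worked through as an added example; this is not code from either poster or from the loganalysis list. The IDS pass on the loghost writes its summary into a mailbox on the loghost itself (no SMTP relay, so the mail server never sits between the admin and the logserver), and the admin reads it from a secured workstation over ssh or imaps. The summary also carries a digest of the full local log store and marks any flagged line that is not actually present in that store, which is the consistency check Jeff's "circular trust" concern asks for. The log lines, the IDS output format, the account name idsreview and the path /var/mail/idsreview are all assumptions for illustration.

```python
"""Deliver an IDS summary into a local mailbox on the loghost.

Added example for the loganalysis thread above; not the posters' code.
Sample log lines, the IDS output format, the idsreview account and the
mailbox path are constructed/assumed for illustration.
"""
import hashlib
import mailbox
import os
import tempfile
from email.message import EmailMessage

# Constructed sample: the full log store kept on the loghost "regardless of merit".
FULL_LOG = [
    "Oct 11 03:12:01 mail sshd[4123]: Failed password for root from 198.51.100.7 port 40122 ssh2",
    "Oct 11 03:12:04 mail sshd[4123]: Failed password for root from 198.51.100.7 port 40122 ssh2",
    "Oct 11 03:15:22 mail postfix/smtpd[4201]: connect from unknown[203.0.113.9]",
    "Oct 11 03:15:23 mail postfix/smtpd[4201]: disconnect from unknown[203.0.113.9]",
    "Oct 11 03:20:00 www httpd[5110]: 192.0.2.44 GET /cgi-bin/../../etc/passwd 404",
]

# Constructed sample: lines the IDS pass flagged. The last one is deliberately
# absent from FULL_LOG so the consistency check below has something to catch.
IDS_FLAGGED = [
    FULL_LOG[0],
    FULL_LOG[1],
    FULL_LOG[4],
    "Oct 11 03:21:00 www httpd[5110]: 192.0.2.44 GET /admin 200",
]

# Assumed deployment target: the mbox of a local-only account on the loghost.
ADMIN_MBOX = "/var/mail/idsreview"


def logstore_digest(lines):
    """SHA-256 over the local log store, so a reader on the loghost can recompute it."""
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()


def build_report(flagged, full_log):
    """Compose the IDS summary, cross-checking every flagged line against the store."""
    store = set(full_log)
    confirmed = [line for line in flagged if line in store]
    unverified = [line for line in flagged if line not in store]
    body = ["IDS review for loghost", "",
            f"{len(confirmed)} flagged entries (present in local store):"] + confirmed
    if unverified:
        body += ["", f"{len(unverified)} flagged entries NOT in local store "
                 "(IDS input does not match the store; investigate):"] + unverified
    msg = EmailMessage()
    msg["From"] = "ids@loghost"
    msg["To"] = "idsreview@loghost"
    msg["Subject"] = f"IDS report: {len(confirmed)} hits, {len(unverified)} unverified"
    msg["X-Logstore-SHA256"] = logstore_digest(full_log)
    msg.set_content("\n".join(body))
    return msg


def deliver_locally(msg, mbox_path):
    """Append the report to a local mbox file; nothing is handed to an SMTP relay."""
    box = mailbox.mbox(mbox_path)
    try:
        box.lock()
        key = box.add(msg)
        box.flush()
    finally:
        box.unlock()
        box.close()
    return key


def fetch_reports(mbox_path):
    """What the admin sees after 'ssh loghost' (or over imaps): the stored reports."""
    box = mailbox.mbox(mbox_path)
    try:
        return [{"subject": m["Subject"], "digest": m["X-Logstore-SHA256"],
                 "body": m.get_payload()} for m in box]
    finally:
        box.close()


def report_matches_store(report, full_log):
    """Recompute the digest from the loghost's own store rather than trusting the mail."""
    return report["digest"] == logstore_digest(full_log)


def demo(mbox_path=None):
    """Run the whole flow against a scratch mailbox; returns (subject, reports, matches)."""
    if mbox_path is None:
        mbox_path = os.path.join(tempfile.mkdtemp(), "idsreview")
    msg = build_report(IDS_FLAGGED, FULL_LOG)
    deliver_locally(msg, mbox_path)
    reports = fetch_reports(mbox_path)
    return msg["Subject"], reports, report_matches_store(reports[0], FULL_LOG)


if __name__ == "__main__":
    subject, reports, ok = demo()
    print(subject)
    print(reports[0]["body"])
    print("digest matches local store:", ok)
```

On a real loghost the script would run from the IDS cron job with ADMIN_MBOX as the target and the idsreview account would have no remote mail delivery at all; the admin then reads it with something like `ssh loghost mail -f /var/mail/idsreview` from one of the secured workstations (assumed command, as Rowan's suggestion leaves the client tool open). The digest is only meaningful when recomputed on the loghost from its own store, which is the point: the check never depends on what the mail server shows you.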
This archive was generated by hypermail 2b30 : Fri Oct 12 2001 - 10:38:19 PDT