On Fri, Oct 12, 2001 at 02:54:41AM -0400, Jeff King wrote:
> Have people implemented policy to deal with this? Clearly, the most
> secure thing is to cut the chain of trust down to the keyboard and
> monitor on the logserver. However, sitting on console on that box might
> be inconvenient, especially if you want timely notices of log entries
> (if you have to physically go somewhere, you're likely to do it only
> once a day). A reasonable compromise would be to keep the IDS output on
> the logserver and have some way of logging in to view the output; policy
> would dictate that it only be done from certain secured workstations (we
> already have a policy dictating security levels of workstations).

As always, security is a matter of trade-offs; if you want a more convenient method of seeing security data, you generally have to open up security holes.

That said, you could minimize the risk by having the IDS output on the loghost be, perhaps, automatically burned to CD, and have the most recent x CDs mounted on a server to which those secure workstations can attach; the loghost would thus not have any holes opened up in its security, while the security analysts could have a fairly high level of confidence that the IDS information they are seeing on the potentially-compromisable "viewing" host has not been tampered with. (If an intruder did compromise the viewing host, of course, they could do things like remap the mounts to point to bogus data, but such tricks would probably be noticed fairly quickly. Nothing is 100% foolproof, however.)

Note that such a solution is, definitionally, an off-line (non-real-time) one, and as such should be used to supplement a real-time active notification system such as the one you currently use.

-- Sweth.

--
Sweth Chandramouli ; <svcat_private>
President, Idiopathic Systems Consulting
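The reply above relies on the analysts being able to tell whether the snapshot they see on the viewing host is the one the loghost produced. The following is an added example, not code from the original post or its authors: the loghost computes a per-file and chained SHA-256 manifest for the snapshot before it is written to read-only media, the chain digest travels out of band (for instance written on the disc label), and the viewing host recomputes the manifest over the mounted copy and reports which files changed, vanished, or appeared. The directory layout, the log line and the "CD" contents are constructed sample data.

```python
"""Integrity manifest for an off-line IDS log snapshot.

Added example, not part of the original mailing-list post. Assumes the
loghost builds the manifest before the snapshot is burned to read-only
media, and that an analyst carries the chain digest out of band so a
compromised viewing host cannot substitute both the data and the manifest.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of one file, streamed so large log files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(snapshot: Path) -> dict:
    """Hash every file under the snapshot in a fixed order and chain the digests.

    The chain digest changes if any file's content, name or presence changes,
    so a single value is enough to carry out of band.
    """
    entries = {}
    chain = hashlib.sha256()
    for p in sorted(snapshot.rglob("*")):
        if p.is_file():
            rel = p.relative_to(snapshot).as_posix()
            d = file_digest(p)
            entries[rel] = d
            chain.update(f"{rel}:{d}\n".encode())
    return {"files": entries, "chain": chain.hexdigest()}


def verify_snapshot(mounted: Path, manifest: dict) -> dict:
    """Compare the copy the viewing host sees against the loghost manifest."""
    current = build_manifest(mounted)
    expected, seen = manifest["files"], current["files"]
    report = {
        "chain_ok": current["chain"] == manifest["chain"],
        "modified": sorted(f for f in expected if f in seen and seen[f] != expected[f]),
        "missing": sorted(f for f in expected if f not in seen),
        "added": sorted(f for f in seen if f not in expected),
    }
    report["ok"] = report["chain_ok"] and not (
        report["modified"] or report["missing"] or report["added"]
    )
    return report


def demo() -> tuple:
    """Constructed scenario: loghost snapshot, a faithful mounted copy, and a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        snap = root / "snapshot"
        (snap / "alerts").mkdir(parents=True)
        # Constructed sample IDS output; 192.0.2.10 is a documentation address.
        (snap / "alerts" / "2001-10-12.log").write_text(
            "Oct 12 02:54:41 ids: ALERT portscan from 192.0.2.10\n"
        )
        (snap / "README").write_text("IDS output, burned to CD on the loghost\n")
        manifest = build_manifest(snap)  # done on the loghost before burning

        good = root / "viewer_good"  # what the viewing host should see
        shutil.copytree(snap, good)
        tampered = root / "viewer_tampered"  # a mount remapped to altered data
        shutil.copytree(snap, tampered)
        (tampered / "alerts" / "2001-10-12.log").write_text(
            "Oct 12 02:54:41 ids: no events\n"
        )
        return verify_snapshot(good, manifest), verify_snapshot(tampered, manifest)


if __name__ == "__main__":
    good_report, bad_report = demo()
    print("faithful copy:", good_report)
    print("tampered copy:", bad_report)
```

The manifest alone cannot protect itself if it is stored on the same mount as the data, which is why the chain digest is meant to be compared against a value the analyst obtained from the loghost directly; with that one value in hand, the per-file report tells the analyst exactly where the mounted copy diverges.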
This archive was generated by hypermail 2b30 : Fri Oct 12 2001 - 10:38:47 PDT