On Fri, 12 Oct 2001, Sweth Chandramouli wrote:

> On Fri, Oct 12, 2001 at 02:54:41AM -0400, Jeff King wrote:
> > Have people implemented policy to deal with this? Clearly, the most
> > secure thing is to cut the chain of trust down to the keyboard and
> > monitor on the logserver. However, sitting on console on that box might
> > be inconvenient, especially if you want timely notices of log entries
> > (if you have to physically go somewhere, you're likely to do it only
> > once a day). A reasonable compromise would be to keep the IDS output on
> > the logserver and have some way of logging in to view the output; policy
> > would dictate that it only be done from certain secured workstations (we
> > already have a policy dictating security levels of workstations).
>
> As always, security is a matter of trade-offs; if you
> want a more convenient method of seeing security data, you generally
> have to open up security holes. That said, you could minimize the risk
> by having the IDS output on the loghost be, perhaps, automatically burned
> to CD, and have the most recent x CDs mounted on a server to which those
> secure workstations can attach; the loghost would thus not have to have any
> holes opened up in its security, while the security analysts could have
> a fairly high level of confidence that the IDS information they are
> seeing on the potentially-compromisable "viewing" host has not been
> tampered with. (If an intruder did compromise the viewing host, of
> course, they could do things like remap the mounts to point to bogus
> data, but such tricks would probably be noticed fairly quickly. Nothing
> is 100% foolproof, however.)
>
> Note that such a solution is, definitionally, an off-line
> (non-real-time) one, and as such should be used to supplement a
> real-time active notification system such as the one you currently use.

Actually I was going to let this whole discussion slide. But I just wanted
to note that we have a central logserver that is entirely OOB (Out Of Band)
using serial lines and terminals. The terminals actually connect to a buffer
system (for lack of a better word) that mediates logins and runs the analysis
software. The buffer system has a serial connection to the logging server
that allows output of data but no login. The only way to log in to the
logging server is to physically go into the machine room to the console.

And yes - if you intercept the off-site tapes from the logserver then you
have to crack the encryption - eh.

> --
> Sweth.
>
> --
> Sweth Chandramouli ; <svcat_private>
> President, Idiopathic Systems Consulting

Cool corporate name! ;-}

--------------------------------------------------
Matthew G. Marsh, President
Paktronix Systems LLC
1506 North 59th Street
Omaha NE 68104
Phone: (402) 932-7250 x101
Email: mgmat_private
WWW: http://www.paktronix.com
--------------------------------------------------
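The two designs above share one idea: log data leaves the loghost over a channel that only flows outward (a burned CD, a serial line with no login), and the people reading it on a less trusted host want some assurance that what they see is what the loghost emitted. The script below is an added illustration of that receiving side, not code from either poster or from Paktronix. It assumes the one-way feed carries BSD-style syslog lines and models it with a constructed string; it parses each line, appends it to a hash chain as it arrives, and lets a copy on the viewing host be checked for tampering. Function names, the sample lines and the "genesis" anchor are all invented for the example.

```python
import hashlib
import re

# Constructed sample of what the serial line from the loghost might carry:
# BSD-style syslog lines (RFC 3164 layout), including one corrupted line.
# These are not real IDS records.
SAMPLE_FEED = """<34>Oct 12 02:54:41 loghost snort[1234]: [1:2003:8] SCAN nmap TCP from 10.0.0.5
<13>Oct 12 02:55:02 loghost sshd[210]: Failed password for root from 10.0.0.7 port 40122 ssh2
this line is garbage, not syslog
<38>Oct 12 02:56:10 loghost login: ROOT LOGIN ON console
"""

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

GENESIS = "0" * 64  # chain anchor for the very first segment (arbitrary choice)


def parse_syslog_line(line):
    """Split a BSD syslog line into its fields; return None if it is malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 24 facilities * 8 severities, so 191 is the largest legal PRI
        return None
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def link(prev_hash, raw):
    """Hash of the previous entry's hash plus this raw line (the chain step)."""
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(b"\n")
    h.update(raw.encode("utf-8", "replace"))
    return h.hexdigest()


def ingest(feed, prev_hash=GENESIS):
    """Receive lines from the one-way channel.

    Malformed lines are kept (the chain must cover everything that arrived)
    but counted, so the analyst can see that the feed is being mangled.
    Returns (records, head_hash, malformed_count).
    """
    records = []
    malformed = 0
    for raw in feed.splitlines():
        raw = raw.rstrip("\r")
        if not raw:
            continue
        parsed = parse_syslog_line(raw)
        if parsed is None:
            malformed += 1
        prev_hash = link(prev_hash, raw)
        records.append({"hash": prev_hash, "raw": raw, "parsed": parsed})
    return records, prev_hash, malformed


def verify(records, start_hash=GENESIS):
    """Recompute the chain over a copied snapshot on the viewing host.

    Returns (True, None) if intact, else (False, index_of_first_bad_record).
    The head hash is the one value that has to travel by a path you trust
    (read off the loghost console, written on the CD sleeve, etc.).
    """
    prev = start_hash
    for i, rec in enumerate(records):
        expected = link(prev, rec["raw"])
        if expected != rec["hash"]:
            return False, i
        prev = expected
    return True, None


if __name__ == "__main__":
    recs, head, bad = ingest(SAMPLE_FEED)
    print(f"{len(recs)} records, {bad} malformed, head={head[:16]}...")
    print("snapshot intact:", verify(recs))
    recs[1]["raw"] = recs[1]["raw"].replace("root", "guest")
    print("after editing record 1:", verify(recs))
```

Because each segment's head hash is the next segment's starting anchor, a run of CDs or tape sets can be checked as one chain, and an attacker on the viewing host who rewrites or drops a record breaks every hash after it; what the chain cannot tell you is whether the loghost itself was lying, which is exactly why both posters keep the loghost unreachable from the network.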
This archive was generated by hypermail 2b30 : Mon Oct 15 2001 - 11:33:14 PDT