Re: [logs] log review policies

From: peff-loganalat_private
Date: Wed Oct 17 2001 - 18:45:03 PDT


On Thu, 18 Oct 2001, Russell Fulton wrote:

> What about using HTTPS secured basic authentication (based on apache,
> of course ;-) I agree that it is larger and more complex than one would
> like but it is well understood and most outfits have people who know it
> well enough to set it up securely.  It already handles a wide variety of

That would certainly work for getting the logs out without (presumably)
opening up any holes on the log box. What I'm most concerned about,
though, is the link between the admin's eyes and the (assumed secure on
the logbox) logs.

That is, I'm worried not about circumventing the authentication on the
logbox to view or change the logs, but that the admin workstation be
compromised, leading to incorrect log review.

To give an example, without a logbox you have the following problem:

- attacker breaks into mail server
- attacker deletes logs from mail server
- admin has no idea that attack occurred

To solve this, we log centrally to a "more secure" server. But you have
the situation:

- attacker breaks into mail server
- logs are sent to logserver
- attacker deletes local copies of log
- logs are processed on logserver and alarming entries are found
- mail is sent to admin
- attacker deletes mail to admin (or deletes information about alarming
  entries)

So it seems beneficial (without creating any additional difficulties) to
switch to:

- attacker breaks into mail server
- logs are sent to logserver
- attacker deletes local copies
- logs are processed, alarms found
- admin reviews logs through direct connection between workstation and
  log box (presumably ssh or ssl)

Now the attacker must compromise either the log box or the workstation.
The log box clearly must be part of the equation, since it holds the
logs. However, the workstation does not have to be. And in fact, imagine
you have a NIDS logging to the log box. It detects somebody Back
Orificing your workstation. But the admin never sees the log because the
Back Orificing attacker is able to intercept the logs not as they are
logged but as they are being reviewed (so they are correctly logged, but
nobody reads them).

Clearly, it's more secure to require a physical use of the log box, at
increased inconvenience. I was mainly interested in where people drew
the line in this case.

-Jeff
    
This archive was generated by hypermail 2b30 : Thu Oct 18 2001 - 07:26:27 PDT