Re: [logs] log review policies

From: peff-loganalat_private
Date: Fri Oct 19 2001 - 14:04:20 PDT


On Fri, 19 Oct 2001, Matthew G. Marsh wrote:

> structure methodology. To that end I am also a big promoter/user of SNMP.
> We make extensive use of SNMPv3 in many of our managed security
> structures. This is the framework behind the following technique:

I haven't used SNMP in years...what defenses does v3 provide against
spoofing?  Assuming that strong cryptographic authentication could be
used, then this sounds like a great idea for doing central system
management.

I suppose you could also just do cryptographic signing at the layer
above SNMP. I assume you're also working on some sort of timeout at the
central server...that is, if you don't receive a hash in N seconds, an
alarm is tripped.

> You have to crack one of these systems within 5 minutes in such a manner
> as to change the OOB logging, AND disable the SNMP trapping mechanism, AND
> disable the host IDS mechanism, AND finally make sure that you send back
> appropriately spoofed hashes.

This would be a perfect scenario for a ``hacking'' scene from a
Hollywood film. :)

> Nothing is perfect but experience teaches that several short barbed wire
> fences separated by moats is much much better than one large fence...

Agreed.

-Jeff

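The scheme sketched in the reply above (each host periodically sends a hash of its log state, signed at a layer above the transport, and the central server trips an alarm if no valid hash arrives within N seconds) as an added, self-contained Python example. This is not code from the thread or from either poster's systems and it does not speak SNMP; it models the signing and the deadline only. It assumes a per-host HMAC-SHA256 key, a monotonically increasing sequence number so a captured report cannot be replayed to keep the deadline fresh, and a timestamp window so a stale report is rejected. HOST_KEYS, the hostnames, the timeout and all timestamps are constructed values; the clock is passed in explicitly so the behaviour is deterministic.

```python
import hashlib
import hmac
import json

# Constructed per-host shared secrets held by the central server. In a real
# deployment these come from provisioning, never from a literal in the code.
HOST_KEYS = {
    "fw-1": b"constructed-secret-for-fw-1",
    "fw-2": b"constructed-secret-for-fw-2",
}


def _canonical(body: dict) -> bytes:
    """Stable serialisation so agent and server MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_report(host: str, key: bytes, seq: int, sent_at: float, log_bytes: bytes) -> dict:
    """Agent side: hash the current log state and sign (host, seq, time, digest)."""
    body = {
        "host": host,
        "seq": seq,
        "sent_at": sent_at,
        "digest": hashlib.sha256(log_bytes).hexdigest(),
    }
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


class CentralMonitor:
    """Server side: verifies signed hash reports and tracks per-host deadlines."""

    def __init__(self, keys: dict, timeout_s: float, started_at: float, clock_skew_s: float = 30.0):
        self.keys = keys
        self.timeout_s = timeout_s
        self.clock_skew_s = clock_skew_s
        # A host that has never reported is measured from server start, so a
        # box that is silent from the beginning still raises the alarm.
        self.last_ok = {h: started_at for h in keys}
        self.last_seq = {h: -1 for h in keys}

    def receive(self, report: dict, now: float) -> bool:
        """Return True only for a fresh, correctly signed report; only those
        refresh the host's deadline. Everything else is dropped silently."""
        host = report.get("host")
        key = self.keys.get(host)
        if key is None:
            return False  # unknown host: no key to verify against
        body = {k: v for k, v in report.items() if k != "mac"}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time compare: a forged or modified report fails here.
        if not hmac.compare_digest(expected, str(report.get("mac", ""))):
            return False
        if not isinstance(body.get("seq"), int) or not isinstance(body.get("sent_at"), (int, float)):
            return False
        if abs(now - body["sent_at"]) > self.clock_skew_s:
            return False  # stale report (or a badly skewed agent clock)
        if body["seq"] <= self.last_seq[host]:
            return False  # replay of an already-accepted report
        self.last_seq[host] = body["seq"]
        self.last_ok[host] = now
        return True

    def overdue(self, now: float) -> list:
        """Hosts whose last valid report is older than the timeout: the alarm list."""
        return sorted(h for h, t in self.last_ok.items() if now - t > self.timeout_s)


if __name__ == "__main__":
    # Constructed walk-through with a simulated clock (seconds).
    mon = CentralMonitor(HOST_KEYS, timeout_s=300.0, started_at=1000.0)
    good = sign_report("fw-1", HOST_KEYS["fw-1"], seq=1, sent_at=1010.0, log_bytes=b"constructed log line\n")
    print("valid report accepted:", mon.receive(good, now=1012.0))
    print("same report replayed:", mon.receive(good, now=1013.0))
    forged = dict(good, seq=2, sent_at=1020.0)  # edited without the key, MAC no longer matches
    print("forged report accepted:", mon.receive(forged, now=1021.0))
    print("overdue at t=1301:", mon.overdue(1301.0))
```

The alarm list is what the reply calls the timeout at the central server: a host drops off it only by producing a report that carries a valid MAC, a sequence number not seen before, and a timestamp within the skew window, so neither a replayed capture nor an unsigned fabrication keeps a compromised box looking healthy.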
    



    This archive was generated by hypermail 2b30 : Fri Oct 19 2001 - 19:01:14 PDT