> Is it reasonable to write logs to write-once media?

One of my clients didn't want to invest in extra machines/media for secure logging for their Gauntlet firewall. However, they did want to have something non-destroyable, so they figured a direct-attached printer would be the best bet. This was back when Gauntlet still shipped source, so I was able to add some code to direct all but benign logs to the printer as well.

This setup was obviously vulnerable to DoS simply by flooding it with log entries and using up all the paper. A person would restock the paper every morning and evening. And the syslog-to-printer daemon needed to have enough memory to keep logs in memory until they made it to the (very slow) printer, lest the rest of the logging system hang waiting for the queues to empty, but that wasn't much trouble. It held up under some pretty nasty load (~50 simultaneous SATAN and generic port scans, which should show you how long ago this was.) It was running fine when I left, and they were happy.

Unfortunately you couldn't exactly run any log analysis tools on the result. It could only be consulted to verify the existing log integrity. And I don't think they did that much, even. But the machine was locked away, and only the firewall administrators had the key. Them logs were safe. And you could tell when a potential attack was occurring by the sounds coming from the closet...

--
Brian Hatch                     Redmond WA -- Microsoft announced
Systems and                     today that the official release
Security Engineer               date for the new operating system
http://www.ifokr.org/bri/       "Windows 2000" will be delayed until
                                the second quarter of 1901.
Every message PGP signed
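The two design points in the post above, sending only non-benign entries to the write-once sink and putting a bounded in-memory queue between syslog and the slow printer so the logging path never blocks, can be sketched as a small forwarder. This is an added example written for this archive page, not the Gauntlet patch the author describes; the severity parsing follows the RFC 3164 `<PRI>` prefix, the "benign" set (info and debug), the queue size and the sample log lines are all constructed assumptions. When the queue is full the forwarder drops and counts rather than blocking, and that counter is the defender's signal that a flood or paper-exhaustion condition is under way.

```python
"""Forward non-benign syslog lines to a slow write-once sink without blocking.

Added example (hypothetical, not the Gauntlet code from the post). The syslog
path calls submit() and never waits; a separate printer loop calls drain().
"""
import re
from collections import deque

# RFC 3164 style "<PRI>" prefix; severity is the low 3 bits of PRI.
_PRI_RE = re.compile(r"^<(\d{1,3})>")
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
BENIGN_SEVERITIES = {"info", "debug"}   # assumption: these never go to paper


def severity_of(line):
    """Return the syslog severity name of a line; unlabelled lines count as 'notice'."""
    m = _PRI_RE.match(line)
    if not m:
        return "notice"          # unknown format: err on the side of printing it
    pri = int(m.group(1))
    if pri > 191:                # facility*8 + severity never exceeds 191
        return "notice"
    return SEVERITY_NAMES[pri & 0x07]


def is_benign(line):
    return severity_of(line) in BENIGN_SEVERITIES


class PrinterForwarder:
    """Bounded buffer between the syslog path and a slow, append-only sink."""

    def __init__(self, sink, maxlen):
        self.sink = sink         # callable taking one line, e.g. write to the printer
        self.queue = deque()
        self.maxlen = maxlen
        self.dropped = 0         # lines lost because the queue was full
        self.printed = 0         # lines that actually reached the sink

    def submit(self, line):
        """Called from the syslog path. Returns True if the line was queued."""
        if is_benign(line):
            return False         # benign traffic stays in the normal log only
        if len(self.queue) >= self.maxlen:
            self.dropped += 1    # never block the producer; account for the loss
            return False
        self.queue.append(line)
        return True

    def drain(self, n=1):
        """Called from the printer loop: hand at most n queued lines to the sink."""
        moved = 0
        while self.queue and moved < n:
            self.sink(self.queue.popleft())
            self.printed += 1
            moved += 1
        return moved


def run_sample():
    """Drive the forwarder with constructed lines; returns (printed, dropped, still_queued, paper)."""
    paper = []                                   # stands in for the printer
    fw = PrinterForwarder(paper.append, maxlen=3)
    sample = [                                   # constructed syslog lines
        "<14>fw1 http-gw[200]: permit 10.0.0.5 -> 192.0.2.10:80",          # info    -> benign
        "<12>fw1 kernel: deny tcp 198.51.100.7:44444 -> 192.0.2.10:23",    # warning -> queued
        "<11>fw1 sshd[77]: authentication failure for root",               # err     -> queued
        "<10>fw1 kernel: deny tcp 198.51.100.7 -> 192.0.2.10:22",          # crit    -> queued
        "<15>fw1 cron: job finished",                                      # debug   -> benign
        "<12>fw1 kernel: deny tcp 198.51.100.7 -> 192.0.2.10:25",          # warning, queue full -> dropped
    ]
    for line in sample:
        fw.submit(line)
    fw.drain(2)                                  # the printer is slow: only two lines hit paper
    return fw.printed, fw.dropped, len(fw.queue), paper


if __name__ == "__main__":
    printed, dropped, queued, paper = run_sample()
    print(f"printed={printed} dropped={dropped} queued={queued}")
    for line in paper:
        print("PAPER:", line)
```

The drop counter is the piece worth wiring to an alert: in the printer setup described above, a rising drop count is the software equivalent of hearing the printer run non-stop in the closet.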
This archive was generated by hypermail 2b30 : Wed Dec 05 2001 - 15:11:36 PST