[logs] Secure Central Log Host

From: Rainer Gerhards (rgerhardsat_private)
Date: Wed Oct 16 2002 - 11:50:28 PDT


    Hi all,
    
    I am currently designing a secure central log host. Obviously, I face a
    number of challenges. One thing I hold for important is the location of
    the database used to store the repository. Obviously, my central log
    server will be a hardened machine placed in a secure part of my network.
    So I feel bad about placing the database engine on that same machine -
    after all, the DB might be queried by security admins to work with it.
    So I would need to open up a number of ports that I do not really like
    to open....
    
    Another approach is to have a second machine just running the database.
    Then, again two options. I can allow the first machine ("collector") to
    talk to the database server ("repository") via the native database
    protocol. Thus the collector is a "regular" database client - I need to
    open up some ports, but definitely no server ports. All events are
    stored in the repository and queried by the admin from there. Fine -
    BUT: now the repository can of course be compromised and it might even
    compromise the collector over weaknesses in the db protocol. Bad.
    
    Ok, next approach: the collector forwards events to the repository via
    syslog protocol. No need to allow any db connectivity between the two.
    But again, the repository can be tampered with by the admins. Also, on second
    thought, I have just introduced another relay (and point of failure).
    
    Mmmhhh - what if we run a database on the collector AND the repository?
    The one on the collector is not allowed to talk to the network so this
    should be secure. Events are forwarded to the repository via syslog, so
    this should again be fine. So here, we are actually back to a
    collector&repository in one and the second server is more or less a
    working copy for the security admins.
    
    I finally came up with the following idea:
    
      Collector
      - stores incoming events in flat files inside file system --> written
    to CD on a schedule
      - forwards via syslog to the repository machine
    
      Repository
      - stores incoming events in the database
      - this database is used for admin review. Conceptually, it is
    read-only, but if in doubt (or legal investigation), the flat files from
    the collector will be used
    
    Does this sound like overkill? Are there any other (proven) approaches?
    
    Any advice or comment is highly appreciated.
    
    Rainer Gerhards
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
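The design above makes the collector's flat files the authoritative record and the repository database a working copy that is only "conceptually" read-only. An added example (not from the original post or from any project it mentions) of the check that turns that statement into something verifiable: a digest of the flat file to record alongside the CD copy, and a reconciliation of the repository's rows against the flat file. The syslog lines, the single-table sqlite schema and the tampered rows are all constructed for the illustration.

```python
"""Reconcile the repository database against the collector's flat file."""
import hashlib
import sqlite3
from collections import Counter

# Constructed sample: three syslog lines as the collector wrote them to its flat file.
COLLECTOR_FLAT_FILE = """\
<86>Oct 16 11:50:01 fw1 sshd[2211]: Accepted publickey for ops from 10.0.0.5 port 51022
<86>Oct 16 11:50:07 fw1 sshd[2218]: Failed password for root from 10.0.0.9 port 40211
<38>Oct 16 11:50:09 db2 su: pam_unix(su:session): session opened for user root
"""

# Constructed sample: the same events as found in the repository's table, except that
# the second row was altered ("Failed" became "Accepted") and the third row is gone.
REPOSITORY_ROWS = [
    (1, "<86>Oct 16 11:50:01 fw1 sshd[2211]: Accepted publickey for ops from 10.0.0.5 port 51022"),
    (2, "<86>Oct 16 11:50:07 fw1 sshd[2218]: Accepted password for root from 10.0.0.9 port 40211"),
]


def flat_file_manifest(text: str) -> str:
    """SHA-256 of the flat file; store it with the file when the CD is written so the
    archived copy can later be shown to be the one the collector produced."""
    return hashlib.sha256(text.encode()).hexdigest()


def load_repository(rows):
    """Stand-in for the repository database (assumed schema: one events table)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, msg TEXT NOT NULL)")
    conn.executemany("INSERT INTO events VALUES (?, ?)", rows)
    return conn


def reconcile(flat_text: str, conn) -> dict:
    """Compare the authoritative flat file with the working copy in the database.
    Counters (not sets) are used so duplicate identical events are counted correctly.
    An altered row appears once in each list; a deleted row only in the first."""
    authoritative = Counter(line for line in flat_text.splitlines() if line)
    working = Counter(msg for (msg,) in conn.execute("SELECT msg FROM events"))
    return {
        "missing_from_db": sorted((authoritative - working).elements()),
        "not_in_flat_file": sorted((working - authoritative).elements()),
    }


if __name__ == "__main__":
    print("flat file manifest:", flat_file_manifest(COLLECTOR_FLAT_FILE))
    for name, lines in reconcile(COLLECTOR_FLAT_FILE, load_repository(REPOSITORY_ROWS)).items():
        print(f"{name}: {len(lines)}")
        for line in lines:
            print("   ", line)
```

Running it reports two lines missing from the database and one database row with no counterpart in the flat file, which is exactly the signature of an edited and a deleted event in the working copy.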
    

    This archive was generated by hypermail 2b30 : Sat Oct 19 2002 - 07:01:07 PDT