> On Wed, 2002-12-04 at 14:00, Tevfik Karagulle wrote:
> >
> > Wouldn't it be enough to configure your central log host as an NTP server
> > for machines generating syslogs or other logs?
>
> Sometimes you cannot do that; think, for example, of the cases when you
> need to "poke yet another hole" through some firewall to allow a
> host to send syslog datagrams to the logging server. In that case,
> poking two holes (syslog and NTP) instead of one (syslog) might make
> a big difference.
> (If you don't believe one more protocol poked through the firewall
> can be the cause for a major fuss, go ask the closest security
> analyst :-P)
>

I think that the idea about syncing time is a good one. If you need to poke one well-defined port in your firewall to get that advantage, just do it! I haven't seen too much security trouble around those NTP daemons (I remember an old one in xntpd!!).

As you suggest, the real problem is the syslog architecture and its lacking security features. Actually, I would be more cautious about opening my defenses for syslog :-)). It is natural that intermediary solutions pop up!! Hopefully we can see some movement there.

When it comes to dedicated NTP servers, that should be feasible for large-scale and high-performance solutions. However, I don't see any problem integrating this feature on a central log server when you have a small/midsized environment. It all depends on your priorities.

Regards

Tevfik Karagulle
ITEFIX Consulting

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Wed Dec 04 2002 - 23:42:41 PST