Having correct time is a paramount consideration for a secure logging solution. One solution that is not very expensive is to use a GPS receiver connected to a PC to get the time. GPS time is pretty darn close to the atomic clocks, but that doesn't really matter anyway. What does matter is that all of your systems are on the same time.

The problem that we find working in a worldwide environment is that syslog only processes logs in local time. So even though the system is getting its time from a GMT time source, the syslog "corrects" the log output to GMT + timezone. So when we collect these logs from around the world, we have to correct the log entries back to GMT time. We've also experimented with moving all of the machines to GMT time. The local admins don't like that option though.

If you don't want to open your firewall, then create at least 2 PC/GPS systems and deploy hopefully in different locations. Then configure your clients to point to both servers. The NTPv4 protocol does a very good job on not only keeping systems on time, but also you can use authentication to make sure that your clients are only getting time updates from authorized servers.

Another solution is to "proxy" NTP through the firewall using maybe some existing servers such as your DNS forwarding or SMTP servers. These machines should be very well locked down, and NTP shouldn't add any additional risk to those machines. Hopefully, you have at least two machines on different networks, geographically separated. Then on the inside, point a few internal systems to these "proxies". These internal machines will then become your internal time syncs that the other machines will use. I would suggest that you also use an NTPv4 external clock that provides authentication to prevent hackers from playing with your time.

To use NTP configuration for a system is right next to DNS configuration in importance and order for bringing a machine on-line.
My .02 Euro (now worth less than .02 USD)

Ron Ogle
Rennes, France

> -----Original Message-----
> From: tevfik [mailto:tevfikat_private]
> Sent: Thursday, December 05, 2002 3:34 AM
> To: loganalysisat_private
> Subject: Re: [logs] reinventing syslog [was: Secure Central Log Host]
>
>
> On Wed, 2002-12-04 at 14:00, Tevfik Karagulle wrote:
> >
> > > Wouldn't it be enough to configure your central log host as an NTP server
> > > for machines generating syslogs or other logs ?
> >
> > Sometimes you cannot do that; think, for example, of the cases when you
> > need to "poke yet another hole" through some firewall to allow a
> > host to send syslog datagrams to the logging server. In that case,
> > poking two holes (syslog and NTP) instead of one (syslog) might make
> > a big difference.
> > (If you don't believe one more protocol poked through the firewall
> > can be the cause for a major fuss, go ask the closest security
> > analyst :-P)
>

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
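The correction Ron describes (syslog writes each entry in the host's local time, so logs collected from around the world have to be shifted back to GMT before they can be correlated) as an added example; this is not code from the thread, and the host-to-offset table and sample lines are constructed for illustration:

```python
"""Correct classic syslog timestamps, written in each collector's local
time, back to UTC so entries from around the world line up.

Added example, not code from the original thread. The host-to-offset table
and the sample lines are constructed for illustration."""
import re
from datetime import datetime, timedelta, timezone

# Assumed: the UTC offset (hours) each host's syslog applied when it wrote
# local time. Fixed offsets are used here; a DST-aware deployment would map
# hosts to IANA zones (zoneinfo) instead of constants.
HOST_OFFSETS = {"fw-rennes": 1, "db-nyc": -5, "web-tokyo": 9}

# RFC 3164 style header: "Dec  5 03:34:12 host message" (no year, no zone).
SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$")


def to_utc(line: str, year: int) -> str:
    """Rewrite one line with an ISO 8601 UTC timestamp.

    The classic format omits the year, so the caller supplies the year the
    file was collected in (watch for files that span New Year)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable syslog line: {line!r}")
    mon, day, hms, host, msg = m.groups()
    if host not in HOST_OFFSETS:
        raise KeyError(f"no UTC offset configured for host {host}")
    naive = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    local = naive.replace(tzinfo=timezone(timedelta(hours=HOST_OFFSETS[host])))
    utc = local.astimezone(timezone.utc)
    return f"{utc.strftime('%Y-%m-%dT%H:%M:%SZ')} {host} {msg}"


# Constructed sample lines, each in its own host's local time.
SAMPLE_LINES = [
    "Dec  5 03:34:12 fw-rennes sshd[123]: Accepted publickey for ops",
    "Dec  4 21:34:12 db-nyc postgres[45]: connection authorized",
    "Dec  5 11:34:12 web-tokyo nginx: 10.0.0.5 GET /login",
]


def normalise_all(lines, year=2002):
    """Convert every line to UTC and return them in true chronological order."""
    return sorted(to_utc(line, year) for line in lines)


if __name__ == "__main__":
    for out in normalise_all(SAMPLE_LINES):
        print(out)
```

The three sample lines look hours apart in local time but describe the same UTC instant, which is exactly the kind of mismatch that hides a cross-site event sequence until the offsets are removed.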
This archive was generated by hypermail 2b30 : Fri Dec 06 2002 - 10:32:34 PST