On a course I did a few years ago the idea of logging direct to CD-R came up. This means that if anyone ever hacked the logging server, the worst they could do was prevent any further logging, but they could never delete already logged data as it was on a write-once CD. The only way to destroy the data would be to gain physical access to the syslog server, take the CD out and trash it in an appropriate manner. In most secure environments this is considerably more difficult than gaining network access to the system.

I guess in this day and age you would probably implement such a solution using write-once DVDs instead of CDs. Thinking about it, a solution with two writers would probably be better as it allows continuous logging, i.e. DVD-A becomes full so commence logging on DVD-B, the admin changes the disc in DVD-A for new blank media, when DVD-B is full go back to logging on DVD-A and so on. Meanwhile the DVDs get filed in a firesafe or somewhere else suitable for such things.

This of course does not preclude logging to a big old hard drive or RAID array or something so that you can have the data online for analysis. It just means that the hacker can't modify the DVD-stored trace of his break-in after the fact.

Anybody ever heard of such a solution, or is it in reality just a completely insane and impractical idea?

Regards,
PC
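A toy model of the two-writer rotation described in the post, added here as an example and not code from the post or the list. The disc capacity, the `DualWormLogger`/`WriteOnceMedium` names and the record format are all constructed for illustration; the point it shows is how the filed write-once discs serve as a reference copy for checking whether the editable online log was altered after the fact.

```python
from dataclasses import dataclass, field


@dataclass
class WriteOnceMedium:
    """Models a write-once disc: records can only be appended, never changed or removed."""
    label: str
    capacity: int                 # constructed: number of records the disc holds
    records: list = field(default_factory=list)

    def full(self) -> bool:
        return len(self.records) >= self.capacity

    def append(self, line: str) -> None:
        if self.full():
            raise IOError(f"{self.label} is full")
        self.records.append(line)


class DualWormLogger:
    """Two writers: when the active disc fills, it is filed away, the admin loads a
    blank into that drive, and logging continues on the other drive (hypothetical model)."""

    def __init__(self, capacity: int):
        self.drives = [WriteOnceMedium("DVD-A", capacity), WriteOnceMedium("DVD-B", capacity)]
        self.active = 0
        self.filed = []      # full discs in the order they filled (the firesafe)
        self.online = []     # hard-drive copy kept for analysis; this is what an intruder could edit

    def log(self, line: str) -> None:
        self.online.append(line)
        drive = self.drives[self.active]
        if drive.full():
            self.filed.append(drive)                                   # file the full disc
            self.drives[self.active] = WriteOnceMedium(drive.label, drive.capacity)  # admin loads a blank
            self.active ^= 1                                           # switch to the other writer
        self.drives[self.active].append(line)

    def worm_trace(self) -> list:
        """All records in write order: filed discs first, then the disc still being written."""
        trace = [r for disc in self.filed for r in disc.records]
        return trace + self.drives[self.active].records

    def first_discrepancy(self):
        """Compare the online copy against the WORM trace; return the index of the first
        position where they differ, or None if the online log is intact. A deleted or
        edited online line shows up here because the disc copy cannot have been changed."""
        worm = self.worm_trace()
        for i in range(max(len(worm), len(self.online))):
            if i >= len(worm) or i >= len(self.online) or worm[i] != self.online[i]:
                return i
        return None
```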
This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 12:28:13 PST