Re: [logs] How are people bringing DMZ syslog msgs into the central server?

• Previous message: Buck Buchanan: "Re: [logs] Log Analysis for Law Enforcement"
• In reply to: Jason Haar: "[logs] How are people bringing DMZ syslog msgs into the central server?"
• Next in thread: Harry Hoffman: "Re: [logs] How are people bringing DMZ syslog msgs into the central server?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----

On Monday 20 January 2003 02:04, you wrote:
> What with the desire for real-time alerts, how are people bringing
> those logs in?
>
> Typically it's not considered a good idea to allow arbitrary incoming
> UDP packets from a DMZ to a LAN, similarly, people don't feel happy
> putting the central syslog server out in the DMZ, so how do you put
> those two limiting factors together?

Well, there are things you want, and those you have to. If you have old 
syslog devices in you DMZ, that cannot talk syslog over TCP, you have 
to use UDP for now.

If you use a dedicated log server and a DMZ with packet filters on both 
ends, you can put the log server in a dedicated zone or in the internal 
zone if resources are really tight. Spoofing UDP packets is not that 
much of a problem, as you can completely block syslog packets on the 
outer packet filter and allow only incoming packets with DMZ source 
addresses to the syslog port on the log server on the internal packet 
filter. Flooding remains a problem, but only if the attacker gains 
access to one of the DMZ hosts. But when he/she has this access, TCP 
flooding is also possible. 

Regards,
		Klaus Moeller, DFN-CERT

- -- 
Klaus Moeller          |                      mailto:moellerat_private
DFN-CERT GmbH          |            http://www.cert.dfn.de/team/moeller/
Heidenkampsweg 41      |                        Phone: +49(40)808077-555
D-20097 Hamburg        |                          FAX: +49(40)808077-556
Germany	               |              PGP-Key: RSA 2048 Bit ID: 0BB7C8F9

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQEVAwUBPiw7PIrEggYLt8j5AQEQmggAsIvwNT9Ed8aO4qH+bMvZB/T/UL5/PTAV
MClV5fFzy9gzUSB6nD0I7hQuMaE/AP4qR1sTlcnGCgsm63GcGrQ+xk0SVLplqqxV
HWU27E76BLO9IvlzX+A8mnjpIrELH4iFAc+lQOHf2hbJeQm7i2YikH4y2hd0pZbp
/8TdRRFaf4oHrY7aoQQ3AtBfjU1I2RVPWs2JghnWPIJI+KjH6H8HpX+MFnv/rXEN
zT4tbsrhVxQ7OGd/GPrY72SjP95KP7eXMjeQnySoeULGkzXslXSbkXmu6mO0e5e6
BvbVx5hLV17EcMISO6bXr/Fwg83y9v6dkYZJJCrQUIT/H+/KIcFybA==
=MMxC
-----END PGP SIGNATURE-----
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis

• Next message: Eric Fitzgerald: "RE: [logs] RE: NT Event Log and Web Server Attacks"
• Previous message: Buck Buchanan: "Re: [logs] Log Analysis for Law Enforcement"
• In reply to: Jason Haar: "[logs] How are people bringing DMZ syslog msgs into the central server?"
• Next in thread: Harry Hoffman: "Re: [logs] How are people bringing DMZ syslog msgs into the central server?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 10:32:56 PST