Re: [logs] How are people bringing DMZ syslog msgs into the central server?

From: Klaus Moeller (moellerat_private)
Date: Mon Jan 20 2003 - 10:08:59 PST


    On Monday 20 January 2003 02:04, you wrote:
    > What with the desire for real-time alerts, how are people bringing
    > those logs in?
    > Typically it's not considered a good idea to allow arbitrary incoming
    > UDP packets from a DMZ to a LAN, similarly, people don't feel happy
    > putting the central syslog server out in the DMZ, so how do you put
    > those two limiting factors together?
    Well, there are things you want, and things you have to do. If you have old 
    syslog devices in your DMZ that cannot talk syslog over TCP, you have 
    to use UDP for now.
    If you use a dedicated log server and a DMZ with packet filters on both 
    ends, you can put the log server in a dedicated zone or in the internal 
    zone if resources are really tight. Spoofing UDP packets is not that 
    much of a problem, as you can completely block syslog packets on the 
    outer packet filter and allow only incoming packets with DMZ source 
    addresses to the syslog port on the log server on the internal packet 
    filter. Flooding remains a problem, but only if the attacker gains 
    access to one of the DMZ hosts. But when he/she has this access, TCP 
    flooding is also possible. 
    		Klaus Moeller, DFN-CERT
    -- 
    Klaus Moeller          |                      mailto:moellerat_private
    DFN-CERT GmbH          |  
    Heidenkampsweg 41      |                        Phone: +49(40)808077-555
    D-20097 Hamburg        |                          FAX: +49(40)808077-556
    Germany                |              PGP-Key: RSA 2048 Bit ID: 0BB7C8F9
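Klaus's answer puts the work on the two packet filters: the outer one drops syslog entirely, the inner one admits UDP/514 only from DMZ source addresses to the log server. What follows is an added example, not code from the list post or from any tool it mentions: a host-side backstop on the log server that re-checks the DMZ source range and adds a per-source token bucket for the flooding case he mentions (one compromised DMZ host should not be able to drown out the others). The DMZ prefix 192.0.2.0/24, the rate and burst values, and the sample message are assumptions made for the example.

```python
"""Host-side backstop for a DMZ -> internal log server syslog path (added example).

The packet filters do the real work (outer filter: drop syslog entirely; inner
filter: allow UDP/514 only from DMZ addresses to the log server).  This receiver
re-checks the source address on the log server itself and adds a per-source
token bucket so that one compromised DMZ host cannot flood the collector.
"""
import ipaddress
import socket
import time
from typing import Dict, Optional, Tuple

# Assumed DMZ address range (RFC 5737 documentation prefix) and assumed limits.
DMZ_NETS = ["192.0.2.0/24"]
SYSLOG_PORT = 514
MSGS_PER_SEC = 50.0   # sustained per-source rate
BURST = 200           # per-source burst allowance


class SourcePolicy:
    """Accept a datagram only if it comes from the DMZ and is within rate."""

    def __init__(self, allowed_nets=DMZ_NETS, rate=MSGS_PER_SEC, burst=BURST):
        self.allowed_nets = [ipaddress.ip_network(n) for n in allowed_nets]
        self.rate = float(rate)
        self.burst = float(burst)
        # per-source bucket: (tokens left, timestamp of last refill)
        self._buckets: Dict[str, Tuple[float, float]] = {}

    def allowed_source(self, src: str) -> bool:
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False
        return any(addr in net for net in self.allowed_nets)

    def within_rate(self, src: str, now: float) -> bool:
        tokens, last = self._buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self._buckets[src] = (tokens, now)
            return False
        self._buckets[src] = (tokens - 1.0, now)
        return True

    def accept(self, src: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (accepted, reason); 'now' is injectable for testing."""
        if now is None:
            now = time.monotonic()
        if not self.allowed_source(src):
            return False, "source not in DMZ"
        if not self.within_rate(src, now):
            return False, "rate limit"
        return True, "ok"


def parse_rfc3164(data: bytes) -> Optional[dict]:
    """Split the <PRI> header of a BSD syslog datagram; None if malformed."""
    text = data.decode("ascii", errors="replace")
    end = text.find(">", 1, 5)           # PRI is at most three digits
    if not text.startswith("<") or end == -1 or not text[1:end].isdigit():
        return None
    pri = int(text[1:end])
    if pri > 191:                        # facility 0-23, severity 0-7
        return None
    return {"facility": pri >> 3, "severity": pri & 7, "msg": text[end + 1:]}


def serve(policy: SourcePolicy, bind_addr: str = "0.0.0.0", port: int = SYSLOG_PORT):
    """Receive UDP syslog and drop anything the policy rejects."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (src, _) = sock.recvfrom(2048)
        ok, reason = policy.accept(src)
        if not ok:
            print(f"dropped datagram from {src}: {reason}")
            continue
        rec = parse_rfc3164(data)
        if rec is None:
            print(f"dropped malformed datagram from {src}")
            continue
        print(f"{src} fac={rec['facility']} sev={rec['severity']} {rec['msg']}")


if __name__ == "__main__":
    serve(SourcePolicy())   # port 514 needs privileges; use a port >1024 to try it
```

The source check duplicates what the inner packet filter already enforces, which is the point: if a filter rule is loosened by mistake, the collector still refuses non-DMZ senders. The bucket is keyed per source, so a flooding DMZ host exhausts only its own allowance and the other hosts' messages keep arriving.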

    This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 10:32:56 PST