Jason Haar wrote:
>
> What with the desire for real-time alerts, how are people bringing those
> logs in?
>
> Typically it's not considered a good idea to allow arbitrary incoming UDP
> packets from a DMZ to a LAN, similarly, people don't feel happy putting the
> central syslog server out in the DMZ, so how do you put those two limiting
> factors together?

I'd say that the most secure solution is to allow the DMZ boxes to send the
log data straight to the log collector.

At least, it SHOULD be. Unfortunately, this isn't as straightforward an
assumption as one would think it to be. Examples:

- Two recent syslog-ng snafus:
  http://www.securiteam.com/unixfocus/6H00E0K5PW.html
  http://www.securiteam.com/unixfocus/6G00R1P0AM.html

- Syslog as well as syslog-ng crashes when an output file exceeds the 2GB
  file size limit. Sending 2GB of "harmless" events takes less than five
  minutes over 100Mbps ethernet. After this, the log receiver (and hence the
  alerting facility) is disabled, and will no longer react to "evil" events.
  Oops.

However, I'd argue that doing rsync/scp/whatever exposes _more_ functionality
than just opening 514/udp, even if such sessions are only periodically
initiated from the inside.

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 14:26:33 PST