Re: [logs] How are people bringing DMZ syslog msgs into the central server?

From: Harry Hoffman (hhoffman@ip-solutions.net)
Date: Mon Jan 20 2003 - 15:07:09 PST


    Hi Mikael,
      I'm not sure what you mean by heaps of functionality but it really isn't that
    difficult. The use of stunnel is more for protecting the data while in transport
    rather than from an attacker on the machine.
    I don't really like the idea of passing all of the logs from one point of the
    DMZ to another for everyone to see. Should only a single box within the DMZ get
    cracked then the attacker cannot simply sniff the traffic to determine
    information from the logs.
    Lots of times simply watching logs fly by will give enough information for a
    very pointed attack. That's the last thing I want to have happen. And I'm more
    than willing to pay for it in overhead of crypto.
    
    Cheers,
    Harry
     
    Quoting Mikael Olsson <mikael.olssonat_private>:
    
    >
    >
    > Harry Hoffman wrote:
    > >
    > > Hi Jason,
    > >   We are using syslog-ng and stunnel to accomplish this.
    > > We pump everything from the client over a secure tunnel
    > > into our syslog server.
    >
    > This is from your dmz to your internal network?
    > stunnel?
    >
    > Talk about exposing heaps of functionality.
    > You've gone from exposing a couple of hundred lines of simple message
    > processing to hundreds of _thousands_ of lines of crypto code.
    >
    > Unless you have a very compelling reason for attempting to protect
    > the boxes in the dmz from tampering with each other's log streams
    > (because stunnel certainly doesn't prevent an intruder on Box A
    > from tampering with the stream from Box A, or from attacking the
    > message processing layer on the inside log receiver), I'd remove
    > stunnel and just go with plain transport.
    >
    >
    > --
    > Mikael Olsson, Clavister AB
    > Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
    > Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
    > Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
    >
    
    
    -- 
    Harry Hoffman
    ITSS Systems Team Leader
    University of Auckland
    hhoffmanat_private
    hhoffman@ip-solutions.net
    STANDARD DISCLAIMER:
    ***********************************************
    *This universe shipped by weight, not volume. *
    *Some expansion may have occurred in shipping.*
    ***********************************************
    
    
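The syslog-ng plus stunnel arrangement Harry describes, written out as an added example (not configuration from the thread or from either project's documentation): syslog-ng on the DMZ host writes to a loopback port, an stunnel client wraps that in TLS to the central receiver, and an stunnel server there hands the decrypted stream to the local syslog-ng. Hostnames, ports, certificate paths and the stunnel 4 config-file syntax are assumptions.

```conf
# ---- DMZ host: /etc/syslog-ng/syslog-ng.conf (assumed path) ----
# Local messages go to a loopback port; stunnel picks them up there,
# so nothing leaves the host in the clear.
source s_local { unix-stream("/dev/log"); internal(); };
destination d_tunnel { tcp("127.0.0.1" port(5140)); };
log { source(s_local); destination(d_tunnel); };

# ---- DMZ host: /etc/stunnel/stunnel.conf (client side) ----
client = yes
# This host's own certificate and key (assumed path); the receiver
# uses it to tell Box A's stream from Box B's.
cert = /etc/stunnel/dmzhost.pem
# CA that signed the log server's certificate; verify = 2 makes
# stunnel refuse any peer without a certificate signed by that CA.
CAfile = /etc/stunnel/ca.pem
verify = 2
[syslog]
accept = 127.0.0.1:5140
# Assumed name of the central receiver on the internal network.
connect = logserver.internal.example:5140

# ---- Central log server: /etc/stunnel/stunnel.conf (server side) ----
client = no
cert = /etc/stunnel/logserver.pem
CAfile = /etc/stunnel/ca.pem
# Every DMZ host must present its own CA-signed client certificate.
verify = 2
[syslog]
accept = 5140
# Hand the decrypted stream to syslog-ng over loopback only.
connect = 127.0.0.1:5141

# ---- Central log server: /etc/syslog-ng/syslog-ng.conf ----
# stunnel delivers from loopback, so the TCP peer address is always
# 127.0.0.1; keep_hostname makes syslog-ng keep the hostname carried
# in the message header instead of stamping every line as local.
options { keep_hostname(yes); };
source s_tunnel { tcp(ip("127.0.0.1") port(5141) max-connections(50)); };
destination d_dmz { file("/var/log/dmz/$HOST/messages" create_dirs(yes)); };
log { source(s_tunnel); destination(d_dmz); };
```

With a distinct client certificate per DMZ host and verify = 2 on the receiver, an intruder on Box A can still alter Box A's own stream, as Mikael notes, but can no longer read or forge another host's stream on the wire, which is the exposure Harry is paying the crypto overhead to close.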
    This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 15:27:32 PST