RE: [logs] Re: Reliably detecting things like the SQL worm.... (p rotection for those "other" networks)

From: Ogle Ron (Rennes) (ron.ogleat_private)
Date: Tue Jan 28 2003 - 12:48:38 PST

  • Next message: Bennett Todd: "Re: [logs] Re: Reliably detecting things like the SQL worm.... (p rotection for those "other" networks)"

    A change of direction here.  For those of you who incorporate an
    architecture like was described from Nate, how do you make sure that the
    "middle" or "back" network is not used as a conduit for a compromised system
    to compromise other systems?  I'm getting an impression from Nate's
    description that the "middle" and "back" networks are continuous.
    What I mean is that you have machines A and B with three interfaces, 1
    (front),2 (middle), and 3 (back) where the middle LAN interface on machine B
    would be notated B2.  Now lets suppose that machine A is a web server and
    machine B is a database server and machine A gets compromised.  How do you
    make sure that the middle or back LANs comprised of A2 and B2 or A3 and B3
    respectively isn't used to compromise server B?  Use a firewall, and then
    how do you subdivide?
    Ron Ogle
    Rennes, France
    > -----Original Message-----
    > From: Nate Campi [mailto:nateat_private]
    > Sent: Monday, January 27, 2003 11:35 PM
    > To: Rainer Gerhards
    > Cc: loganalysisat_private
    > Subject: Re: [logs] Re: Reliably detecting things like the 
    > SQL worm....
    > Rainer Gerhards(rgerhardsat_private)@Mon, Jan 27, 2003 
    > at 09:47:03PM +0100:
    > > 
    > > The QoS is an interesting point. But back to my question: DID syslog
    > > work under attack or not? Any experience or samples on that? I mean
    > > real-world ones...
    > Yes, mine did. My production networks have a "front" network for
    > internet traffic, a "middle" net for server-to-server traffic, and a
    > "back" net for administrative traffic. Syslog flowing over the
    > administrative net (over TCP) was fine, even when the front-net might
    > have been melting down (I'm not saying it was, that might be private
    > information).
    > OBTW, we'd probably be better with just a front-net and a mid-net, the
    > extra burden of maintaining a third network doesn't really seem to be
    > paying off (IMO, others around here may disagree).
    > -- 
    > Nate Campi  Wired UNIX Operations  TerraLycos DNS Operations
    > Perl - The only language that looks the same before and after RSA
    > encryption.  -Keith Bostic  
    > _______________________________________________
    > LogAnalysis mailing list
    > LogAnalysisat_private
    LogAnalysis mailing list

    This archive was generated by hypermail 2b30 : Wed Jan 29 2003 - 08:54:46 PST