A change of direction here. For those of you who incorporate an architecture like the one Nate described, how do you make sure that the "middle" or "back" network is not used as a conduit for a compromised system to compromise other systems? I'm getting an impression from Nate's description that the "middle" and "back" networks are continuous. What I mean is that you have machines A and B with three interfaces, 1 (front), 2 (middle), and 3 (back), where the middle LAN interface on machine B would be notated B2. Now let's suppose that machine A is a web server and machine B is a database server, and machine A gets compromised. How do you make sure that the middle or back LANs, comprised of A2 and B2 or A3 and B3 respectively, aren't used to compromise server B? Use a firewall, and then how do you subdivide?

Ron Ogle
Rennes, France

> -----Original Message-----
> From: Nate Campi [mailto:nateat_private]
> Sent: Monday, January 27, 2003 11:35 PM
> To: Rainer Gerhards
> Cc: loganalysisat_private
> Subject: Re: [logs] Re: Reliably detecting things like the SQL worm....
>
> Rainer Gerhards(rgerhardsat_private)@Mon, Jan 27, 2003 at 09:47:03PM +0100:
> >
> > The QoS is an interesting point. But back to my question: DID syslog
> > work under attack or not? Any experience or samples on that? I mean
> > real-world ones...
>
> Yes, mine did. My production networks have a "front" network for
> internet traffic, a "middle" net for server-to-server traffic, and a
> "back" net for administrative traffic. Syslog flowing over the
> administrative net (over TCP) was fine, even when the front-net might
> have been melting down (I'm not saying it was, that might be private
> information).
>
> OBTW, we'd probably be better with just a front-net and a mid-net, the
> extra burden of maintaining a third network doesn't really seem to be
> paying off (IMO, others around here may disagree).
> --
> Nate Campi   Wired UNIX Operations   TerraLycos DNS Operations
>
> Perl - The only language that looks the same before and after RSA
> encryption. -Keith Bostic

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
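One concrete way to answer Ron's question (how a compromised web server A is kept from using the middle or back LAN to reach database server B) is to put a default-drop ingress allow-list on every host, keyed on both the arriving interface and the source address. The script below is an added example written for this thread, not code from any poster; the host names, interface names, addresses and port numbers are assumptions chosen for illustration, and `allowed()` is a simplified first-match model of the ruleset it renders (new inbound connections only, no connection tracking). It shows that after A is compromised, A2 can still open the database port on B2 and nothing else, A3 cannot reach B3 at all, and syslog over TCP to the collector on the back net (Nate's setup) keeps working.

```python
"""Per-host ingress allow-lists for a front/middle/back segmented server.

Added example for the loganalysis thread; all names and addresses are
constructed. Each server has eth0 on the front net, eth1 on the middle
net and eth2 on the back net, as in Ron's A1/A2/A3 notation.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    iface: str  # local interface name, e.g. "eth1"
    cidr: str   # address range of the network attached to that interface


@dataclass(frozen=True)
class Rule:
    """Accept traffic arriving on `iface` from `src` to `proto` port `dport`."""
    iface: str
    src: str    # CIDR of permitted sources
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Policy:
    host: str
    segments: List[Segment]
    rules: List[Rule]


def render_nft(policy: Policy) -> str:
    """Render the policy as an nftables ruleset with a default-drop input chain.

    The anti-spoof lines drop packets whose source is not in the network
    the interface is attached to, so a host on the middle net cannot claim
    a back-net address to satisfy a back-net rule.
    """
    lines = [
        f"# host {policy.host}: inbound allow-list, everything else dropped",
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        '    iif "lo" accept',
    ]
    for s in policy.segments:
        lines.append(f'    iif "{s.iface}" ip saddr != {s.cidr} drop')
    for r in policy.rules:
        lines.append(f'    iif "{r.iface}" ip saddr {r.src} {r.proto} dport {r.dport} accept')
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


def allowed(policy: Policy, iface: str, src_ip: str, proto: str, dport: int) -> Optional[Rule]:
    """Decide whether a new inbound connection is accepted (returns the rule) or dropped (None)."""
    ip = ipaddress.ip_address(src_ip)
    seg = next((s for s in policy.segments if s.iface == iface), None)
    if seg is None or ip not in ipaddress.ip_network(seg.cidr):
        return None  # unknown interface or spoofed source address
    for r in policy.rules:
        if (r.iface == iface and r.proto == proto and r.dport == dport
                and ip in ipaddress.ip_network(r.src)):
            return r
    return None


def exposed_ports(policy: Policy, iface: str, src_ip: str, candidates: List[int]) -> List[Tuple[str, int]]:
    """Audit helper: which (proto, port) pairs a given source can open on this host."""
    return sorted((proto, p) for proto in ("tcp", "udp") for p in candidates
                  if allowed(policy, iface, src_ip, proto, p))


# Constructed topology (assumption): A = web server, B = database server,
# L = log collector, J = admin jump host. Middle net 10.1.0.0/24, back net 10.2.0.0/24.
A2, A3 = "10.1.0.10", "10.2.0.10"   # web server's middle / back addresses
J3 = "10.2.0.5"                      # jump host, back net only
L3 = "10.2.0.2"                      # log collector, back net only

DB_SERVER = Policy(
    host="B",
    segments=[Segment("eth0", "203.0.113.0/24"), Segment("eth1", "10.1.0.0/24"),
              Segment("eth2", "10.2.0.0/24")],
    rules=[
        Rule("eth1", f"{A2}/32", "tcp", 5432),  # only the web server, only the DB port, middle net
        Rule("eth2", f"{J3}/32", "tcp", 22),    # admin SSH only from the jump host, back net
        # nothing inbound on eth0: B is not an internet-facing host
    ],
)

LOG_COLLECTOR = Policy(
    host="L",
    segments=[Segment("eth2", "10.2.0.0/24")],
    rules=[
        Rule("eth2", "10.2.0.0/24", "tcp", 514),  # syslog over TCP from any back-net host
        Rule("eth2", f"{J3}/32", "tcp", 22),
    ],
)

if __name__ == "__main__":
    print(render_nft(DB_SERVER))
    print("web server can still reach on B via middle net:",
          exposed_ports(DB_SERVER, "eth1", A2, [22, 80, 514, 5432]))
```

The point of keying rules on the interface as well as the source is Ron's "continuous network" worry: if B only checked source addresses, A could present a back-net address on the middle interface. With the anti-spoof drop, a compromised A is limited to exactly the flows the application needs, and the administrative net carrying syslog is not reachable from the middle net at all.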
This archive was generated by hypermail 2b30 : Wed Jan 29 2003 - 08:54:46 PST