RE: [logs] Logging in the DMZ

From: Safier, Adam * (Safier@private)
Date: Mon Feb 09 2004 - 06:20:48 PST


    If you lose the DMZ with option 2 then you could also lose your logs.  My
    philosophy is that only things that have to be seen by the outside world
    should live in the first DMZ.  This does work nicely if you happen to have a
    second DMZ for "specialized" equipment.  Sometimes you get lucky and have an
    extra port on firewalls that can have multiple parallel zones.
    
    If you lose your DMZ with option 1 your database server becomes vulnerable
    to attack via the database ports. Sometimes a database could use multiple
    ports after the initial connection, which can make tracking a pain.  You have
    to worry about the database vulnerabilities and patching a bit more.  Of
    course, since you should worry about it anyway for internal user hacking it
    may not make a difference.
    
    Personally, I like the idea of logging to a parsing program.  While updating
    a database it should check for buffer overflows and other data boundaries.
    Of course, if you really trust the database programmers you can just let the
    database do the checking, in which case I would pick #1 and watch for
    database patches like a hawk.
    
    Adam
    
    -----Original Message-----
    From: bmcdowell@private [mailto:bmcdowell@private]
    
    1)  Use database logging, where possible, and forward that to an internal
    server.
    2)  Put a db and syslog server in the DMZ and do my best to secure it.
    
    Has anyone on the list dealt with this same issue?  I'd really appreciate a
    dialogue here, meanwhile I'm going to continue checking out this cool new
    site.
    
    
    Thanks,
    
    Bob
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
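The "parsing program" Adam describes above sits between the DMZ log sources and the internal database and refuses anything outside expected bounds before it touches the database. The following is an added illustration written for this archive page, not code from Adam, Bob or the LogAnalysis list. It assumes a BSD-syslog-style line layout (`<PRI>timestamp host tag[pid]: message`), uses SQLite in memory as a stand-in for the internal database, and the field limits (1024-byte line, 255-byte host, 64-byte tag) are constructed for the example rather than taken from any standard the thread cites. Rejected lines are stored separately with the reason, so an attempt to smuggle oversized or control-character payloads through the logging path is itself recorded.

```python
"""Log relay validator: parse syslog-style lines from DMZ hosts, enforce field
bounds, then store them with parameterized SQL. Added example, not from the thread."""
import re
import sqlite3
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed limits for this example (not from the thread or a standard).
MAX_LINE = 1024
MAX_PRI = 191          # highest valid syslog PRI: facility 23, severity 7

# Assumed line layout: "<PRI>Mon DD HH:MM:SS host tag[pid]: message"
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ 0-9]\d \d\d:\d\d:\d\d) "
    r"(?P<host>[A-Za-z0-9.\-]{1,255}) "
    r"(?P<tag>[A-Za-z0-9_./\-]{1,64})(?:\[(?P<pid>\d{1,10})\])?: "
    r"(?P<msg>.*)$"
)
PRINTABLE = re.compile(r"^[\x20-\x7e]*$")   # printable ASCII only, no escapes


@dataclass
class LogRecord:
    facility: int
    severity: int
    timestamp: str
    host: str
    tag: str
    pid: Optional[int]
    message: str


class RejectedLine(ValueError):
    """Raised when a line fails a boundary or layout check."""


def parse_line(raw: str) -> LogRecord:
    """Validate one raw line and split it into bounded, typed fields."""
    if len(raw) > MAX_LINE:
        raise RejectedLine(f"line too long ({len(raw)} > {MAX_LINE})")
    if not PRINTABLE.match(raw):
        raise RejectedLine("non-printable or non-ASCII bytes in line")
    m = SYSLOG_RE.match(raw)
    if not m:
        raise RejectedLine("does not match expected syslog layout")
    pri = int(m["pri"])
    if pri > MAX_PRI:
        raise RejectedLine(f"priority out of range: {pri}")
    return LogRecord(
        facility=pri >> 3, severity=pri & 7, timestamp=m["ts"],
        host=m["host"], tag=m["tag"],
        pid=int(m["pid"]) if m["pid"] else None, message=m["msg"],
    )


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    """SQLite stands in for the internal database server here."""
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE IF NOT EXISTS logs (
        id INTEGER PRIMARY KEY, facility INTEGER, severity INTEGER, ts TEXT,
        host TEXT, tag TEXT, pid INTEGER, message TEXT)""")
    conn.execute("""CREATE TABLE IF NOT EXISTS rejected (
        id INTEGER PRIMARY KEY, reason TEXT, raw TEXT)""")
    return conn


def store_lines(conn: sqlite3.Connection, lines) -> Tuple[int, int]:
    """Insert accepted lines and record rejected ones; returns (accepted, rejected)."""
    accepted = rejected = 0
    for raw in lines:
        try:
            rec = parse_line(raw)
        except RejectedLine as exc:
            # Keep the offending text (truncated) so tampering attempts are visible.
            conn.execute("INSERT INTO rejected (reason, raw) VALUES (?, ?)",
                         (str(exc), raw[:MAX_LINE]))
            rejected += 1
            continue
        # Parameterized insert: message content is data, never part of the SQL text.
        conn.execute(
            "INSERT INTO logs (facility, severity, ts, host, tag, pid, message) "
            "VALUES (?, ?, ?, ?, ?, ?, ?)",
            (rec.facility, rec.severity, rec.timestamp, rec.host, rec.tag,
             rec.pid, rec.message))
        accepted += 1
    conn.commit()
    return accepted, rejected


def table_counts(conn: sqlite3.Connection) -> Tuple[int, int]:
    """Rows in (logs, rejected)."""
    logs = conn.execute("SELECT COUNT(*) FROM logs").fetchone()[0]
    bad = conn.execute("SELECT COUNT(*) FROM rejected").fetchone()[0]
    return logs, bad


# Constructed sample input: three well-formed lines, three that violate a bound.
SAMPLE_LINES = [
    "<34>Feb  9 06:20:48 dmz-web01 sshd[2042]: Failed password for invalid user admin from 192.0.2.10 port 4242 ssh2",
    "<13>Feb  9 06:21:02 dmz-web01 httpd: GET /index.html 200",
    "<13>Feb  9 06:21:05 dmz-web01 httpd: " + "A" * 2000,          # oversized
    "<13>Feb  9 06:21:07 dmz-web01 httpd: bad\x1b[2Jterminal escape",  # control chars
    "<999>Feb  9 06:21:09 dmz-web01 httpd: weird priority",          # PRI out of range
    "<13>Feb  9 06:21:11 dmz-web01 httpd: x'); DROP TABLE logs; --",  # stored as data
]

if __name__ == "__main__":
    db = open_store()
    print("accepted/rejected:", store_lines(db, SAMPLE_LINES))
    for reason, raw in db.execute("SELECT reason, raw FROM rejected"):
        print("REJECTED:", reason, "|", raw[:60])
```

Run as a script it accepts three lines and rejects three; the line with SQL-looking text in its message is accepted unchanged because the insert is parameterized, which is the point of doing the boundary checks in the relay rather than trusting whatever arrives from the DMZ.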
    



    This archive was generated by hypermail 2b30 : Mon Feb 09 2004 - 09:39:20 PST