If you lose the DMZ with option 2 then you could also lose your logs. My philosophy is that only things that have to be seen by the outside world should live in the first DMZ. This does work nicely if you happen to have a second DMZ for "specialized" equipment. Sometimes you get lucky and have an extra port on firewalls that can have multiple parallel zones.

If you lose your DMZ with option 1, your database server becomes vulnerable to attack via the database ports. Sometimes a database could use multiple ports after the initial connection, which can make tracking a pain. You have to worry about the database vulnerabilities and patching a bit more. Of course, since you should worry about it anyway for internal user hacking, it may not make a difference.

Personally, I like the idea of logging to a parsing program. While updating a database it should check for buffer overflows and other data boundaries. Of course, if you really trust the database programmers you can just let the database do the checking, in which case I would pick #1 and watch for database patches like a hawk.

Adam

-----Original Message-----
From: bmcdowell@private [mailto:bmcdowell@private]

1) Use database logging, where possible, and forward that to an internal server.
2) Put a db and syslog server in the DMZ and do my best to secure it.

Has anyone on the list dealt with this same issue? I'd really appreciate a dialogue here, meanwhile I'm going to continue checking out this cool new site.

Thanks,
Bob

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
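An added illustration of the "parsing program" Adam describes, sitting between the DMZ hosts and the internal database and checking data boundaries before anything is written. This is example code written for this archive page, not code from either poster or from any tool they used. It assumes a syslog-style line format ("<PRI>Mon DD HH:MM:SS host tag: message"), constructed length limits, and SQLite as a stand-in for the internal log database; every line that is malformed, over-length, or carries control characters is rejected and counted rather than forwarded, and the insert uses a parameterised query so the message text is never spliced into SQL.

```python
import re
import sqlite3
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Constructed limits for this example; a real deployment sizes these to its
# own schema and collector. Anything exceeding them is dropped and counted,
# never passed on to the database.
MAX_LINE_LEN = 1024
MAX_HOST_LEN = 64
MAX_TAG_LEN = 32
MAX_MSG_LEN = 512

# Assumed syslog-style line: "<PRI>Mon DD HH:MM:SS host tag: message"
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>[A-Za-z0-9.\-]+) "
    r"(?P<tag>[A-Za-z0-9_\-/.]+): "
    r"(?P<msg>.*)$"
)
# Printable ASCII only: rejects embedded NULs, newlines and terminal escapes
PRINTABLE_RE = re.compile(r"^[\x20-\x7e]*$")


@dataclass
class LogRecord:
    facility: int
    severity: int
    timestamp: str
    host: str
    tag: str
    message: str


def parse_line(line: str) -> Optional[LogRecord]:
    """Return a LogRecord if the line is well-formed and within bounds, else None."""
    line = line.rstrip("\r\n")
    if len(line) > MAX_LINE_LEN:          # whole-line bound first, before any regex work
        return None
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                         # facility 0-23, severity 0-7 => max 23*8+7
        return None
    host, tag, msg = m.group("host"), m.group("tag"), m.group("msg")
    if len(host) > MAX_HOST_LEN or len(tag) > MAX_TAG_LEN or len(msg) > MAX_MSG_LEN:
        return None
    if not PRINTABLE_RE.match(msg):
        return None
    return LogRecord(pri >> 3, pri & 7, m.group("ts"), host, tag, msg)


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    """Open (or create) the log table; SQLite stands in for the internal DB."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS logs ("
        " id INTEGER PRIMARY KEY, facility INTEGER, severity INTEGER,"
        " ts TEXT, host TEXT, tag TEXT, message TEXT)"
    )
    return conn


def ingest(conn: sqlite3.Connection, lines: Iterable[str]) -> Tuple[int, int]:
    """Validate each line and insert the good ones with a parameterised query.
    Returns (accepted, rejected) counts."""
    accepted = rejected = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected += 1
            continue
        conn.execute(
            "INSERT INTO logs (facility, severity, ts, host, tag, message)"
            " VALUES (?, ?, ?, ?, ?, ?)",
            (rec.facility, rec.severity, rec.timestamp, rec.host, rec.tag, rec.message),
        )
        accepted += 1
    conn.commit()
    return accepted, rejected


SAMPLE_LINES = [  # constructed sample input, not real log data
    "<34>Feb  9 09:39:20 dmz-web1 sshd: Failed password for invalid user admin from 192.0.2.10 port 4242 ssh2",
    "<13>Feb  9 09:39:21 dmz-web1 httpd: GET /index.html 200",
    "<13>Feb  9 09:39:22 dmz-web1 httpd: " + "A" * 600,       # message over MAX_MSG_LEN
    "<13>Feb  9 09:39:23 dmz-web1 httpd: bad\x1b[2Jescape",   # embedded terminal escape
    "garbage without a priority field",                       # does not match the format
    "<999>Feb  9 09:39:24 dmz-web1 httpd: bad priority",      # PRI out of range
]

if __name__ == "__main__":
    conn = open_store()
    ok, bad = ingest(conn, SAMPLE_LINES)
    print(f"accepted={ok} rejected={bad}")
    for row in conn.execute("SELECT severity, host, tag, message FROM logs"):
        print(row)
```

With the constructed sample, two lines are stored and four are rejected. The point of the separate parser is that the bounds are enforced by code you control, in front of the database, so a DMZ host that is compromised and starts emitting oversized or control-character-laden lines cannot push them into the internal store; the rejected count itself is worth alerting on, since a sudden rise in malformed lines from one host is a useful signal.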
This archive was generated by hypermail 2b30 : Mon Feb 09 2004 - 09:39:20 PST