RE: [logs] Logging in the DMZ

From: bmcdowell@private
Date: Mon Feb 09 2004 - 10:47:16 PST


    Thanks for the quick reply.
    
    What bugs me the most about option #1 is someone exploiting the hole in the firewall for something other than my database server.  The risk of this is somewhat low, but if successfully leveraged it would mean circumventing the internal firewall, which would be bad...
    
    Thanks for the recommendation.  I think you may be right.
    
    
    Bob
    
    -----Original Message-----
    From: Safier, Adam * [mailto:Safier@private]
    Sent: Monday, February 09, 2004 8:21 AM
    To: Bob McDowell; loganalysis@private
    Subject: RE: [logs] Logging in the DMZ
    
    
    If you lose the DMZ with option 2 then you could also lose your logs.  My
    philosophy is that only things that have to be seen by the outside world
    should live in the first DMZ.  This does work nicely if you happen to have a
    second DMZ for "specialized" equipment.  Sometimes you get lucky and have an
    extra port on firewalls that can have multiple parallel zones.
    
    If you lose your DMZ with option 1 your database server becomes vulnerable
    to attack via the database ports. Sometimes a database could use multiple
    ports after the initial connection which can make tracking a pain.  You have
    to worry about the database vulnerabilities and patching a bit more.  Of
    course, since you should worry about it anyway for internal user hacking it
    may not make a difference.
    
    Personally, I like the idea of logging to a parsing program.  While updating
    a database it should check for buffer overflows and other data boundaries.
    Of course, if you really trust the database programmers you can just let the
    database do the checking, in which case I would pick #1 and watch for
    database patches like a hawk.
    
    Adam
    
    -----Original Message-----
    From: bmcdowell@private [mailto:bmcdowell@private]
    
    1)  Use database logging, where possible, and forward that to an internal
    server.
    2)  Put a db and syslog server in the DMZ and do my best to secure it.
    
    Has anyone on the list dealt with this same issue?  I'd really appreciate a
    dialogue here, meanwhile I'm going to continue checking out this cool new
    site.
    
    
    Thanks,
    
    Bob
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
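Adam's suggestion above (log to a parsing program that checks buffer overflows and data boundaries before updating the database), as an added example that is not code from the original thread: a minimal syslog receiver that enforces length, character set and range limits on every field, and then hands the database only bounded, typed values through a parameterized insert. The field caps, the SQLite schema and the sample lines are all constructed for this example.

```python
import re
import sqlite3

# Bounds checked before anything reaches the DB; the per-field caps are assumptions for this example.
MAX_LINE, MAX_HOST, MAX_TAG, MAX_MSG = 1024, 255, 32, 768
# Classic BSD syslog layout: <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

def parse_line(raw):
    # Return bounded, decoded fields, or None if the line violates any limit.
    if len(raw) > MAX_LINE or not raw.isascii():
        return None
    line = raw.decode("ascii")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in line):
        return None  # control bytes (NUL, ESC, ...) never reach the DB
    m = SYSLOG_RE.match(line)
    if (not m or int(m["pri"]) > 191  # PRI = facility*8 + severity, max 23*8+7
            or len(m["host"]) > MAX_HOST or len(m["tag"]) > MAX_TAG or len(m["msg"]) > MAX_MSG):
        return None
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8, "ts": m["ts"], "host": m["host"],
            "tag": m["tag"], "pid": int(m["pid"]) if m["pid"] else None, "msg": m["msg"]}

def ingest(lines, conn=None):
    # Store well-formed lines with a parameterized INSERT; return (accepted, rejected).
    conn = sqlite3.connect(":memory:") if conn is None else conn
    conn.execute("CREATE TABLE IF NOT EXISTS syslog (facility INT, severity INT, "
                 "ts TEXT, host TEXT, tag TEXT, pid INT, msg TEXT)")
    accepted = rejected = 0
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            rejected += 1
            continue
        # dict insertion order matches the column order declared above
        conn.execute("INSERT INTO syslog VALUES (?,?,?,?,?,?,?)", tuple(rec.values()))
        accepted += 1
    conn.commit()
    return accepted, rejected

# Constructed sample input: two valid lines, one oversized message, one with a NUL byte.
SAMPLE = [
    b"<34>Feb  9 08:21:00 dmz-web sshd[1234]: Failed password for admin from 192.0.2.10 port 5222 ssh2",
    b"<13>Feb  9 08:21:05 dmz-web httpd: GET /index.html 200",
    b"<13>Feb  9 08:21:06 dmz-web httpd: " + b"A" * 2000,
    b"<13>Feb  9 08:21:07 dmz-web httpd: bad\x00byte",
]
```

Running `ingest(SAMPLE)` accepts the two well-formed lines and rejects the other two before any SQL is issued, so the database's own input checking (and its patch level) is no longer the only thing standing between the DMZ and the internal network.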
    



    This archive was generated by hypermail 2b30 : Mon Feb 09 2004 - 10:59:02 PST