Thanks for the quick reply.

What bugs me the most about option #1 is someone exploiting the hole in the firewall for something other than my database server. The risk of this is somewhat low, but if successfully leveraged it would mean circumventing the internal firewall, which would be bad...

Thanks for the recommendation. I think you may be right.

Bob

-----Original Message-----
From: Safier, Adam * [mailto:Safier@private]
Sent: Monday, February 09, 2004 8:21 AM
To: Bob McDowell; loganalysis@private
Subject: RE: [logs] Logging in the DMZ

If you lose the DMZ with option 2 then you could also lose your logs. My philosophy is that only things that have to be seen by the outside world should live in the first DMZ. This does work nicely if you happen to have a second DMZ for "specialized" equipment. Sometimes you get lucky and have an extra port on firewalls that can have multiple parallel zones.

If you lose your DMZ with option 1 your database server becomes vulnerable to attack via the database ports. Sometimes a database could use multiple ports after the initial connection, which can make tracking a pain. You have to worry about the database vulnerabilities and patching a bit more. Of course, since you should worry about it anyway for internal user hacking, it may not make a difference.

Personally, I like the idea of logging to a parsing program. While updating a database it should check for buffer overflows and other data boundaries. Of course, if you really trust the database programmers you can just let the database do the checking, in which case I would pick #1 and watch for database patches like a hawk.

Adam

-----Original Message-----
From: bmcdowell@private [mailto:bmcdowell@private]

1) Use database logging, where possible, and forward that to an internal server.
2) Put a db and syslog server in the DMZ and do my best to secure it.

Has anyone on the list dealt with this same issue? I'd really appreciate a dialogue here; meanwhile I'm going to continue checking out this cool new site.

Thanks,
Bob

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
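Adam's suggestion above, a parsing program that checks data boundaries before anything is written to the log database, as an added example that is not code from the thread or from either poster. It assumes RFC 3164-style syslog lines, the field bounds given as constants (MAX_LINE, MAX_HOST, MAX_TAG, MAX_MSG, chosen here rather than taken from the thread), a local SQLite table as a stand-in for the real database, and constructed sample lines, one of which carries an SQL injection attempt in its message body. Lines that fail a bound or format check never reach the database; lines that pass are inserted with bound parameters, so log content is stored as data rather than interpreted as part of the statement.

```python
# Added example: bounds-checking syslog parser in front of a log database.
import re
import sqlite3

# Assumed bounds. RFC 3164 caps a packet at 1024 bytes and the TAG at 32
# characters; the host and message limits are local policy, not a standard.
MAX_LINE = 1024
MAX_HOST = 255
MAX_TAG = 32
MAX_MSG = 512

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>[A-Za-z0-9.\-]+) "
    r"(?P<tag>[A-Za-z0-9_./\-]+)(?:\[(?P<pid>\d{1,10})\])?: ?"
    r"(?P<msg>.*)$"
)


class RejectedLine(ValueError):
    """Raised for any line that fails a boundary or format check."""


def parse_syslog(line: str) -> dict:
    """Parse one syslog line, refusing anything outside the expected bounds."""
    if len(line.encode("utf-8", "replace")) > MAX_LINE:
        raise RejectedLine("line longer than MAX_LINE bytes")
    # Control characters never belong in a log line; they are the usual way
    # to forge extra entries or confuse whatever displays the logs later.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in line):
        raise RejectedLine("control character in line")
    m = SYSLOG_RE.match(line)
    if m is None:
        raise RejectedLine("does not match the expected syslog layout")
    pri = int(m["pri"])
    if pri > 191:  # facility 0..23 and severity 0..7 give at most 23*8+7
        raise RejectedLine("PRI out of range")
    host, tag, msg = m["host"], m["tag"], m["msg"]
    if len(host) > MAX_HOST or len(tag) > MAX_TAG or len(msg) > MAX_MSG:
        raise RejectedLine("field exceeds its bound")
    return {
        "facility": pri >> 3, "severity": pri & 7, "timestamp": m["ts"],
        "host": host, "tag": tag,
        "pid": int(m["pid"]) if m["pid"] else None, "message": msg,
    }


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    """Open (or create) the log table; in-memory by default so this runs offline."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS logs (facility INTEGER, severity INTEGER, "
        "ts TEXT, host TEXT, tag TEXT, pid INTEGER, message TEXT)"
    )
    return conn


def ingest(conn: sqlite3.Connection, lines) -> tuple:
    """Validate each line and store the good ones with a parameterised INSERT.

    Returns (accepted, rejected). Rejected lines never touch the database;
    accepted ones are bound as parameters, so their content cannot change
    the statement.
    """
    accepted = rejected = 0
    for line in lines:
        try:
            rec = parse_syslog(line)
        except RejectedLine:
            rejected += 1
            continue
        conn.execute(
            "INSERT INTO logs VALUES (?, ?, ?, ?, ?, ?, ?)",
            (rec["facility"], rec["severity"], rec["timestamp"], rec["host"],
             rec["tag"], rec["pid"], rec["message"]),
        )
        accepted += 1
    conn.commit()
    return accepted, rejected


def stored_messages(conn: sqlite3.Connection) -> list:
    """Return the message column of every stored row, in insertion order."""
    return [r[0] for r in conn.execute("SELECT message FROM logs ORDER BY rowid")]


# Constructed sample input: two normal lines, one carrying an SQL injection
# attempt in its message body, and four lines that must be rejected.
SAMPLE_LINES = [
    "<34>Feb  9 08:21:00 dmzweb01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2",
    "<13>Feb  9 08:21:01 dmzweb01 httpd: GET /index.html 200",
    "<13>Feb  9 08:21:02 dmzweb01 httpd: ' ; DROP TABLE logs; --",
    "<13>Feb  9 08:21:03 dmzweb01 httpd: " + "A" * 2000,   # over MAX_LINE
    "<999>Feb  9 08:21:04 dmzweb01 httpd: bad priority",   # PRI out of range
    "<13>Feb  9 08:21:05 dmzweb01 httpd: forged\x00entry",  # control character
    "not a syslog line at all",                             # no header
]

if __name__ == "__main__":
    db = open_store()
    print("accepted/rejected:", ingest(db, SAMPLE_LINES))
    for message in stored_messages(db):
        print("stored:", message)
```

Running it accepts the first three lines and rejects the other four; the injection attempt ends up in the table as a literal message and the `logs` table is still there afterwards. For the option-1 layout in the thread, the same checks belong in whatever forwards the DMZ logs to the internal server, since the DMZ host is the one an attacker gets to feed input to.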
This archive was generated by hypermail 2b30 : Mon Feb 09 2004 - 10:59:02 PST