---------- Forwarded message ----------
Date: Mon, 9 Feb 2004 16:06:56 -0800 (PST)
From: Tina Bird <tbird@precision-guesswork.com>
To: bmcdowell@private
Subject: RE: [logs] Logging in the DMZ

On Mon, 9 Feb 2004 bmcdowell@private wrote:

> What bugs me the most about option #1 is someone exploiting the hole in
> the firewall for something other than my database server. The risk of
> this is somewhat low, but if successfully leveraged it would mean
> circumventing the internal firewall, which would be bad...
>

One of the advantages to UDP syslog is that you can implement a stealth
logging system, that captures syslog data by collecting broadcast traffic.
If you want to really minimize visibility to systems in your DMZ, that
might be something to look at. Here's a broad overview:

http://www.linuxjournal.com/modules.php?op=modload&name=NS-lj-issues/issue92&file=5476s2

Basically, you pick a "fake" IP address for the apparent address of the
DMZ logserver. All boxes in the DMZ get a static ARP entry for a fake MAC
addr to go with the fake IP address. Then you put an interface with no IP
address in promiscuous mode and collect anything destined for UDP/514 on
the apparent loghost. You can use tcpdump or snort or whatever you like to
reassemble the syslog data out of the packets.

I think JP Vossen has info on how to use snort for this on his web site,
but I'm having trouble tracking it down anywhere...

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
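The collection side of the stealth loghost described above, as an added example that is not part of the original mail or the Linux Journal article: it decodes raw Ethernet frames the way a sniffer on the unaddressed promiscuous interface would see them, keeps only UDP datagrams addressed to the decoy IP on port 514, and parses the RFC 3164 syslog payload into facility, severity and message. The decoy IP, the fake MAC, and the sample frames are constructed placeholders; in a real deployment the frames would come from tcpdump, snort or a pcap library with an equivalent `udp and dst host <decoy> and dst port 514` filter.

```python
"""Passive syslog collection for a decoy loghost (added example).

Decodes Ethernet/IPv4/UDP frames, filters on the decoy address and port
514, and parses the RFC 3164 payload. Frames are constructed inline so the
script runs offline; no live capture is performed.
"""
import socket
import struct

# ASSUMPTION: decoy ("fake") loghost IP and the fake MAC that the DMZ
# hosts bind to it with static ARP entries. Both values are placeholders.
DECOY_IP = "192.0.2.254"
DECOY_MAC = bytes.fromhex("020000000afe")   # locally administered, unused
SYSLOG_PORT = 514
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum; yields 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, dst_port, payload, ethertype=ETHERTYPE_IPV4):
    """Constructed test frame: Ethernet + IPv4 + UDP (UDP checksum 0 = none)."""
    src_mac = bytes.fromhex("0200000000aa")          # constructed sender MAC
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 40000, dst_port, udp_len, 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                         IPPROTO_UDP, 0, socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    return DECOY_MAC + src_mac + struct.pack("!H", ethertype) + ip_hdr + udp


def decode_frame(frame: bytes):
    """Return {src, dst, sport, dport, payload} for a UDP/IPv4 frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < total_len or ip[9] != IPPROTO_UDP:
        return None
    if ip_checksum(ip[:ihl]) != 0:        # drop corrupted headers
        return None
    udp = ip[ihl:total_len]
    if len(udp) < 8:
        return None
    sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
    if ulen < 8 or ulen > len(udp):
        return None
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "payload": udp[8:ulen]}


def parse_syslog(payload: bytes) -> dict:
    """RFC 3164: '<PRI>message'; PRI 13 (user.notice) is assumed when absent."""
    text = payload.decode("utf-8", errors="replace")
    pri, msg = 13, text
    if text.startswith("<"):
        end = text.find(">", 1)
        if 1 < end <= 4 and text[1:end].isdigit():
            pri, msg = int(text[1:end]), text[end + 1:]
    return {"facility": pri // 8, "severity": pri % 8, "message": msg}


def collect(frames):
    """Keep only datagrams for the decoy loghost on UDP/514; parse each one."""
    records = []
    for frame in frames:
        pkt = decode_frame(frame)
        if pkt is None or pkt["dst"] != DECOY_IP or pkt["dport"] != SYSLOG_PORT:
            continue
        entry = parse_syslog(pkt["payload"])
        entry["src"] = pkt["src"]
        records.append(entry)
    return records


# Constructed sample traffic: two real syslog datagrams for the decoy, one
# datagram for another host, one to the wrong port, and one non-IP frame.
SAMPLE_FRAMES = [
    build_frame("192.0.2.10", DECOY_IP, SYSLOG_PORT,
                b"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"),
    build_frame("192.0.2.11", "192.0.2.99", SYSLOG_PORT, b"<13>not for the decoy"),
    build_frame("192.0.2.10", DECOY_IP, 53, b"not syslog"),
    build_frame("192.0.2.12", DECOY_IP, SYSLOG_PORT, b"message without a PRI"),
    DECOY_MAC + bytes(6) + struct.pack("!H", 0x0806) + bytes(28),
]

if __name__ == "__main__":
    for rec in collect(SAMPLE_FRAMES):
        print("%(src)s fac=%(facility)d sev=%(severity)d %(message)s" % rec)
```

The decode path checks the IPv4 header checksum and the IP/UDP length fields before trusting the payload, which matters for a passive collector that accepts whatever lands on the wire; the header-only filter mirrors what the tcpdump or snort rule would do, and the parsed records are what would be written to the real log store.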
This archive was generated by hypermail 2b30 : Mon Feb 09 2004 - 16:10:56 PST