On Mon, 9 Feb 2004, Raffael Marty wrote:

> If you do this, you might want to also use a one-way patch-cable that
> allows packets to only flow from the DMZ _to_ your log server. That way
> you don't even have to use a "fake" IP address for the log host. The
> advantage is that there is no way to compromise that system. [okay,
> there is, if someone would manage to exploit the syslog daemon and ... -
> let's not go there]. This is also the way you can set up your NIDS, just
> attach it to the same cable!

You can do this >also<, but it doesn't eliminate the need for the apparent
IP address. The apparent address is what gets put into the machines on the
DMZ that will be generating the logs -- it's what gets them onto the wire
so the stealth server can sniff them. The stealth server remains invisible
no matter what kind of cable you're using, because it doesn't need to have
an address visible on the DMZ.

Sorry I didn't explain it more clearly -- I'm continuing to look for a
better reference for the idea, and hoping I don't have to write it!

cheers -- tbird

--
It doesn't have to be our fault to be our responsibility.
-- Paul Robertson

http://www.precision-guesswork.com
Log Analysis http://www.loganalysis.org
VPN http://vpn.shmoo.com
tbird's Security Alerts http://securecomputing.stanford.edu/alert.html

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
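The following is an added example, not code from the post or from either poster, showing the mechanism tbird describes: DMZ hosts send syslog to an "apparent" address that no machine owns, and the collector, which has no IP on the DMZ segment at all, simply sniffs Ethernet frames for that destination and decodes the ones that are UDP/514. The addresses (192.0.2.250 as the phantom log host, 192.0.2.x senders), the MACs and the log lines are all constructed for the example. One caveat the post does not spell out: because nothing answers ARP for the apparent address, the senders need a static ARP entry for it (the assumed APPARENT_MAC below) or the datagrams never reach the wire.

```python
"""Stealth syslog collector (added example). DMZ senders address their
syslog to an apparent IP that no host owns; the collector has no address
on the segment and just sniffs frames for that destination.
All addresses, MACs and log lines here are constructed sample data."""
import socket
import struct

APPARENT_LOGHOST = "192.0.2.250"     # assumed fake address configured on DMZ senders
APPARENT_MAC = "02:00:00:00:05:14"   # assumed static ARP entry the senders hold for it
SYSLOG_PORT = 514
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_udp_frame(src_ip, dst_ip, dst_port, payload: bytes,
                    src_mac="02:00:00:00:00:01", dst_mac=APPARENT_MAC) -> bytes:
    """Build an Ethernet/IPv4/UDP frame as a DMZ sender would put it on the wire."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", SYSLOG_PORT, dst_port, udp_len, 0) + payload  # UDP csum optional
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip + udp


def decode_frame(frame: bytes):
    """Return a syslog record if the frame is UDP/514 to the apparent log host, else None."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
        return None                                   # not IPv4
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    if ip_checksum(ip) != 0 or ip[9] != 17:
        return None                                   # corrupt header or not UDP
    src_ip, dst_ip = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    if dst_ip != APPARENT_LOGHOST:
        return None                                   # not addressed to our phantom
    off = 14 + ihl
    _, dport, ulen, _ = struct.unpack("!HHHH", frame[off:off + 8])
    if dport != SYSLOG_PORT:
        return None
    text = frame[off + 8:off + ulen].decode("utf-8", "replace")
    facility = severity = None
    if text.startswith("<") and ">" in text[:5]:      # RFC 3164 <PRI> prefix
        close = text.index(">")
        try:
            pri = int(text[1:close])
            facility, severity = pri >> 3, pri & 7
            text = text[close + 1:]
        except ValueError:
            pass
    return {"src_ip": src_ip, "facility": facility, "severity": severity,
            "severity_name": SEVERITIES[severity] if severity is not None else None,
            "message": text}


def collect(frames):
    """The collector loop: keep only frames that decode as syslog to the apparent host."""
    return [r for r in (decode_frame(f) for f in frames) if r]


def sniff_live(iface: str):
    """Linux-only live version: a raw AF_PACKET socket needs no IP on iface."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
    s.bind((iface, 0))
    while True:
        rec = decode_frame(s.recv(65535))
        if rec:
            print(rec)


# Constructed sample traffic: two syslog datagrams to the phantom address,
# one DNS query to a different host that the collector must ignore.
SAMPLE_FRAMES = [
    build_udp_frame("192.0.2.10", APPARENT_LOGHOST, SYSLOG_PORT,
                    b"<34>Feb  9 18:57:10 dmz-web sshd[4242]: Failed password for root from 198.51.100.7 port 4444 ssh2"),
    build_udp_frame("192.0.2.11", APPARENT_LOGHOST, SYSLOG_PORT,
                    b"<134>Feb  9 18:57:11 dmz-mail postfix/smtpd[901]: connect from unknown[198.51.100.8]"),
    build_udp_frame("192.0.2.10", "192.0.2.53", 53, b"\x00\x01not-a-syslog-packet",
                    dst_mac="02:00:00:00:00:53"),
]

if __name__ == "__main__":
    for rec in collect(SAMPLE_FRAMES):
        print(rec)
```

Run as-is it decodes the constructed frames offline; `sniff_live("eth1")` is the real thing on a Linux collector whose DMZ-facing interface is up but carries no IP, which is exactly why the host never shows up on the segment. Note that plain UDP syslog carries no integrity protection, so anything on the DMZ can spoof a sender address; the one-way cable Marty mentions keeps the collector unreachable, but it does not make the log content trustworthy.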
This archive was generated by hypermail 2b30 : Mon Feb 09 2004 - 18:57:10 PST