RE: [logs] RE: Logging in the DMZ

From: Rainer Gerhards (rgerhards@private)
Date: Tue Feb 10 2004 - 06:47:41 PST


    I think the issue of a switch is indeed important. If you go for a
    stealth server, I would probably insist on using a hub for connecting
    it. I think if you really go for the added security, probably a better
    way is to actually set up a syslogd with a real address - one that is
    running and listening, that can be attacked and that appears to be live
    because it is live. Let the attackers hack that box. Then, connect this
    box via a hub to the central switch. On the same hub, connect your
    stealth syslogd, the one that shall not be hacked and not be seen.
    
    So you create the impression of a live syslogd while you actually use a
    stealth device to keep track of things. Comparing log entries on the
    visible and the invisible box may also be quite interesting ;)
    
    Rainer 
    
    > -----Original Message-----
    > From: Michael Batchelder [mailto:piranhabros@private] 
    > Sent: Tuesday, February 10, 2004 7:31 AM
    > To: loganalysis@private
    > Subject: [logs] RE: Logging in the DMZ
    > 
    > In regards to the stealth log server setup...  While I haven't
    > ever done this (the thought of spewing log packets out lots of
    > ports makes me nervous), just reading the descriptions people
    > have posted or linked to, I think I'll throw in this tidbit.  It
    > might be a no-brainer for folks, but in any case...
    > 
    > So let's say you are using a bogus IP address in syslog.conf +
    > hard-coding MAC address-to-IP address mappings in the hosts
    > generating the logs to get the packets onto the wire.   Remember
    > that if said wire is connected into a switch, which is often the
    > case, then the configuration of the switch can play a role.  (I
    > see the LinuxJournal article did not address this, and assumed
    > layer 2 connectivity was provided by a *hub*, which simplifies
    > things greatly.)
    > 
    > With a switch, the needed behavior--broadcasting the log packets
    > to ALL ports--is possible because a switch which has not learned
    > which port to map a given MAC address will be in "learning" mode
    > and may broadcast the packet to all ports, thus acting like a
    > hub.  But that behavior is configuration-dependent, and the
    > heavier the iron, the more ways things get switched.  So a Cisco
    > 29XX or 35XX is fairly straightforward, but if your DMZ segment
    > is a VLAN off a 6509, you may be doing more funky things that
    > could impact your ability to broadcast in the general direction
    > of the syslog server...  And even 29XX's have modes for port
    > security and such that may do stuff to unicast packets w/unknown
    > MAC addresses.  Since you're hardcoding MAC addys in the hosts,
    > might want to do it in the switch too.  Caveat administrator.
    > 
    > Binky
    > 
    > _______________________________________________
    > LogAnalysis mailing list
    > LogAnalysis@private
    > http://lists.shmoo.com/mailman/listinfo/loganalysis
    > 
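An added example, not code from the post or from either author, showing the receiving side of the setup discussed in this thread in Python. The stealth collector never answers on the network; it only decodes frames that the switch (or hub) flooded to its port, the way a promiscuous sniffer such as tcpdump would hand them over (the capture itself is not shown), and it then checks what it saw against the decoy syslogd's log file, which is Rainer's point about comparing the visible and the invisible box. The frame builder, the MAC and IP addresses, and the sample messages are all constructed for this example; the decoy's "cleaned" log file is likewise made up.

```python
# Stealth syslog collector and decoy comparison (added example, not from the
# thread). All frames, addresses and log lines below are constructed.
import struct
from typing import Dict, List, Optional, Tuple

SYSLOG_PORT = 514
ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17
# Hypothetical MAC the sending hosts hard-code for the bogus syslog address.
STEALTH_MAC = bytes.fromhex("0200aabbccdd")

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_pri(payload: bytes) -> Tuple[str, str, str]:
    """Split a BSD syslog payload '<PRI>msg' into (facility, severity, msg)."""
    text = payload.decode("ascii", errors="replace")
    end = text.find(">")
    if not text.startswith("<") or end < 2 or not text[1:end].isdigit():
        return ("user", "notice", text)  # RFC 3164 default when PRI is missing
    pri = int(text[1:end])
    if pri > 191:
        return ("user", "notice", text)  # out-of-range PRI, treat as no PRI
    return (FACILITIES[pri >> 3], SEVERITIES[pri & 7], text[end + 1:])


def parse_frame(raw: bytes) -> Optional[Dict[str, str]]:
    """Decode Ethernet/IPv4/UDP; return the syslog message or None when the
    frame is not a UDP datagram to port 514 (or is truncated/malformed)."""
    if len(raw) < 14 + 20 + 8:
        return None
    dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ihl = (raw[14] & 0x0F) * 4                 # IP header length in bytes
    if ihl < 20 or len(raw) < 14 + ihl + 8:
        return None
    if raw[23] != PROTO_UDP:
        return None
    src_ip, dst_ip = raw[26:30], raw[30:34]
    udp = raw[14 + ihl:]
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
    if dport != SYSLOG_PORT or ulen < 8 or len(udp) < ulen:
        return None
    facility, severity, msg = parse_pri(udp[8:ulen])
    return {"dst_mac": dst_mac.hex(":"),
            "src_ip": ".".join(str(b) for b in src_ip),
            "dst_ip": ".".join(str(b) for b in dst_ip),
            "facility": facility, "severity": severity, "msg": msg}


def build_frame(src_ip: str, dst_ip: str, payload: bytes, dport: int = SYSLOG_PORT) -> bytes:
    """Construct a sample Ethernet/IPv4/UDP frame (test input only; checksums
    are left zero, so this is not a sender implementation)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64,
                         PROTO_UDP, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    udp_hdr = struct.pack("!HHHH", 514, dport, 8 + len(payload), 0)
    eth_hdr = STEALTH_MAC + bytes.fromhex("020011223344") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + udp_hdr + payload


# Constructed capture: what the switch flooded to the stealth port.
CAPTURED_FRAMES = [
    build_frame("10.1.1.5", "10.1.1.250", b"<38>sshd[812]: Accepted publickey for ops from 10.1.1.9"),
    build_frame("10.1.1.5", "10.1.1.250", b"<37>sshd[815]: Failed password for root from 192.0.2.7"),
    build_frame("10.1.1.6", "10.1.1.250", b"<86>su: pam_unix(su:session): session opened for user root"),
    build_frame("10.1.1.6", "10.1.1.1", b"not syslog at all", dport=53),  # ignored
]

# Constructed contents of the decoy syslogd's file after an intruder trimmed it.
DECOY_LOG = [
    "Feb 10 06:47:01 dmzweb sshd[812]: Accepted publickey for ops from 10.1.1.9",
    "Feb 10 06:47:09 dmzdb su: pam_unix(su:session): session opened for user root",
]


def collect(frames: List[bytes]) -> List[Dict[str, str]]:
    """Run the decoder over every captured frame, keeping only syslog traffic."""
    return [m for m in (parse_frame(f) for f in frames) if m is not None]


def missing_on_decoy(stealth: List[Dict[str, str]], decoy_lines: List[str]) -> List[str]:
    """Messages the stealth box saw that the decoy's log no longer contains.
    Decoy lines carry timestamp/hostname prefixes, so match by substring."""
    return [m["msg"] for m in stealth
            if not any(m["msg"] in line for line in decoy_lines)]


if __name__ == "__main__":
    seen = collect(CAPTURED_FRAMES)
    for m in seen:
        print(f'{m["src_ip"]} {m["facility"]}.{m["severity"]}: {m["msg"]}')
    for gone in missing_on_decoy(seen, DECOY_LOG):
        print("REMOVED FROM DECOY:", gone)
```

Because the stealth host only ever reads frames and never transmits, nothing on the segment can tell it apart from an empty switch port; the price, as Michael notes, is that you depend on the switch actually flooding the unknown-MAC traffic to that port, which is a switch configuration matter rather than something this code can fix.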
    



    This archive was generated by hypermail 2b30 : Tue Feb 10 2004 - 09:25:38 PST