Date: Mon, 19 Feb 2001 09:28:42 +1100
From: Tony Landells <ahl@austclear.com.au>
To: Brian Reichert <reichert@numachi.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Remote logging
Message-ID: <200102182228.JAA22169@tungsten.austclear.com.au>
In-Reply-To: Message from Brian Reichert <reichert@numachi.com> of "Sun, 18 Feb 2001 17:07:53 CDT." <20010218170753.A85795@numachi.com>
> To develop this further: people trying to handle these issues have
> _multiple_ networks. Each important (public) host has two NICs
> and is on both.
>
> The loghost is on that private 'administrative' network, and is
> locked down to death. Along with any terminal servers, backup
> servers, etc. These are machines that are the support structure
> of your LAN. If you allow logins at all, you would have in place
> strict access controls.
>
> Mind you, if one of the dual-homed hosts gets compromised, then
> the attacker could take steps to congest that administrative network,
> or congest the loghost. That's where an adaptive switch comes in,
> however you implement that.

One way I was thinking of doing this at one stage was to set up a
"stealth" filtering box which was configured as a bridge (it didn't
even have IP addresses), and basically let almost all traffic straight
through, except syslog stuff which it punted to a special machine off
to the side which did the logging (which could even be duplicating an
internal IP address, given that the filtering box wasn't doing layer 3
routing).

At the time I had been looking at ipfilter, but I think ipfw has all
the bits that are needed.

> > So, despite the secure log host, he might not get the valuable
> > info he needs. I suppose you could then start speculating a break in if
> > there are no more MARKs since syslogd is dead.
>
> I'm not certain which syslogd you're referring to, here.

I assume he's referring to the "mark" facility, which causes syslogd
to generate messages every twenty minutes.

Cheers,
Tony
--
Tony Landells <ahl@austclear.com.au>
Senior Network Engineer                 Ph:  +61 3 9677 9319
Australian Clearing Services Pty Ltd    Fax: +61 3 9677 9355
Level 4, Rialto North Tower
525 Collins Street
Melbourne VIC 3000
Australia
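The thread's suggestion of "speculating a break in if there are no more MARKs" can be turned into a concrete check on the loghost: track the most recent "-- MARK --" line per sending host and flag any host that has gone quiet for longer than the mark interval plus some slack. The script below is an added example written for this discussion; it is not code from the thread or from FreeBSD. It assumes the loghost stores the forwarded messages in the traditional "Mon DD HH:MM:SS host message" format, that every monitored host emits marks at syslogd's default twenty-minute interval, and that the set of hosts expected to report is known. The log lines are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# syslogd's default mark interval is twenty minutes; the grace period
# absorbs clock skew and a little queueing on the administrative network.
MARK_INTERVAL = timedelta(minutes=20)
GRACE = timedelta(minutes=5)

# Traditional syslog file format: "Mon DD HH:MM:SS host message".
# The day is space-padded for the first nine days of the month.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)

# Constructed sample: web2 stops marking after 16:40, web1 keeps going.
SAMPLE_LOG = """\
Feb 18 16:20:01 web1 -- MARK --
Feb 18 16:20:03 web2 -- MARK --
Feb 18 16:40:01 web1 -- MARK --
Feb 18 16:40:03 web2 -- MARK --
Feb 18 16:55:10 web2 sshd[4121]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
Feb 18 17:00:01 web1 -- MARK --
Feb 18 17:20:01 web1 -- MARK --
"""


def parse_line(line, year):
    """Return (timestamp, host, message) or None for a line we don't understand.

    The syslog timestamp carries no year, so the caller supplies it.
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["msg"]


def last_marks(lines, year):
    """Map each host to the timestamp of its most recent MARK line."""
    marks = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, host, msg = parsed
        if msg.strip() == "-- MARK --":
            # Logs are normally in order, but tolerate an out-of-order line.
            marks[host] = max(marks.get(host, ts), ts)
    return marks


def silent_hosts(lines, now, year, expected, interval=MARK_INTERVAL, grace=GRACE):
    """Return {host: last_mark_or_None} for every expected host that is overdue.

    A host with no MARK at all in the window is reported with None; a host
    whose last MARK is older than interval + grace is reported with that
    timestamp. Either way this is a prompt to look, not proof of a break-in:
    a dead syslogd, a congested administrative network and a crashed box
    all look the same from here.
    """
    marks = last_marks(lines, year)
    overdue = {}
    for host in expected:
        last = marks.get(host)
        if last is None or now - last > interval + grace:
            overdue[host] = last
    return overdue


if __name__ == "__main__":
    now = datetime(2001, 2, 18, 17, 30)  # constructed "current time"
    for host, last in sorted(silent_hosts(SAMPLE_LOG.splitlines(), now, 2001,
                                          expected={"web1", "web2", "web3"}).items()):
        when = last.strftime("%H:%M:%S") if last else "never"
        print(f"{host}: last MARK {when}")
```

Run periodically from cron on the loghost against a recent slice of the log, and treat the output as an alert to investigate rather than a verdict; the year argument matters around New Year, and a host restored from backup with a skewed clock will show up here until its time is corrected.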