[lug] logs

[D. Stimits]

Sean Reifschneider wrote:
> 
> On Mon, Jul 30, 2001 at 12:49:27AM -0600, D. Stimits wrote:
> >Don't forget that if you use UDP, and the firewall is breached, you will
> >lose the second machine if it is not also maintained with very good
> 
> How so?  I'm not aware of any exploits against current syslogd versions, so
> allowing the server to send packets to the UDP port used by syslogd on the
> client shouldn't allow remote compromise.  Sure they could dump a bunch of
> stuff to your local syslog, but at least you won't lose the record of the
> compromise.

The point is in the statement about no "exploits against current
syslogd". An older version would be cracked. And I'm sure that one day,
another exploit of it will be found...that'll be the same day the
cracker breaks the firewall machine (one of Murphy's laws). More
important, the machine behind the firewall, if you expect firewall
breach, needs to be treated as if it is in a militarized zone, even if
it is "safe" until the firewall is breached. Logging to an otherwise
open machine that is directly attached to the breached machine is a bit
like the saying of skating on thin ice. The log machine, if it is to
avoid breach, must be better secured than the firewall that got taken
out in the first place. Sending logs via email to a machine that is
completely isolated from the breached machine is a way to do that
(separate machines with no direct interface).

D. Stimits, stimits at idcomm.com

> 
> I must have misunderstood what you were saying...
> 
> Sean
> --
>  Let's just say that your monkeys aren't quite typing Shakespeare.
>    -- Sean Reifschneider, speaking about Quicken support, 2001
> Sean Reifschneider, Inimitably Superfluous <jafo at tummy.com>
> tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug