[lug] logs

Sean Reifschneider jafo at tummy.com
Tue Jul 31 01:04:14 MDT 2001


On Tue, Jul 31, 2001 at 12:52:33AM -0600, D. Stimits wrote:
>Just a sample of separation. Not a good sample. But would you suggest
>that an exact copy of the cracked firewall is a good place to hold logs,

If its firewall rules allow *ONLY* port 540/udp traffic from the logging
source machine, you're probably ok in 99.9% of the cases, which means that
over all you're better off, and worst case you're no worse off than if the
logs resided on the machine broken into...

It's about trade-offs...  You can set up this really elaborate system that
falls down in many cases, may expose you to different vulnerabilities,
possibly is sending sensitive data to a third-party system (someone tries
logging in and accidentally types their password in place of the login
and that's logged, for example).  That *MAY* be a gain in 99.99% of the
situations, as long as the added complexity doesn't actually decrease the
overall reliability.

Simply setting up syslog on another machine may give you 40% better
security for very little cost.  Setting up syslog on a machine that's
really locked down may give you 99.9% with minimal complexity.

The worst case of setting up syslog on another machine is that you're no
worse off than if your logs were local.  Setting up the logs to be mailed
to another machine that's only reachable via your ISP can allow another
point for intrusion as outlined above, so in that case you're actually
WORSE off in the worst case...

It's all a very complex dance...

Sean
-- 
 A computer lets you make more mistakes faster than any invention in human
 history -- with the possible exceptions of handguns and tequila.
                 -- Mitch Ratcliffe
Sean Reifschneider, Inimitably Superfluous <jafo at tummy.com>
tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python
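An added example, not code from the post above or from tummy.com: the "locked down" log host the post describes, expressed as a reviewable rule set. It assumes Linux iptables on the log host, a sysklogd-style syslogd on both machines, and made-up addresses (192.0.2.10 for the log host, 192.0.2.1 for the firewall being logged); the syslog port used is 514/udp, the one registered for syslog in /etc/services. The rules are emitted as text so they can be checked before being applied; nothing is applied unless APPLY=1.

```shell
#!/bin/sh
# Added example, not from the original post: rules for a dedicated log host
# that accepts *only* syslog/udp from the one machine it logs for.
# Assumed: Linux with iptables, sysklogd-style syslogd, made-up addresses.
LOGHOST_IP="${LOGHOST_IP:-192.0.2.10}"   # assumed address of the log host
SOURCE_IP="${SOURCE_IP:-192.0.2.1}"      # assumed address of the firewall being logged
SYSLOG_PORT=514                          # syslog/udp as registered in /etc/services

# Rules for the log host: drop everything inbound by default, keep loopback,
# and accept UDP on the syslog port from SOURCE_IP only. Emitted as text so
# they can be reviewed (and tested) before being run.
loghost_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p udp -s ${SOURCE_IP} --dport ${SYSLOG_PORT} -j ACCEPT
EOF
}

# syslog.conf line for the source host: copy every message to the log host.
# Local logging stays as it was; the remote copy is an addition, never a
# replacement, which is what keeps the worst case "no worse than local".
source_syslog_conf() {
    printf '*.*\t@%s\n' "$LOGHOST_IP"
}

# Sanity check on the generated rule set: the only ACCEPT rules must be the
# loopback rule and the single syslog rule from SOURCE_IP. Non-zero otherwise.
check_only_syslog_accepted() {
    accepts=$(loghost_rules | grep -c -- '-j ACCEPT')
    [ "$accepts" -eq 2 ] || return 1
    loghost_rules | grep -q -- "-s ${SOURCE_IP} --dport ${SYSLOG_PORT} -j ACCEPT"
}

# Print everything by default; apply the rules only when APPLY=1 (needs root
# on the log host). syslogd on the log host must also be started with -r
# (sysklogd) or it will not accept messages from the network at all.
loghost_rules
source_syslog_conf
if [ "${APPLY:-0}" = "1" ]; then
    loghost_rules | sh
fi
```

The source-address rule keeps the log host unreachable from anything but the firewall, which is the point of the post; it is not authentication of the messages, since the source address of a UDP datagram can be forged by anyone who can route packets to the log host, so a log entry on the remote machine is evidence of what the firewall sent only to the extent the network between them is trusted.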


