From owner-freebsd-security Tue Feb 20 2:30:44 2001
From: Daniel Hagan
Date: Tue, 20 Feb 2001 05:33:33 -0500
To: cjclark@alum.mit.edu
Cc: "Edward W. M.", fbsdsec@killaz-r-us.com, freebsd-security@FreeBSD.ORG
Subject: Re: Fw: Remote logging
References: <3A91EE6A.82EBBC37@colltech.com> <20010219232503.T62368@rfx-216-196-73-168.users.reflex>

"Crist J. Clark" wrote:

> On Mon, Feb 19, 2001 at 11:11:22PM -0500, Daniel Hagan wrote:
> > You need MACs to prevent forging, which isn't available in the
> > default syslog.
>
> MACs can be easily forged by local machines. MAC information is not
> normally accessible to programs anyway. You could not use "regular"
> UDP socket programming. Crypto or physical security is the only
> practical way to secure locally. And since crypto also works
> remotely...

MAC == Message Authentication Code in the above paragraph. I'm not sure if that's how you read it or not (were you thinking 802.3?).

> It is easy to notice when packets stop coming. The attacker loses if
> the data stops. No need to guarantee delivery.

Right, but if the attacker can stop the reset messages and forge the mark messages, then all's clear as far as the loghost is concerned.
If your systems are set up with the default mark intervals, that gives the attacker 20 minutes to penetrate the system, compromise syslog, and start up bogus mark messages. Maybe not 'easy' but certainly doable.

I like some of the ideas you proposed in your other post (DH keys, etc.).

Daniel
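The loghost-side checks this exchange argues about, as an added example that is not code from the message above or from FreeBSD's syslogd: each mark line carries a sequence number and an HMAC tag, so a mark forged without the key is rejected, a replayed or withheld mark shows up as a sequence gap, and a silence longer than the mark interval is flagged. The line format, the shared key, and the 60-second grace period are assumptions made for this example.

```python
import hashlib
import hmac

MARK_INTERVAL = 20 * 60          # syslogd's default "-- MARK --" interval, in seconds
KEY = b"constructed-demo-secret"  # constructed: shared secret held by the client and the loghost

def make_mark(key: bytes, seq: int, ts: int, host: str = "host1") -> str:
    """Client side: build '<seq> <ts> <host> -- MARK -- <hex tag>' (constructed line format)."""
    body = f"{seq} {ts} {host} -- MARK --"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body} {tag}"

class MarkVerifier:
    """Loghost side: accept only marks with a valid tag and the next sequence number."""

    def __init__(self, key: bytes, interval: int = MARK_INTERVAL, grace: int = 60):
        self.key, self.interval, self.grace = key, interval, grace
        self.last_seq = -1      # sequence number of the last accepted mark
        self.last_ts = None     # timestamp carried by the last accepted mark
        self.alerts = []        # (reason, detail) tuples for the operator to review

    def check(self, line: str) -> bool:
        body, _, tag = line.rpartition(" ")
        expect = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, tag):   # tag computed without the key
            self.alerts.append(("bad-mac", line))
            return False
        try:
            seq, ts = int(body.split()[0]), int(body.split()[1])
        except (ValueError, IndexError):
            self.alerts.append(("malformed", line))
            return False
        if seq != self.last_seq + 1:                # replayed mark, or earlier marks withheld
            self.alerts.append(("seq-gap", (self.last_seq, seq)))
            return False
        self.last_seq, self.last_ts = seq, ts
        return True

    def stale(self, now: int) -> bool:
        """True once more than one interval (plus grace) has passed without an accepted mark."""
        return self.last_ts is not None and now - self.last_ts > self.interval + self.grace
```

As the quoted reply points out, a key stored on a compromised client is available to whoever compromised it, so these checks only hold against an attacker who does not have the key.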