From owner-freebsd-security Sun Feb 18 14:28:50 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nameserver.austclear.com.au (nameserver.austclear.com.au [192.83.119.132]) by hub.freebsd.org (Postfix) with ESMTP id 8381D37B401 for ; Sun, 18 Feb 2001 14:28:44 -0800 (PST)
Received: from tungsten.austclear.com.au (tungsten.austclear.com.au [192.168.70.1]) by nameserver.austclear.com.au (8.9.3/8.9.3) with ESMTP id JAA81840; Mon, 19 Feb 2001 09:28:43 +1100 (EST)
Received: from tungsten (tungsten [192.168.70.1]) by tungsten.austclear.com.au (8.9.3/8.9.3) with ESMTP id JAA22169; Mon, 19 Feb 2001 09:28:42 +1100 (EST)
Message-Id: <200102182228.JAA22169@tungsten.austclear.com.au>
X-Mailer: exmh version 2.1.1 10/15/1999
To: Brian Reichert
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Remote logging
In-Reply-To: Message from Brian Reichert of "Sun, 18 Feb 2001 17:07:53 CDT." <20010218170753.A85795@numachi.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 19 Feb 2001 09:28:42 +1100
From: Tony Landells
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> To develop this further: people trying to handle these issues have
> _multiple_ networks. Each important (public) host has two NICs
> and is on both.
>
> The loghost is on that private 'administrative' network, and is
> locked down to death. Along with any terminal servers, backup
> servers, etc. These are machines that are the support structure
> of your LAN. If you allow logins at all, you would have in place
> strict access controls.
>
> Mind you, if one of the dual-homed hosts gets compromised, then
> the attacker could take steps to congest that administrative network,
> or congest the loghost. That's where an adaptive switch comes in,
> however you implement that.
One way I was thinking of doing this at one stage was to set up a
"stealth" filtering box which was configured as a bridge (it didn't
even have IP addresses), and basically let almost all traffic straight
through, except syslog stuff which it punted to a special machine off
to the side which did the logging (which could even be duplicating an
internal IP address, given that the filtering box wasn't doing layer 3
routing). At the time I had been looking at ipfilter, but I think ipfw
has all the bits that are needed.

> > So, despite the secure log host, he might not get the valuable
> > info he needs. I suppose you could then start speculating a break in if
> > there are no more MARKs since syslogd is dead.
>
> I'm not certain which syslogd you're referring to, here.

I assume he's referring to the "mark" facility, which causes syslogd
to generate messages every twenty minutes.

Cheers,
Tony
--
Tony Landells                                   Senior Network Engineer
Australian Clearing Services Pty Ltd            Ph:  +61 3 9677 9319
Level 4, Rialto North Tower                     Fax: +61 3 9677 9355
525 Collins Street
Melbourne VIC 3000
Australia
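The silence check the thread is circling around (no more MARKs from a host means syslogd is dead, the admin network is congested, or the host is down) written out as an added example. This is my own code, not anything from the thread or from FreeBSD's syslogd. It assumes the loghost collects lines in the classic BSD syslog format ("Mon DD HH:MM:SS host message"), that every monitored host sends its mark messages (or at least something) to the loghost every twenty minutes, that the year-less timestamps belong to 2001, and it runs over a constructed sample log embedded below.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of the aggregated file on a central loghost; not taken
# from the original thread.  BSD syslog lines carry no year, so one is
# passed in explicitly below.  Each host is assumed to run syslogd with
# marking on (20 minute interval), so a healthy host shows "-- MARK --"
# at least that often even when it has nothing else to say.
SAMPLE_LOG = """\
Feb 18 14:00:03 www1 -- MARK --
Feb 18 14:00:04 www2 -- MARK --
Feb 18 14:10:11 www1 sshd[1234]: Accepted publickey for admin from 192.168.70.9
Feb 18 14:20:03 www1 -- MARK --
Feb 18 14:20:05 www2 -- MARK --
Feb 18 14:40:02 www1 -- MARK --
Feb 18 15:00:03 www1 -- MARK --
Feb 18 15:20:04 www1 -- MARK --
"""

MARK_INTERVAL = timedelta(minutes=20)   # syslogd's default mark interval

# "Mon DD HH:MM:SS host message": the classic BSD syslog line format.
LINE_RE = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_line(line, year):
    """Return (timestamp, host, message), or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    mon, day, hms, host, msg = m.groups()
    ts = datetime.strptime(f"{mon} {day} {year} {hms}", "%b %d %Y %H:%M:%S")
    return ts, host, msg


def last_seen(lines, year):
    """Map each host to the timestamp of the last line it sent, MARK or not.

    Any line proves syslogd on that host is alive and the path to the
    loghost works; MARK only guarantees there is such a line on an idle host.
    """
    seen = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, host, _ = parsed
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def silent_hosts(lines, now, year, missed_marks=2):
    """Hosts silent for more than `missed_marks` mark intervals.

    Returns [(host, last_timestamp), ...] sorted by host.  Silence has
    several causes (syslogd killed, admin network congested, host down),
    so this is a trigger for a closer look, not proof of a break-in.
    """
    limit = MARK_INTERVAL * missed_marks
    return sorted((host, ts) for host, ts in last_seen(lines, year).items()
                  if now - ts > limit)


if __name__ == "__main__":
    now = datetime(2001, 2, 18, 15, 25, 0)
    for host, ts in silent_hosts(SAMPLE_LOG.splitlines(), now, 2001):
        print(f"{host}: last message {ts:%b %d %H:%M:%S}, silent for {now - ts}")
```

Run against the sample at 15:25, www2 is reported (last heard from at 14:20:05, three marks overdue) while www1 is not. The threshold of two missed marks is a starting point; one missed mark is too twitchy on a congested network, and the year argument matters only around New Year, when lines from late December and early January would otherwise compare wrongly.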