Date: Mon, 19 Feb 2001 23:25:03 -0800
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: Daniel Hagan <dhagan@colltech.com>
Cc: "Edward W. M." <edward_wm@hotmail.com>, fbsdsec@killaz-r-us.com, freebsd-security@FreeBSD.ORG
Subject: Re: Fw: Remote logging
Message-ID: <20010219232503.T62368@rfx-216-196-73-168.users.reflex>
In-Reply-To: <3A91EE6A.82EBBC37@colltech.com>; from dhagan@colltech.com on Mon, Feb 19, 2001 at 11:11:22PM -0500
References: <LC4-LFD3tgx8VUkRacU0000021d@hotmail.com> <3A91EE6A.82EBBC37@colltech.com>
On Mon, Feb 19, 2001 at 11:11:22PM -0500, Daniel Hagan wrote:
> "Edward W. M." wrote:
[snip]
> There are also issues involving forging packets from a third host.
> Syslog uses UDP after all, so the source information can be forged from
> machines on at least the same subnet in many/most situations. You need
> MACs to prevent forging, which isn't available in the default syslog.

MACs can be easily forged by local machines. MAC information is not
normally accessible to programs anyway. You could not use "regular" UDP
socket programming. Crypto or physical security is the only practical way
to secure locally. And since crypto also works remotely...

> Since UDP is unreliable, you also are spending a lot of effort on
> getting packets onto the wire even though you can't guarantee they will
> be delivered to the loghost.

It is easy to notice when packets stop coming. The attacker loses if the
data stops. No need to guarantee delivery.

-- 
Crist J. Clark                                cjclark@alum.mit.edu
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010219232503.T62368>
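The exchange above turns on two points a loghost operator cares about: a UDP syslog receiver cannot trust the source address of a datagram, so forgery has to be stopped by something only the real sender holds (a keyed message authentication code, the sense in which the quoted text uses "MAC"), and while UDP cannot guarantee delivery, the receiver can at least notice lost records and a sender that has gone quiet. The following is an added example, not code from this thread or from FreeBSD's syslogd, sketching both ideas: the sender appends a truncated HMAC-SHA256 tag over a sequence number and the message; the loghost rejects anything whose tag fails (forged or tampered) or that reuses a sequence number (replay), records gaps where datagrams never arrived, and raises an alarm when nothing authentic has been seen for a while. The record framing, the shared key, and the sample sshd log lines are all constructed for the example; a real deployment would provision the key out of band and use os.urandom to generate it.

```python
"""Authenticated UDP syslog records with gap and silence detection.

Added example; not from the mailing-list thread or from syslogd.
Hypothetical record framing chosen for this example:
  record = seq (8-byte big-endian) || message || HMAC-SHA256(key, seq||message)[:16]
"""
import hashlib
import hmac
import struct

SEQ_LEN = 8           # bytes of sequence number
TAG_LEN = 16          # bytes of truncated HMAC-SHA256 tag


def build_record(key: bytes, seq: int, msg: bytes) -> bytes:
    """Sender side: bind a monotonically increasing sequence number to the
    message and authenticate both with a keyed hash."""
    body = struct.pack(">Q", seq) + msg
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def verify_record(key: bytes, record: bytes):
    """Receiver side: return (seq, msg) if the tag verifies, else None.
    The datagram's source address is never consulted; only the key counts."""
    if len(record) < SEQ_LEN + TAG_LEN:
        return None
    body, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):      # constant-time compare
        return None
    (seq,) = struct.unpack(">Q", body[:SEQ_LEN])
    return seq, body[SEQ_LEN:]


class LogHost:
    """Loghost state for one sender: keeps authentic, fresh records,
    counts forgeries and replays, and notes gaps in the sequence."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0
        self.last_seen = None      # time of the last accepted record
        self.accepted = []
        self.rejected = 0
        self.gaps = []             # (first_missing_seq, next_seen_seq)

    def receive(self, record: bytes, now: float) -> bool:
        parsed = verify_record(self.key, record)
        if parsed is None:
            self.rejected += 1     # wrong key or tampered body
            return False
        seq, msg = parsed
        if seq <= self.last_seq:
            self.rejected += 1     # replay of a record already accepted
            return False
        if seq != self.last_seq + 1:
            self.gaps.append((self.last_seq + 1, seq))   # datagrams lost
        self.last_seq = seq
        self.last_seen = now
        self.accepted.append(msg)
        return True

    def silent_for(self, now: float, timeout: float) -> bool:
        """True when no authentic record has arrived for `timeout` seconds.
        UDP promises nothing about delivery, so this is the alarm that fires
        when the stream stops, whatever the reason."""
        return self.last_seen is not None and now - self.last_seen > timeout


def demo():
    key = b"constructed-shared-key-for-example"   # constructed; use os.urandom(32)
    host = LogHost(key)
    msgs = [b"<38>sshd[123]: Accepted publickey for root",      # constructed lines
            b"<38>sshd[124]: Failed password for admin",
            b"<38>sshd[125]: Failed password for admin",
            b"<38>sshd[126]: Failed password for admin",
            b"<38>sshd[127]: Accepted password for admin"]
    sent = [build_record(key, i + 1, m) for i, m in enumerate(msgs)]

    t = 0.0
    host.receive(sent[0], t)
    host.receive(sent[1], t + 1)
    # A host on the same subnet can spoof the sender's IP, but without the
    # key its record fails the tag no matter what the IP header says.
    forged = build_record(b"wrong-key", 3, b"<38>sshd[999]: nothing to see here")
    host.receive(forged, t + 2)
    host.receive(sent[1], t + 3)            # replayed copy of record 2
    host.receive(sent[2], t + 4)
    tampered = bytearray(sent[3])           # genuine tag, one body byte flipped
    tampered[SEQ_LEN] ^= 0x01
    host.receive(bytes(tampered), t + 4.5)
    # The genuine record 4 never arrives; record 5 exposes the gap.
    host.receive(sent[4], t + 5)
    quiet = host.silent_for(t + 120, timeout=60)
    return host, quiet
```

Running `demo()` leaves the loghost with four accepted records, three rejections (the forged record, the replay, and the tampered record), one recorded gap for sequence number 4, and the silence alarm raised once two minutes pass with nothing new.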