Date: Tue, 20 Feb 2001 05:33:33 -0500
From: Daniel Hagan <dhagan@colltech.com>
To: cjclark@alum.mit.edu
Cc: "Edward W. M." <edward_wm@hotmail.com>, fbsdsec@killaz-r-us.com, freebsd-security@FreeBSD.ORG
Subject: Re: Fw: Remote logging
Message-ID: <3A9247FD.F6C68145@colltech.com>
References: <LC4-LFD3tgx8VUkRacU0000021d@hotmail.com> <3A91EE6A.82EBBC37@colltech.com> <20010219232503.T62368@rfx-216-196-73-168.users.reflex>
"Crist J. Clark" wrote:

> On Mon, Feb 19, 2001 at 11:11:22PM -0500, Daniel Hagan wrote:
> > You need MACs to prevent forging, which isn't available in the default syslog.
>
> MACs can be easily forged by local machines. MAC information is not
> normally accessible to programs anyway. You could not use "regular"
> UDP socket programming. Crypto or physical security is the only
> practical way to secure locally. And since crypto also works
> remotely...

MAC == Message Authentication Code in the above paragraph. I'm not sure if that's how you read it or not (were you thinking 802.3?).

> It is easy to notice when packets stop coming. The attacker loses if
> the data stops. No need to guarantee delivery.

Right, but if the attacker can stop the reset messages and forge the mark messages, then all's clear as far as the loghost is concerned. If your systems are set up w/ the default mark intervals, that gives the attacker 20 minutes to penetrate the system, compromise syslog, and start up bogus mark messages. Maybe not 'easy' but certainly doable.

I like some of the ideas you proposed in your other post (dh keys, etc.).

Daniel
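The two defensive points raised in this exchange, a Message Authentication Code so the loghost can reject forged lines, and a check that authenticated mark messages keep arriving within the default 20-minute interval, combined into one loghost-side audit. This is an added example, not code from the thread or from FreeBSD syslogd; it assumes a pre-shared key and a `host|timestamp|message|tag` line framing of my own devising rather than any real syslog wire format.

```python
import hmac
import hashlib

# Default syslogd "-- MARK --" interval (20 minutes), as discussed in the thread.
MARK_INTERVAL = 20 * 60


def sign_message(key: bytes, host: str, ts: int, msg: str) -> str:
    """Client side: append an HMAC-SHA256 tag over host, timestamp and text."""
    body = f"{host}|{ts}|{msg}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def verify_message(key: bytes, line: str):
    """Loghost side: return (host, ts, msg) when the tag is valid, else None."""
    try:
        host, ts, rest = line.split("|", 2)
        msg, tag = rest.rsplit("|", 1)   # message text may itself contain '|'
        ts = int(ts)
    except ValueError:
        return None
    expected = hmac.new(key, f"{host}|{ts}|{msg}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None                      # forged or corrupted line
    return host, ts, msg


def audit(key: bytes, lines, now: int) -> dict:
    """Per host: count of lines failing the MAC, newest authenticated mark,
    and whether that mark is older than MARK_INTERVAL (stale = possibly silenced)."""
    report = {}
    for line in lines:
        parsed = verify_message(key, line)
        if parsed is None:
            claimed = line.split("|", 1)[0]   # attribute to the claimed sender
            report.setdefault(claimed, {"forged": 0, "last_mark": None})["forged"] += 1
            continue
        host, ts, msg = parsed
        entry = report.setdefault(host, {"forged": 0, "last_mark": None})
        if msg == "-- MARK --":
            entry["last_mark"] = max(entry["last_mark"] or 0, ts)
    for entry in report.values():
        last = entry["last_mark"]
        entry["stale"] = last is None or now - last > MARK_INTERVAL
    return report
```

A forged mark with a bad tag does not refresh `last_mark`, so a host whose genuine marks have stopped still shows up as stale even while bogus ones keep arriving.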