Firewall Wizards mailing list archives

Re: "Dropsafe" logs


From: "Roelof JT Jonkman" <rjonkman () ittc ukans edu>
Date: Thu, 08 Apr 1999 10:59:19 -0500

Scott,

Syslogs are UDP, as such they don't require a response from the host that
receives. (As opposed to TCP, which does require a two-way street to function.)
Given that, what you could do is simply have an ethernet cable with the 
transmit pair of your dropbox clipped. Depends a little on the ethernet card,
but some of them need to be fumbled with in order to get them to understand that
it's OK to work without a carrier at the peer. (Or the hub/switch.)

That would be my solution to a dropbox. Fancy version would be one that
has two interfaces, so you could tie it to your internal network, and process
logs from there on, completely safe. The only drawback is that a Denial of 
Service is still possible: a malicious individual could still flood your 
syslog port on the dropbox and clobber the real logs that way. 

Once you have eliminated the chance of a cracker modifying the logs, you sort of 
have the freedom to do whatever is convenient as far as storage goes.

roel,   Good.... Bad... I'm the guy with root.
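As an added example (not code from the post or from anyone on the list), below is a minimal receive-only UDP syslog collector of the kind that would sit on such a dropbox: it parses BSD syslog datagrams, appends them with receive time and claimed source address, and never writes to the socket, so it keeps working on a link with the transmit pair cut. The per-source token bucket is my own addition, meant to soften the flooding problem the post points out; it does not remove it, because UDP source addresses are trivially forged and a flooder can rotate sources or impersonate a real host. The sample datagrams, host addresses, rates and log path are constructed.

```python
"""Receive-only UDP syslog collector for a log dropbox (added example, not from the post).

UDP syslog is fire-and-forget, so the collector never has to transmit and can sit
behind a cable with the TX pair clipped. Nothing below ever calls send() on the socket.
"""
import re
import socket
import time
from collections import defaultdict

# RFC 3164 BSD syslog: "<PRI>MMM dd hh:mm:ss host tag: msg", PRI = facility*8 + severity
_PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(datagram: bytes) -> dict:
    """Split a BSD syslog datagram into facility, severity and text. Malformed input is
    kept and flagged 'unparsed' rather than rejected: it may be the evidence you want."""
    m = _PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        return {"facility": None, "severity": None, "parsed": False,
                "msg": datagram.decode("utf-8", "replace").rstrip("\r\n")}
    pri = int(m.group(1))
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8], "parsed": True,
            "msg": m.group(2).decode("utf-8", "replace").rstrip("\r\n")}


class SourceLimiter:
    """Token bucket per claimed source address (my addition). Only blunts a flood: UDP
    sources are trivially spoofed. Drops are counted so the flood itself leaves a trace."""

    def __init__(self, rate_per_sec: float, burst: int):
        self.rate, self.burst = rate_per_sec, burst
        self._tokens = defaultdict(lambda: float(burst))
        self._last = {}
        self.dropped = defaultdict(int)

    def allow(self, src: str, now: float) -> bool:
        elapsed = now - self._last.get(src, now)
        self._tokens[src] = min(self.burst, self._tokens[src] + elapsed * self.rate)
        self._last[src] = now
        if self._tokens[src] >= 1.0:
            self._tokens[src] -= 1.0
            return True
        self.dropped[src] += 1
        return False


def format_record(src: str, recv_time: float, rec: dict) -> str:
    """One append-only log line: receive time, claimed source, facility.severity, text."""
    ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(recv_time))
    tag = f"{rec['facility']}.{rec['severity']}" if rec["parsed"] else "unparsed"
    return f"{ts} {src} {tag} {rec['msg']}\n"


def process(datagrams, limiter, sink):
    """Run (src, recv_time, datagram) triples through the limiter into sink.write(); returns (accepted, dropped)."""
    accepted = dropped = 0
    for src, now, dgram in datagrams:
        if not limiter.allow(src, now):
            dropped += 1
            continue
        sink.write(format_record(src, now, parse_syslog(dgram)))
        accepted += 1
    return accepted, dropped


class ListSink:
    """In-memory sink for offline runs; in production the sink is an append-mode file."""
    def __init__(self): self.lines = []
    def write(self, s): self.lines.append(s)


def serve(path="/var/log/dropbox.log", port=514, rate=50.0, burst=200):
    """Bind UDP/514 (needs root) and append forever. Receive-only: no sendto() anywhere."""
    limiter = SourceLimiter(rate, burst)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    with open(path, "a", buffering=1) as sink:
        while True:
            dgram, (src, _) = sock.recvfrom(65535)
            process([(src, time.time(), dgram)], limiter, sink)


# Constructed sample traffic: an auth message, a garbage datagram, 300 identical lines from
# a flooder in one instant, then one more from that source ten seconds later (bucket refilled).
SAMPLE = (
    [("10.0.0.5", 1000.0, b"<34>Apr  8 10:59:19 fw1 sshd[812]: Failed password for root from 192.0.2.7"),
     ("10.0.0.9", 1000.0, b"not syslog at all")]
    + [("10.0.0.200", 1000.0, b"<13>Apr  8 10:59:20 evil logger: flood")] * 300
    + [("10.0.0.200", 1010.0, b"<13>Apr  8 10:59:30 evil logger: still here")]
)

if __name__ == "__main__":
    sink, lim = ListSink(), SourceLimiter(rate_per_sec=50.0, burst=200)
    ok, dropped = process(SAMPLE, lim, sink)
    print("".join(sink.lines[:2]), end="")
    print(f"accepted={ok} dropped={dropped} per-source drops={dict(lim.dropped)}")
```

Run as a script it replays the constructed sample offline; on a real dropbox you would call `serve()` instead. Note that the limiter keys on the address the datagram claims, so a flooder who spoofs a legitimate host's address will get that host's legitimate messages dropped too, which is exactly the denial of service the post describes.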


