Firewall Wizards mailing list archives
Re: "Dropsafe" logs
From: Robert Graham <robert_david_graham () yahoo com>
Date: Fri, 9 Apr 1999 14:17:57 -0700 (PDT)
--- Roelof JT Jonkman <rjonkman () ittc ukans edu> wrote:
> Syslogs are UDP, as such they don't require a response from the host that receives. (As opposed to TCP, which does require a two-way street to function.) Given that, what you could do is simply have an ethernet cable with the transmit pair of your dropbox clipped. Depends a little on the ethernet card, but some of 'em need to be fumbled with in order to get 'em to understand that it's ok to work without a carrier at the peer. (Or the hub/switch.) That would be my solution to a dropbox. Fancy version would be one that has two interfaces, so you could tie it to your internal network, and process logs from there on, completely safe. The only drawback is that a Denial of Service is still possible; a malicious individual still could flood your syslog port on the dropbox and clobber the real logs that way. When you've eliminated the chance of a cracker modifying the logs, you sort of have the freedom to do whatever is convenient as far as storage goes.
I also think that an independent drop-box is the best solution. I would eliminate the hub described in the above scenario and use a direct cross-over cable between the two machines (a hub just invites other people to attach equipment to it). This implies that you add an Ethernet card to your original system to act as your serial port to your drop box. If you snip the wire to force one-way traffic (a good idea), remember that you'll have to hard-code your ARP table.

I would NOT put the drop-box on the corporate network. That serial connection should be the only connection. Hackers breaking through the firewall can then turn around and hack this system. Write the logs to CD-ROM, then transfer them.

CD-ROMs can be written in "multi-session" mode, at a cost of about 20 Mbytes per session. However, with your drop box, just write every 650 Mbytes. For long term storage, current hard drives cost about 3x CD-ROMs, but you could just as easily log things to disk, then swap in a new disk every time it fills up. The prices are (as monitored by what I bought at Frys this week):

1. 10.1 gig hard disk, $164
2. 50-pack spindle of CD-R disks, $59

Rob.
Current thread:
- "Dropsafe" logs Scott Crawford (Apr 08)
- Re: "Dropsafe" logs Roelof JT Jonkman (Apr 08)
- Re: "Dropsafe" logs Jim Laverty (Apr 10)
- Re: "Dropsafe" logs Joseph S D Yao (Apr 10)
- <Possible follow-ups>
- Re: "Dropsafe" logs Steven M. Bellovin (Apr 08)
- RE: "Dropsafe" logs Frank W. Keeney (Apr 10)
- Re: "Dropsafe" logs Bret McDanel (Apr 10)
- Re: "Dropsafe" logs Bret McDanel (Apr 10)
- RE: "Dropsafe" logs Russ (Apr 10)
- Re: "Dropsafe" logs Robert Graham (Apr 10)
- Re: "Dropsafe" logs Steven M. Bellovin (Apr 10)
- Re: "Dropsafe" logs Info Security Office - ITS - Yale Univ. (Apr 10)