Firewall Wizards mailing list archives

Re: "Dropsafe" logs


From: Robert Graham <robert_david_graham () yahoo com>
Date: Fri, 9 Apr 1999 14:17:57 -0700 (PDT)

--- Roelof JT Jonkman <rjonkman () ittc ukans edu> wrote:
> Syslogs are UDP, as such they don't require a response from the host that
> receives. (As opposed to TCP which does require a two-way street to function.)
> Given that, what you could do is simply have an ethernet cable with the
> transmit pair of your dropbox clipped. Depends a little on the ethernet card,
> but some of 'em need to be fumbled with in order to get 'em to understand that
> it's ok to work without a carrier at the peer. (Or the hub/switch.)
>
> That would be my solution to a dropbox. Fancy version would be one that
> has two interfaces, so you could tie it to your internal network, and process
> logs from there on, completely safe. The only drawback is that a Denial of
> Service is still possible, a malicious individual still could flood your
> syslog port on the dropbox and clobber the real logs that way.
>
> When you have eliminated the chance of a cracker modifying the logs, you sort of
> have the freedom to do whatever is convenient as far as storage goes.

I also think that an independent drop-box is the best solution.

I would eliminate the hub described in the above scenario and use a direct cross-over cable
between the two machines. (A hub just invites other people to attach equipment to it.) This
implies that you add an Ethernet card to your original system to act as your "serial port" to your
drop box.

If you snip the wire to force one-way traffic (a good idea), remember that you'll have to
hard-code your ARP table.

I would NOT put the drop-box on the corporate network. That serial connection should be the only
connection. Hackers breaking through the firewall can then turn around and hack this system. Write
the logs to CD-ROM, then transfer them.

CD-ROMs can be written in "multi-session" mode, at a cost of about 20 Mbytes per session. However,
with your drop box, just write every 650 Mbytes. For long-term storage, current hard drives cost
about 3x CD-ROMs, but you could just as easily log things to disk, then swap in a new disk every
time it fills up.

The prices are (as monitored by what I bought at Frys this week):
1. 10.1 gig hard disk, $164
2. 50-pack spindle of CD-R disks, $59

Rob.
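The drop box sketched in this thread only ever receives: the transmit pair is clipped, the sender carries a static ARP entry for it, and nothing on the box needs to answer. What the thread leaves open is the flooding problem Roelof raises, where one noisy source clobbers the real entries. The collector below is an added example written for this page, not code from either poster. It assumes a single UDP listener (port 5140 by default, since 514 needs root), an in-memory list standing in for the append-only spool file, and a per-source token bucket whose parameters (`rate`, `burst`) are arbitrary constructed values; messages refused by the limiter are counted per source rather than written, and malformed datagrams are kept but flagged, since junk on a one-way link is itself evidence.

```python
import re
import socket
import time
from collections import defaultdict

# One BSD-syslog datagram looks like "<PRI>Apr  9 14:17:57 fw1 su: ...", where
# PRI = facility * 8 + severity (RFC 3164). Anything else is treated as raw junk.
_PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)\Z", re.S)
SEVERITY = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")


def parse_pri(datagram):
    """Return (facility_number, severity_name, body) or None if <PRI> is malformed."""
    m = _PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 24 facilities * 8 severities - 1 is the largest legal PRI
        return None
    return pri >> 3, SEVERITY[pri & 7], m.group(2).decode("ascii", "replace")


class DropBox:
    """Receive-only syslog collector with a per-source rate limit.

    Nothing here writes to the socket, so the box works with its transmit pair
    clipped. Each source gets `burst` tokens refilled at `rate` per second; a
    datagram costs one token. Excess datagrams are counted, not spooled, so a
    flood from one host cannot push real entries off the spool.
    """

    def __init__(self, rate=50.0, burst=200, sink=None):
        self.rate, self.burst = rate, burst
        self.buckets = {}                  # src -> (tokens, last_refill_time)
        self.spool = []                    # stands in for the append-only spool file
        self.sink = sink if sink is not None else self.spool.append
        self.dropped = defaultdict(int)    # src -> datagrams refused by the limiter
        self.malformed = defaultdict(int)  # src -> datagrams without a valid <PRI>

    def _take_token(self, src, now):
        tokens, last = self.buckets.get(src, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self.buckets[src] = (tokens, now)
            return False
        self.buckets[src] = (tokens - 1.0, now)
        return True

    def accept(self, src, datagram, now):
        """Record one datagram received at monotonic time `now`; True if spooled."""
        if not self._take_token(src, now):
            self.dropped[src] += 1
            return False
        parsed = parse_pri(datagram)
        if parsed is None:
            # Keep it as evidence, but flag it so it is not mistaken for a real entry.
            self.malformed[src] += 1
            self.sink((now, src, "raw", datagram.decode("ascii", "replace")))
            return True
        facility, severity, body = parsed
        self.sink((now, src, f"{facility}.{severity}", body))
        return True


def serve(port=5140, spool_path="dropbox.log"):
    """Run on the drop box: bind UDP, never send, append each accepted record."""
    with open(spool_path, "ab") as spool:
        def write(record):
            now, src, selector, body = record
            spool.write(f"{time.time():.3f} {src} {selector} {body}\n".encode())
            spool.flush()

        box = DropBox(sink=write)
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.bind(("0.0.0.0", port))
        while True:
            data, (src, _) = sock.recvfrom(65535)
            box.accept(src, data, time.monotonic())


if __name__ == "__main__":
    serve()
```

The sending host's side is unchanged from what Rob describes: a static ARP entry for the drop box, because the box can never answer an ARP request over a clipped transmit pair. The limiter is deliberately per source rather than global, so a flood from one address does not starve the firewall's own entries; tune `rate` and `burst` to the real message volume, and watch the `dropped` counters, since a rising count is itself a signal worth logging.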






