> -----Original Message-----
> From: Mikael Olsson [mailto:[EMAIL PROTECTED]]
[...]
> > Kevin Steves wrote:
> > >
> > > I'm tending to think TCP syslog over SSL/TLS would be a good thing
> > > to have.

Good, but expensive thing. Syslog over TCP over SSL would be much tougher on the CPU for smaller devices - I'm not an implementor, but I'm sure someone can also do the math on the longer TCP header, plus the SSL packet and CPU overhead. You'd have a nasty situation where people could DoS devices just by making them send many syslog messages. Fine for firewalls, which have big brains, but maybe not so good for things like routers (which are often also part of the "firewall" external security apparatus).

Overall, I think that running a protocol that is better designed to deal with things like reliable delivery, message integrity, replay detection etc. would be preferred.

> Yeah, I've sort of been thinking along the same lines myself. (Along
> with using a remote-only syslog receiver that doesn't need to bind
> the local domain sockets or whatever the OS flavour uses for
> local event delivery.) Are you aware of a syslog receiver
> that actually supports encrypted and authenticated logs?

If you're aiming at secure syslog here then there's lots of work done already - the IETF even have a WG at:

http://www.ietf.org/html.charters/syslog-charter.html

Their current syslog-sign proposes a digital sig using PKI. Personally I would have looked at using a simple HMAC with shared secrets (or at least offering it as an option) to make things shorter and easier on CPUs (but then I'm not an IETF s00perbrane - I'm sure they didn't for a reason.)

The reliable-delivery paper offers reliable delivery over UDP or TCP, with different degrees of frills on each.

For firewalls, though, an SSH tunnel might be an even easier way to do it - SSH is designed to tunnel random sockets, so it wouldn't even require that you hack the apps.

If you want to get really simple, just run IPSec (or v6) between your firewall and log receiver, run AH only, and buy IPSec NICs - don't you get instant integrity and replay detection, then?

I'd like to see every device on the Internal segments talking with AH IPSec anyway, for a variety of reasons. I guess it won't traverse NAT so well, so the SSH thing might be a better quick fix for sending stuff over the Internet.

> --
> Mikael Olsson, Clavister AB

It looks like Steve Bellovin is a key part of the IETF effort, so I've cc'ed him, in case he has some words of wisdom for us (he used to lurk here anyway).

And those are my random thoughts.

Cheers,

--
Ben Nagy
Network Security Specialist
Mb: TBA
PGP Key ID: 0x1A86E304

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
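To illustrate the "simple HMAC with shared secrets" idea raised in the message, together with the replay-detection requirement it mentions, here is an added example (not code from the thread or from any syslog implementation) in which the sender prefixes each syslog line with a counter and an HMAC over counter plus message, and the receiver checks the MAC and rejects stale counters. The shared secret, the wire format and the sample log lines are constructed for the example.

```python
import hmac
import hashlib
import struct

# Constructed shared secret for the example; a real deployment provisions
# a per-device secret out of band and never hard-codes it.
SECRET = b"constructed-shared-secret-for-example"


def sign_message(counter: int, msg: bytes, key: bytes = SECRET) -> bytes:
    """Sender side: wire form is '<counter>:<hex hmac>:<syslog line>'.
    The MAC covers the counter and the line, so neither can be altered
    or re-paired without the shared key."""
    mac = hmac.new(key, struct.pack(">Q", counter) + msg, hashlib.sha256).hexdigest()
    return b"%d:%s:%s" % (counter, mac.encode(), msg)


class Receiver:
    """Receiver side: verifies the HMAC, then enforces a strictly increasing
    counter. Gaps are tolerated (UDP loss), but an old or repeated counter
    is rejected as a replay."""

    def __init__(self, key: bytes = SECRET):
        self.key = key
        self.last_counter = -1  # highest counter accepted so far

    def verify(self, wire: bytes):
        """Return (message, "ok") if authentic and fresh, else (None, reason)."""
        try:
            ctr_s, mac_hex, msg = wire.split(b":", 2)  # the line may itself contain ':'
            ctr = int(ctr_s)
        except ValueError:
            return None, "malformed"
        if ctr < 0:
            return None, "malformed"
        expected = hmac.new(self.key, struct.pack(">Q", ctr) + msg,
                            hashlib.sha256).hexdigest().encode()
        # Constant-time comparison; check integrity before freshness so a
        # forged line cannot advance the counter.
        if not hmac.compare_digest(mac_hex, expected):
            return None, "bad mac"
        if ctr <= self.last_counter:
            return None, "replay"
        self.last_counter = ctr
        return msg, "ok"
```

A receiver that reboots must persist `last_counter`, otherwise every earlier line becomes replayable until the sender overtakes the old value.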