--On Friday, 07 June, 2002 10:26 +0200 Ben Nagy <[EMAIL PROTECTED]> wrote:

>> -----Original Message-----
>> From: Mikael Olsson [mailto:[EMAIL PROTECTED]]
> [...]
>>
>> Kevin Steves wrote:
>> >
>> > I'm tending to think TCP syslog over SSL/TLS would be a good thing
>> > to have.
>
>> Yeah, I've sort of been thinking along the same lines myself. (Along
>> with using a remote-only syslog receiver that doesn't need to bind
>> the local domain sockets or whatever the OS flavour uses for
>> local event delivery.) Are you aware of a syslog receiver
>> that actually supports encrypted and authenticated logs?
>
> If you're aiming at secure syslog here then there's lots of work done
> already - the IETF even have a WG at:
> http://www.ietf.org/html.charters/syslog-charter.html
>
> Their current syslog-sign proposes a digital sig using PKI. Personally I
> would have looked at using a simple HMAC with shared secrets (or at
> least offering it as an option) to make things shorter and easier on
> CPUs (but then I'm not an IETF s00perbrane - I'm sure they didn't for a
> reason.) The reliable-delivery paper offers reliable delivery over UDP or
> TCP, with different degrees of frills on each.

There has been discussion of wanting to use syslog data for "evidentiary"
purposes, and that this would seem to require signing, rather than use of
some form of (keyed) MAC. There is also the fun of key distribution for a
keyed MAC. But there was, and I believe still is, interest in use of a MAC
as an alternative (but this is not (yet?) a working group item).

There seems to be an open source implementation of the reliable
syslog delivery profile as part of a BEEP implementation.

> For firewalls, though, an SSH tunnel might be an even easier way to do
> it - SSH is designed to tunnel random sockets, so wouldn't even require
> that you hack the apps.
>
> If you want to get really simple, just run IPSec (or v6) between your
> firewall and log receiver, run AH only, and buy IPSec NICs - don't you
> get instant integrity and replay detection, then? I'd like to see every
> device on the Internal segments talking with AH IPSec anyway, for a
> variety of reasons. I guess it won't traverse NAT so well, so the SSH
> thing might be a better quick fix for sending stuff over the Internet.

As a side comment:

There has been discussion of deprecating AH (use ESP with authentication
and one can use a null crypto-transform) on the IPsec working group
mailing list... and NAT traversal may be possible.

-paul

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
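As an added example (not code from this thread, nor from the IETF syslog-sign or BEEP work it mentions), the following Python sketches the shared-secret HMAC alternative Ben raises: the sender prepends a sequence number and appends an HMAC-SHA256 tag to each syslog line, and the receiver verifies the tag, flags replayed lines, and records gaps where lines went missing. It also shows the evidentiary caveat paul raises: anyone holding the shared key, including the receiver itself, can mint a line that verifies, so a MAC'd log proves integrity in transit but not who wrote it. The shared key, hostnames, addresses and log lines are all constructed for the example.

```python
import hmac
import hashlib

# Constructed shared secret for the example. Distributing this to both ends
# is the "key distribution" problem the thread mentions; it is not solved here.
SHARED_KEY = b"example-shared-secret-do-not-use"


def tag_line(key, seq, msg):
    """Sender side: wire form is '<seq> <syslog line> <hex mac>', where the
    HMAC-SHA256 tag covers the sequence number and the line together, so an
    attacker cannot move a valid tag onto a different line or position."""
    mac = hmac.new(key, f"{seq} {msg}".encode(), hashlib.sha256).hexdigest()
    return f"{seq} {msg} {mac}"


class Receiver:
    """Verifies each tag and tracks the expected sequence number so that
    replayed or reordered lines are rejected and dropped lines are noticed."""

    def __init__(self, key):
        self.key = key
        self.next_seq = 0
        self.accepted = []   # (seq, msg) pairs that passed every check
        self.gaps = []       # (expected, got) whenever lines went missing

    def check(self, line):
        try:
            seq_s, rest = line.split(" ", 1)
            msg, mac = rest.rsplit(" ", 1)
            seq = int(seq_s)
        except ValueError:
            return "malformed"
        want = hmac.new(self.key, f"{seq} {msg}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, mac):   # constant-time comparison
            return "bad-mac"
        if seq < self.next_seq:
            return "replay"                      # older than what we already accepted
        if seq > self.next_seq:
            self.gaps.append((self.next_seq, seq))   # something was lost or dropped
        self.next_seq = seq + 1
        self.accepted.append((seq, msg))
        return "ok"


def run_demo(key=SHARED_KEY):
    # Constructed firewall syslog lines, not real output.
    lines = [
        "<34>Jun  7 10:26:00 fw1 kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP DPT=23",
        "<34>Jun  7 10:26:01 fw1 kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP DPT=22",
        "<38>Jun  7 10:26:05 fw1 sshd[411]: Accepted publickey for admin from 198.51.100.7",
        "<38>Jun  7 10:26:09 fw1 sshd[411]: session opened for user admin",
    ]
    wire = [tag_line(key, i, m) for i, m in enumerate(lines)]

    # What an on-path attacker without the key can do to the stream:
    tampered = wire[1].replace("DPT=22", "DPT=80")   # edit a line: the tag no longer matches
    replayed = wire[0]                               # resend an old, validly tagged line
    # wire[1] never arrives intact, so the receiver should see a gap 1 -> 2.
    stream = [wire[0], tampered, wire[2], replayed, wire[3]]

    rx = Receiver(key)
    statuses = [rx.check(line) for line in stream]

    # The caveat: the receiver holds the same key, so it (or anyone who
    # obtains the key) can forge a line that verifies perfectly. A MAC therefore
    # cannot serve as third-party evidence of who produced the log.
    forged = tag_line(key, rx.next_seq,
                      "<38>Jun  7 10:30:00 fw1 sshd[500]: Accepted password for root from 203.0.113.5")
    forged_status = rx.check(forged)

    return {
        "statuses": statuses,
        "gaps": rx.gaps,
        "accepted_seqs": [s for s, _ in rx.accepted],
        "forged_status": forged_status,
        "tag_bytes": hashlib.sha256().digest_size,   # 32 bytes per line, vs. a far larger PKI signature
    }


if __name__ == "__main__":
    print(run_demo())
```

The tag is 32 bytes per line, which is the "shorter and easier on CPUs" point; a PKI signature per line (or per block of lines, as syslog-sign batches them) costs more bytes and a public-key operation, but a verifier who holds only the public key cannot forge, which is what the evidentiary use needs. The sequence number gives the replay and reordering detection that AH would provide at the IP layer, but only for a single ordered stream; the gap list is what a practitioner would alert on.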