On Wed, 12 Jun 2002, Ben Nagy wrote:
level) and a tamper-evident log auditor. [1] For other OS's - we need
to have indelible log generation. Simply sending those messages out as
Let's not forget that the OS running the services may not need to be the
only OS running (Don't know how much UML
Engineering
CyberGuard Corporation Northeast Region
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Ben Nagy
Sent: Wednesday, June 12, 2002 5:07 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: firewall logging
Importance: High
You tell me
In response to Ron DuFresne:
Baltimore's UniCERT product is designed to be a root CA and the digital
signing of the log entry by its agent software upon creation of the log
entry will meet the legal requirements for providing
trustworthiness. Baltimore also operates a commercial CA if an
On Tue, 11 Jun 2002, Marc E. Mandel wrote:
In response to Ron DuFresne:
Baltimore's UniCERT product is designed to be a root CA and the digital
signing of the log entry by its agent software upon creation of the log
entry will meet the legal requirements for providing
trustworthiness.
Sent: Wednesday, June 12, 2002 5:27 AM
To: 'Ben Nagy'; [EMAIL PROTECTED]
Subject: RE: firewall logging
(I don't know that I want to post this on the list, since I'm
a lurking FW vendor, but pass it on if you deem it fit.)
Just as an FYI, The CyberGuard Firewalls have a binary
encoded
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Ron DuFresne
Sent: Wednesday, June 12, 2002 8:40 AM
To: Marc E. Mandel
Cc: [EMAIL PROTECTED]
Subject: RE: firewall logging
On Tue, 11 Jun 2002, Marc E. Mandel wrote:
In response to Ron
Ben Nagy wrote:
[will make you breakfast, wash your car and still have time to broker a
peace deal between India and Pakistan]
... extracts the private key from the Baltimore UniCERT server, just
as it is in the process of whipping up another ham omelette
Bwhahaha! Da capo, da capo! :)
Let me give you a scenario. I, Unlucky Ben, have just left XYZCorp
after
a disagreement with my manager. Said manager, Evil Bill, decides to
have
the last word. Having access to all the servers, Evil Bill extracts
the
private key from the Baltimore UniCERT server, just as it is in the
On Wed, 12 Jun 2002, Ben Nagy wrote:
I'll put all this more simply - every scheme to provide authenticated
logs needs to use something secret. If it's onsite, then the secret
isn't safe, and the logs just can't be trusted by an outsider.
I think it's possible to do up a scheme with a TCB that
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Paul D. Robertson
Sent: Wednesday, June 12, 2002 1:44 PM
To: Ben Nagy
Cc: [EMAIL PROTECTED]
Subject: RE: firewall logging
On Wed, 12 Jun 2002, Ben Nagy wrote:
I'll put all this more simply
On Wed, Jun 12, 2002 at 11:06:52AM +0200, Ben Nagy wrote:
I'm sure that your mechanism is smarter than that, but I'm still
asserting that it's just a bigger hurdle.
The idea is, to have the log server physically protected from insiders. It
is a log sink and not more. Administration of that
Mikael Olsson wrote:
Bwhahaha! Da capo, da capo! :)
Whoops. I meant for that to be off-list. Oh well; now I get
to bug all of you twice ;)
On Wed, 12 Jun 2002, Ben Nagy wrote:
I don't think I have to go that far. I can probably subvert the OS
through whatever the ultimate root account is, get the key from RAM and
fiddle the HDD logs and then spam the flash log (multiple power events,
Sorry, you don't get the ultimate
I guess to try and get something half useful out of all this we should
recap.
There are three sets of problems.
At the log generator(s): verification, log authenticity and log
continuity. Ideally we want records that we can say are genuine, and
haven't been added to or elided. We can't do that
Ben Nagy wrote:
I'll believe it all when someone makes a firewall
like that, though. ;)
You do realize that someone will now go put together a box that they'll
sprinkle some orange book fairy dust(tm) over, certify according
to RSSHYNARI-2002 [1], claim that it does exactly the above
In response to Ben Nagy's 06/08/2002 message that asked:
I see the need for evidence quality data, but I can't see how
incorporating signatures in that way would go any way towards making
data more courtworthy. To cheat, I just fake the logs on my firewall,
sign them (because I have the private
: 0x1A86E304
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Marc E. Mandel
Sent: Tuesday, June 11, 2002 6:12 PM
To: [EMAIL PROTECTED]
Subject: RE: firewall logging
In response to Ben Nagy's 06/08/2002 message that asked:
I see the need
On Tue, 11 Jun 2002, Marc E. Mandel wrote:
In response to Ben Nagy's 06/08/2002 message that asked:
I see the need for evidence quality data, but I can't see how
incorporating signatures in that way would go any way towards making
data more courtworthy. To cheat, I just fake the logs on my
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Paul Krumviede
[...]
I would have looked at using a simple HMAC with shared
secrets (or at
least offering it as an option) to make things shorter and
easier on
CPUs (but then I'm not an IETF
Kevin Steves wrote:
I'm tending to think TCP syslog over SSL/TLS would be a good
thing to have.
Yeah, I've sort of been thinking along the same lines myself. (Along
with using a remote-only syslog receiver that doesn't need to bind
the local domain sockets or whatever the OS flavour
-Original Message-
From: Mikael Olsson [mailto:[EMAIL PROTECTED]]
[...]
Kevin Steves wrote:
I'm tending to think TCP syslog over SSL/TLS would be a good thing
to have.
Good, but expensive thing. Syslog over TCP over SSL would be much
tougher on the CPU for smaller devices -
--On Friday, 07 June, 2002 10:26 +0200 Ben Nagy [EMAIL PROTECTED] wrote:
-Original Message-
From: Mikael Olsson [mailto:[EMAIL PROTECTED]]
[...]
Kevin Steves wrote:
I'm tending to think TCP syslog over SSL/TLS would be a good thing
to have.
Yeah, I've sort of been thinking
I don't know if it suits you, but at my company we use a
central syslog server and some free tools (some home made)
to process logs and generate summary reports and exception traps.
On Cisco, it's quite easy to forward all logs to a central syslog
server. For fw-1, we use "fw log -ft | logger
Check out WebTrends.
Carric Dooley
COM2:Interactive Media
http://www.com2usa.com
On Wed, 23 Jun 1999 [EMAIL PROTECTED] wrote:
Hi all!
I'm currently training myself in the Firewalls-Topic, and was wondering how
you keep track of all the different logfiles... every vendor seems to