On Mon, 17 Jan 2005, Dave Ewart wrote:

> We're doing the classic DMZ 'three-armed' network layout, nothing comes

Ah good.

> directly into GREEN; the DMZ will house the publicly-accessible servers.

Cool.

> Oh, yes, I agree - by GREEN I mean the local private network of course. My use of 'outgoing' was misleading ... :-)
Ah so you were asking about allowing udp/514 from the DMZ into the internal GREEN network. Like all security decisions this is a risk assessment.
Overall I would not consider this a moderate risk given that you are only allowing access from the DMZ, but anything allowed to connect to hosts on the GREEN network is potentially a hazard. Someone cracking a box in the DMZ may feed bogus information to syslogd (no way around that) or may try to DoS syslogd on the log host even if they can't actually break into the GREEN network.
If you were really paranoid you could have a 4th leg with the log host in it ;)
Cheers,
Rob

-- 
Robert Brockway B.Sc.
Senior Technical Consultant, OpenTrend Solutions Ltd.
Phone: 416-669-3073  Email: [EMAIL PROTECTED]  http://www.opentrend.net
OpenTrend Solutions: Reliable, secure solutions to real world problems.
Contributing Member of Software in the Public Interest (www.spi-inc.org)
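The two hazards Rob names (bogus data and a DoS of syslogd from a cracked DMZ box) can be narrowed on the log host itself, in addition to the firewall rule that only passes udp/514 from the DMZ leg to that single host. Below is an added example of such a receiver; it is not code from this thread, from Dave's setup or from any syslogd. It assumes the DMZ is 192.0.2.0/24 (an RFC 5737 documentation range), that the servers send classic BSD-style syslog (RFC 3164, `<PRI>` followed by the text) and a per-source budget of 10 messages per second with a burst of 10. It cannot tell a true message from a planted one, which is the "no way around that" part; what it can do is refuse non-DMZ sources, refuse malformed datagrams, record the real UDP source address rather than the attacker-controlled hostname field, and keep one flooding host from starving the others.

```python
"""Hardened udp/514 syslog receiver for a GREEN-side log host.

Added example, not from the original thread.  Assumed values: the DMZ is
192.0.2.0/24, messages are RFC 3164 style, budget is 10 msg/s, burst 10.
"""
import ipaddress
import re
import socket
import time
from collections import defaultdict

DMZ_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed DMZ range
MAX_DATAGRAM = 1024                                    # RFC 3164 packet ceiling
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)


def source_allowed(ip: str) -> bool:
    """First check: only the DMZ leg may speak to the log host at all."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DMZ_NETWORKS)


def parse_bsd_syslog(data: bytes):
    """Return (facility, severity, msg) or None if the datagram is malformed."""
    if len(data) > MAX_DATAGRAM:
        return None
    m = PRI_RE.match(data)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                       # 24 facilities * 8 severities - 1
        return None
    raw = m.group(2)
    if not all(32 <= b <= 126 for b in raw):   # printable US-ASCII only
        return None
    return pri // 8, pri % 8, raw.decode("ascii")


class TokenBucket:
    """Per-source token bucket so one cracked DMZ box cannot drown syslogd."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last = {}

    def allow(self, key: str, now: float) -> bool:
        elapsed = now - self.last.get(key, now)
        self.tokens[key] = min(self.burst, self.tokens[key] + elapsed * self.rate)
        self.last[key] = now
        if self.tokens[key] >= 1.0:
            self.tokens[key] -= 1.0
            return True
        return False


def handle_datagram(data: bytes, src_ip: str, bucket: TokenBucket, now: float):
    """Policy decision for one datagram: ('accept', parsed) or ('drop', why).

    The budget is charged before parsing, so a flood of garbage costs the
    sender just as much as a flood of well-formed messages.
    """
    if not source_allowed(src_ip):
        return ("drop", "source not in DMZ")
    if not bucket.allow(src_ip, now):
        return ("drop", "rate limit")
    parsed = parse_bsd_syslog(data)
    if parsed is None:
        return ("drop", "malformed")
    return ("accept", parsed)


def serve(bind=("0.0.0.0", 514), rate=10.0, burst=10):
    """Run the receiver (port 514 needs root).  Not exercised by the test."""
    bucket = TokenBucket(rate, burst)
    drops = defaultdict(int)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, (src_ip, _port) = sock.recvfrom(MAX_DATAGRAM + 1)
        verdict, detail = handle_datagram(data, src_ip, bucket, time.monotonic())
        if verdict == "accept":
            facility, severity, msg = detail
            # Record the UDP source, not the hostname inside the message:
            # the latter is whatever the DMZ box chose to write.
            print(f"{src_ip} fac={facility} sev={severity} {msg}")
        else:
            # Drops are counted, not logged line by line, so the filter
            # itself cannot be turned into a disk-filling channel.
            drops[detail] += 1


if __name__ == "__main__":
    serve()
```

The source check is only as good as the anti-spoofing rules on the firewall's DMZ interface; with UDP there is no handshake, so a DMZ host can still claim another DMZ host's address unless the firewall rejects packets whose source does not belong to the leg they arrived on.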

