"C. Cooke" wrote:
>
> On Thu, 15 Jun 2000, Marcin Owsiany wrote:
>
> > Depends on your exact mail setup, I think. Maybe make a script that would
> > download the logs to some other box using scp and mail them locally then to
> > your account's mailbox. If you're downloading mail via POP to some other
> > box, you may do it via an ssh tunnel.
>
> Not the best way, I think... make a script that connects *to* the firewall
> with scp, and pulls the logs off it - if you have a script on the firewall
> that can automatically copy files to a remote site, then anyone who
> manages to get into the firewall automatically has a shell account on that
> remote site... whereas with proper defensive programming, a script that
> pulls the data *from* the firewall remains safe, even if the data is
> tampered with.
>
> Of course, you then have a "free" account on the firewall, but if you
> create an RSA keyset that is *only* used for that *one* firewall, it
> should be secure.
Hmm... of course (once again) it does depend on your network architecture.

For example, I'm leaning towards the "glorified router" firewall, where the firewall routes between the internet, a semi-public perimeter network, and the internal network. Port redirection is used to map real services into bastion hosts in the perimeter network. Therefore (correct me if I'm wrong, I'm fat on literature and skinny on experience) the most likely victims of an attack will be the bastion servers, not the firewall itself.

In fact, the firewall becomes the most important part of the architecture, since it is preventing access to the (presumably very insecure, all full of nfs and nis and smb oh my) internal network from both the outside world and the semi-secure perimeter network. Kind of a "put all your eggs in one basket, but make a very good basket" design. You only need one or two user accounts on the firewall, and can really restrict root access. You don't run any services other than perhaps sshd.

So in that case, you would want absolutely no access info stored on the bastions, but having access info stored on the firewall would probably be OK - after all, if they've broken into the firewall they have full network access (sniffers etc.) anyway.

On the other hand, if your firewall also serves as the bastion server and runs daemons, then your strategy makes more sense.

--
Paul Reavis [EMAIL PROTECTED]
Design Lead
Partner Software, Inc.
http://www.partnersoft.com
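The pull model C. Cooke describes, written out as an added example (this is not code from the thread): the collector connects to the firewall with a key pair dedicated to that one host, the firewall-side authorized_keys entry pins that key to a single read-only forced command, and whatever comes back is handled as untrusted bytes that are never executed or sourced. Host name, account, key path, log path and the restricted_key_line/validate_pulled/pull_logs helpers are all assumptions.

```shell
#!/bin/sh
# Pull-model log collection (added example). The collector connects TO the
# firewall; the firewall holds no credentials for any other machine.
# All host names, accounts and paths below are placeholders.
set -u

FW_HOST="${FW_HOST:-firewall.example.invalid}"              # placeholder firewall address
FW_USER="${FW_USER:-logpull}"                                # unprivileged account on the firewall
KEY="${KEY:-${HOME:-/root}/.ssh/id_rsa_fwlogs}"              # key pair used for this ONE firewall only
DEST="${DEST:-/var/log/firewall-pulled}"                     # where the collector keeps its copies

# Firewall-side authorized_keys entry for that key: forced command, caller
# pinned to the collector's address, no pty, no forwarding. A stolen key then
# buys a read of the log file, not a shell on the firewall.
restricted_key_line() {
    collector_ip=$1
    pubkey=$2
    printf 'from="%s",command="cat /var/log/messages",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$collector_ip" "$pubkey"
}

# Defensive check on pulled data: the file is opaque bytes, never sourced,
# eval'ed or expanded. Reject anything that is not a regular, non-empty,
# printable-ASCII text file, since a tampered firewall could send back anything.
# (LC_ALL=C means bytes above 0x7f are rejected too; syslog output is ASCII.)
validate_pulled() {
    f=$1
    [ -f "$f" ] && [ -s "$f" ] || return 1
    LC_ALL=C grep -q -- '[^[:print:][:space:]]' "$f" && return 1
    return 0
}

# Collector side: the stored file name is chosen here, never by the firewall;
# only the dedicated key is offered; the firewall's host key must already be
# known so a spoofed firewall cannot impersonate the real one.
pull_logs() {
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    out="$DEST/messages.$stamp"
    mkdir -p "$DEST"
    ssh -i "$KEY" -o IdentitiesOnly=yes -o BatchMode=yes \
        -o StrictHostKeyChecking=yes "$FW_USER@$FW_HOST" > "$out" \
        || { rm -f "$out"; return 1; }
    validate_pulled "$out" || { rm -f "$out"; return 1; }
    echo "$out"
}

if [ "${1:-}" = run ]; then
    pull_logs
fi
```

Run it from cron on the collector as `sh pull-fwlogs.sh run`; the firewall needs only the sshd it already runs and the one restricted authorized_keys line.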

