1999-08-17-03:11:01 Vin McLellan:
> I like Mr. Todd's heavy-duty (off-line audit) approach, but I have
> a slightly less burdensome alternative (or complement) to suggest. I've
> been urging my clients to consider crypto-enhanced audit logs: irreversible
> updating to log files with a one-way function, at a minimum.... Maybe with
> an option to write logs to a WORM drive? Maybe with a timestamp in the
> digest?
>
> Anyone got any comments? Cautions or suggestions for implementation?
> Hashed digests or digital signatures?
In <URL:http://www.counterpane.com/secure-logs.html> Bruce Schneier and John
Kelsey present an algorithm for adding crypto tamper-resistance to logfiles.
However, I think a simpler solution is often appropriate. I am a keen fan of
protected, archived logs, kept for a long time. I like simply gathering them
onto a hardened host.
I fondly remember a potentially nasty situation where the day was saved by
logs. We had a little configuration error on a terminal server; the intent was
that it should answer the phone, give a login prompt, demand a SecurID
authentication, and then, after letting the user get to the terminal server
prompt, either let them telnet to a machine inside the firm or else let them
start up PPP. The first attempt to get this config working produced a setup
where the terminal server would listen for a PPP handshake while the plain
login prompt was out there, and not demand any authentication at all to come
in with PPP. Ick. Worse, it was months before this was discovered. Double ick.
When we discovered it, we fixed the config error, then were able to analyze
access logs and phone records over the time that the hole was open,
correlating login accesses with known originating phone numbers. A few people
were surprised when we contacted them to ask why they had logged in from such
and so place at this time on that day, but in every case it turned out to be
people travelling.
Crypto signed logs are a nice frill to have in the toolbox, but as far as I
can see many cases are adequately covered by hardened log-gathering hosts. The
biggest problem I've yet to address is that (a) it's hard to replace syslog on
many systems, since Unix vendors are fond of embedding weird, undocumented
backdoors and hooks into syslog, and (b) standard syslog does remote logging
via UDP with no attempt at congestion management or lost-packet
retransmission. Wouldn't it be nice if there were a really reliable TCP
logging protocol, suitable for gathering massive amounts of log data into a
single secure logging server?
-Bennett
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
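The following is an added worked example, not code from Vin's or Bennett's posts and not the Schneier/Kelsey algorithm itself. It shows the "irreversible updating with a one-way function" idea from the quoted question in its simplest workable form: each log entry is MACed under a key that is hashed forward (and the old key discarded) right after use, and each MAC also covers the previous entry's MAC so the entries form a chain. A verifier who kept the initial key offline can then detect modification, deletion and reordering; truncation is caught when the verifier knows how many entries to expect. The log lines, the initial key and the function names are constructed for the example.

```python
"""Forward-secure hash-chained audit log (added example, simplified scheme).

Entry i is authenticated as HMAC(K_i, prev_mac || body_i). Immediately after
use, K_i is replaced by K_{i+1} = H(K_i) and K_i is forgotten on the logging
host, so an intruder who later takes the host learns only the current key and
cannot rewrite earlier entries. The verifier holds K_0 (kept offline) and
recomputes the chain.
"""
import hashlib
import hmac
import json
from typing import List, Optional

HASH = hashlib.sha256
CHAIN_ANCHOR = b"\x00" * 32  # prev_mac for the very first entry

# Constructed sample log lines (not real records).
CONSTRUCTED_LINES = [
    "Aug 17 02:58:01 ts1 login: user alice authenticated (SecurID)",
    "Aug 17 03:00:12 ts1 ppp: DENY unauthenticated PPP on line 4",
    "Aug 17 03:04:44 ts1 telnet: alice -> host.inside",
]


def evolve_key(key: bytes) -> bytes:
    """One-way key update: the old key cannot be recovered from the new one."""
    return HASH(b"log-key-evolve|" + key).digest()


def encode_body(index: int, message: str) -> bytes:
    # Canonical encoding so writer and verifier MAC exactly the same bytes.
    return json.dumps({"i": index, "msg": message}, sort_keys=True).encode()


class SecureLog:
    """Append-only writer side; keeps only the *current* key."""

    def __init__(self, initial_key: bytes):
        self._key = initial_key
        self._prev_mac = CHAIN_ANCHOR
        self.entries: List[dict] = []

    def append(self, message: str) -> dict:
        index = len(self.entries)
        mac = hmac.new(self._key, self._prev_mac + encode_body(index, message), HASH).digest()
        entry = {"i": index, "msg": message, "mac": mac.hex()}
        self.entries.append(entry)
        self._prev_mac = mac
        self._key = evolve_key(self._key)  # old key is now gone from this host
        return entry


def verify(entries: List[dict], initial_key: bytes,
           expected_count: Optional[int] = None) -> Optional[int]:
    """Return None if the chain verifies, else the index of the first bad entry.

    With expected_count given, a truncated log fails at index len(entries).
    """
    key, prev_mac = initial_key, CHAIN_ANCHOR
    for expected_i, e in enumerate(entries):
        if e.get("i") != expected_i:          # deletion or reordering
            return expected_i
        mac = hmac.new(key, prev_mac + encode_body(e["i"], e["msg"]), HASH).digest()
        if not hmac.compare_digest(mac, bytes.fromhex(e["mac"])):
            return expected_i                 # modified entry (or wrong key)
        prev_mac, key = mac, evolve_key(key)
    if expected_count is not None and len(entries) != expected_count:
        return len(entries)                   # truncation
    return None


def demo():
    """Write the sample log, then show what each kind of tampering looks like."""
    k0 = b"\x01" * 32  # constructed; in practice random and shared with the verifier offline
    log = SecureLog(k0)
    for line in CONSTRUCTED_LINES:
        log.append(line)

    intact = verify(log.entries, k0)                       # None

    tampered = [dict(e) for e in log.entries]
    tampered[1]["msg"] = tampered[1]["msg"].replace("DENY", "PERMIT")
    modified_at = verify(tampered, k0)                     # 1

    deleted = log.entries[:1] + log.entries[2:]
    deleted_at = verify(deleted, k0)                       # 1

    truncated_at = verify(log.entries[:2], k0, expected_count=3)  # 2
    return intact, modified_at, deleted_at, truncated_at


if __name__ == "__main__":
    print(demo())
```

The point an implementer should take from this is the separation of roles: the writer needs only the current key and the last MAC, so a compromised logging host gives the intruder nothing with which to rewrite history, while the verifier needs the initial key, which is exactly the secret to keep off that host (or, in Vin's framing, alongside the WORM copy). A plain per-entry hash without the key chain would let the intruder simply recompute the digests.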