Dan & David,

TCP (Reliable) Syslog is a PIX feature.

When the TCP Syslog server stops responding the PIX stops passing 
traffic.  It doesn't crash (at least mine doesn't and it is not supposed 
to).  In our implementation the server stops responding when the OS signals 
that the disk is full.

Our Syslog server implementation is not supposed to crash the PC when the 
disk goes full. Other implementations of the TCP Syslog server (that I have 
seen) have other features to control how that Syslog server response works.

>My earlier reply was really to say that you
>should think carefully about using TCP for syslog on the PIX as there are
>some risks involved - for instance, if you're running an e-commerce site
>that relies on the web server being accessible 24/7 then you might not
>want connections to be stopped when the syslog server has a problem,
>you're willing to risk not recording logs in order to allow your customers
>to continue buying your products. Blindly using TCP syslogging without
>consideration could render your public services unreachable in the event
>of a problem with the syslog server which becomes a single point of
>failure in the system.

Excellent point.  And it raises the risk management issue: "Do business" or 
"Do business with some audit trail"?  And if I've hacked your e-commerce 
site and I want to obscure my trail I would want to either destroy or 
otherwise render that log useless.  TCP syslog takes away one means of 
doing that and ensures that I have some data.  If someone hacks the 
firewall log file (tries to delete it or copy over it with an empty file) 
and the Syslog server burps, the firewall stops processing traffic.

Liberty for All,

Brian

At 10:10 AM 12/19/2001 -0800, [EMAIL PROTECTED] wrote:
>Message: 9
>From: "Daniel Crichton" <[EMAIL PROTECTED]>
>Organization: Computer Manuals Ltd.
>To: [EMAIL PROTECTED]
>Date: Wed, 19 Dec 2001 11:46:39 -0000
>Subject: Re: Re: PIX  logging setup help
>Reply-To: [EMAIL PROTECTED]
>Cc: [EMAIL PROTECTED]
>
>On 19 Dec 2001 at 3:13, [EMAIL PROTECTED] wrote:
>
> >   It seems to me that running out of log space *should* not be a
> > normal condition, and might indicate a deliberate hostile attempt to
> > disable logging.  Whether one wants to continue to permit connections
> > with logging disabled is a policy decision that might very well go
> > either way, although I'd expect those who'd prefer TCP to UDP for
> > syslog would tend to incline to the more defensive option.
>
>In our case it was due to the machine used for syslog having not enough
>space. It also caused the PIX to stop when it crashed - if you use TCP for
>syslogging on the PIX make sure your syslog server is very robust!
>
> >   In a perfect universe, the choice of whether to continue permitting
> > traffic when logging is known to have failed could be a separate
> > option, orthogonal to whether one chooses to use a connection-based
> > protocol for logs (although the choice cannot meaningfully be made
> > with a connectionless protocol...).
> >   But, short of such perfection, I think this is quite likely to be a
> > deliberate and defensible design decision by Cisco, rather than a
> > known bug, defect, or oversight.
>
>I understand why Cisco has included this feature - in some circumstances
>it is desirable to prevent access to your network if you are unable to
>record what is happening. My earlier reply was really to say that you
>should think carefully about using TCP for syslog on the PIX as there are
>some risks involved - for instance, if you're running an e-commerce site
>that relies on the web server being accessible 24/7 then you might not
>want connections to be stopped when the syslog server has a problem,
>you're willing to risk not recording logs in order to allow your customers
>to continue buying your products. Blindly using TCP syslogging without
>consideration could render your public services unreachable in the event
>of a problem with the syslog server which becomes a single point of
>failure in the system.
>
>Dan
>---
>D.C. Crichton                 email: [EMAIL PROTECTED]
>Senior Systems Analyst        tel:   +44 (0)121 706 6000
>Computer Manuals Ltd.         fax:   +44 (0)121 606 0477
>
>Computer book info on the web:
>    http://computer-manuals.co.uk/
>Want to earn money? Join our affiliate network!
>    http://computer-manuals.co.uk/affiliate/

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
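The trade-off debated in this thread (a TCP syslog server that stops reading when its disk fills, which makes the PIX stop passing traffic, versus one that keeps draining the connection and loses records) can be made an explicit policy in the receiver. The following is an added example, not code from any poster or from Cisco: a minimal TCP syslog receiver with a disk-full policy; the log directory, the reserve threshold and the listening port 1468 are assumptions chosen for illustration.

```python
"""Added example: TCP syslog receiver with an explicit disk-full policy.
LOG_DIR, RESERVE_BYTES and the port are constructed values, not settings
from the thread or from the PIX documentation."""
import shutil
import socketserver
from pathlib import Path

LOG_DIR = Path("/var/log/firewall")    # assumed log location
RESERVE_BYTES = 64 * 1024 * 1024       # assumed reserve: keep 64 MiB free

# "fail_closed": stop reading, so a firewall using TCP syslog sees a stalled
#                or closed connection and (as the thread describes for the
#                PIX) stops passing traffic until logging works again.
# "fail_open":   keep draining the connection but discard messages, so the
#                firewall keeps forwarding traffic and the audit trail has a hole.
POLICY = "fail_closed"


def decide(free_bytes: int, reserve: int, policy: str) -> str:
    """Return 'store', 'drop' or 'refuse' for one incoming message."""
    if free_bytes >= reserve:
        return "store"
    if policy == "fail_open":
        return "drop"
    return "refuse"


class SyslogHandler(socketserver.StreamRequestHandler):
    def handle(self):
        LOG_DIR.mkdir(parents=True, exist_ok=True)
        with (LOG_DIR / "pix.log").open("a") as out:
            for raw in self.rfile:                 # one syslog message per line
                free = shutil.disk_usage(LOG_DIR).free
                action = decide(free, RESERVE_BYTES, POLICY)
                if action == "refuse":
                    # Closing the socket makes the disk problem visible to the
                    # sender instead of silently losing records.
                    return
                if action == "store":
                    out.write(raw.decode("utf-8", "replace"))
                    out.flush()
                # "drop": the line was read and discarded; sender stays unblocked


if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(("0.0.0.0", 1468), SyslogHandler) as srv:
        srv.serve_forever()
```

Whichever policy is chosen, free space on the log partition should be monitored and alerted on well before RESERVE_BYTES is reached, so the decision is taken by an operator rather than by the receiver.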
