On Thu, Jun 06, 2002 at 09:55:44AM +0200, Ben Nagy wrote:
> SNMP doesn't offer confidentiality, is brittle against concerted attack,
> runs on UDP which makes spoofing trivial, and is so complex that a large
> proportion of the SNMP implementations have had problems recently (and
> they ran fine and were considered "good" for years). In addition, to
> manage any firewall you need an app designed specifically for it (to
> handle all the set requirements) which puts you right back in the
> "specialised app" camp, except using probably the worst communications
> channel anyone could think of - I mean _damn_ I'd rather use telnet than
> SNMP - at least it's TCP which makes it harder to spoof!

Logging is what I've been thinking of lately (again).  PIX supports
what is basically syslog over TCP.  I'm tending to think TCP syslog
over SSL/TLS would be a good thing to have.

Are everyone's syslogds still running as root?  Owl's syslogd can
drop root privs.

Some of my thoughts from around 1998:

         Using syslog as a Generic Event Transport Mechanism
                   Kevin Steves <[EMAIL PROTECTED]>

Summary

There are many advantages to deploying a unified event transport
mechanism within an application infrastructure.  For example, event
correlation and reporting can be performed at a central location.
This brief proposes a methodology where syslog is utilized as a
generic event transport mechanism.

syslog

On Unix systems, logging has traditionally been handled via syslog.  A
syslog daemon runs which receives log messages from both local and
remote syslog clients.  For remote syslog messages, UDP port 514 is
used.  Many non-Unix systems support syslog, for example Cisco IOS can
send log and other messages to a syslog server.  There is also
software that can be installed on Windows NT to transmit NT event logs
to a remote syslog server. [1]

One disadvantage of syslog is that it uses UDP, which is not a
reliable transport protocol, so it is possible to lose log messages.
This risk may be reduced by logging to multiple syslog servers
simultaneously, and retaining log messages locally for some period of
time.

Applications that write to a local log file (they don't use syslog)
can be handled by a script that sends the messages via the logger
command (a command-line syslog client) to the log server(s).

Other Events

We can use this mechanism to transmit any type of event from a host to
the log server for event correlation and analysis.  For example, we
can write a script to transmit interface in and out octet counts for
input to MRTG [2]; with this strategy we do not have to install an
SNMP agent on the bastion host.  Other statistical information can be
gathered and sent, such as performance metrics (sar output and run
queue values) and disk space utilization etc.
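As an added illustration, not part of the 1998 brief, the following Python script shows what the forwarding script described in the two preceding sections would do: pick up complete lines appended to a local log file since the last run, format each one as a BSD syslog datagram (the <PRI> prefix is facility * 8 + severity, later written down in RFC 3164), cap it at the 1024-byte payload the brief assumes, and send a copy to every log server so that a UDP loss on one path does not lose the event. The same `forward` function carries an arbitrary event, here a constructed MRTG-style interface counter line. Function names, the state-file handling and the host addresses are the example's own choices.

```python
import socket

# BSD syslog facility and severity codes; the datagram starts with <PRI>
# where PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11, "local0": 16, "local1": 17,
              "local2": 18, "local3": 19, "local4": 20, "local5": 21,
              "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

MAX_PAYLOAD = 1024   # the brief assumes no implementation sends more than this
SYSLOG_PORT = 514    # remote syslog: UDP port 514


def build_message(facility, severity, hostname, tag, text,
                  timestamp="Jun  6 09:55:44"):
    """Return one syslog datagram payload, truncated to MAX_PAYLOAD bytes.

    The default timestamp is a constructed value so output is stable;
    a real sender would insert the current local time.
    """
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    # Fold CR/LF into spaces so one event can never be read as two lines
    # (or a forged second line) by the receiver.
    text = text.replace("\r", " ").replace("\n", " ")
    data = f"<{pri}>{timestamp} {hostname} {tag}: {text}".encode("ascii", "replace")
    return data[:MAX_PAYLOAD]


def parse_pri(data):
    """Recover (facility, severity) from the leading <PRI> of a datagram."""
    if not data.startswith(b"<"):
        raise ValueError("missing PRI")
    pri = int(data[1:data.index(b">")])
    return pri // 8, pri % 8


def split_complete_lines(chunk):
    """Return (lines, consumed): the complete lines in chunk and how many
    bytes they cover. A partial trailing line is left for the next run."""
    parts = chunk.split(b"\n")
    tail = parts.pop()                    # b"" when chunk ended with "\n"
    consumed = len(chunk) - len(tail)
    return [p.decode("ascii", "replace") for p in parts if p], consumed


def read_new_lines(path, offset):
    """Read lines appended to path since offset; returns (lines, new_offset).
    Persisting new_offset between runs makes the forwarder incremental."""
    with open(path, "rb") as f:
        f.seek(offset)
        chunk = f.read()
    lines, consumed = split_complete_lines(chunk)
    return lines, offset + consumed


def forward(lines, servers, hostname, tag, facility="local0",
            severity="info", send=None):
    """Send every line to every server; returns the datagrams sent.
    `send(data, addr)` defaults to a UDP socket and can be swapped for tests."""
    if send is None:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        send = sock.sendto
    datagrams = [build_message(facility, severity, hostname, tag, ln)
                 for ln in lines]
    for data in datagrams:
        for host in servers:              # duplicate to each log server
            send(data, (host, SYSLOG_PORT))
    return datagrams


if __name__ == "__main__":
    # Constructed MRTG-style counter event sent to a local receiver.
    event = "eth0 in_octets=123456789 out_octets=987654321"
    for d in forward([event], ["127.0.0.1"], "bastion", "ifstat"):
        print(d)
```

Run it on a host with a syslogd listening on 127.0.0.1:514 and the counter line arrives tagged `ifstat` under local0.info; wire `read_new_lines` to a state file and call it from cron to replay a local application log the same way.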

Security Analysis

Since the syslog server(s) may be deployed behind or within a
multi-layered security perimeter, they may be points of attack via the
syslog channel.  syslog servers typically run with root privilege on
Unix systems; it may be possible to remove that privilege requirement,
for example by changing the system privileged UDP port range, or
running the server on an OS with finer grained privileges than UID 0.

If FireWall-1 is utilized as a filter along the syslog path or route,
a paranoid syslog service can be created and used in the rulebase,
which may greatly reduce the possibility of successful attacks via the
syslog channel.  If we assume an Ethernet MTU along the entire path,
and that no syslog implementation we are aware of transports messages
greater than 1024 bytes (UDP payload), we can create a new service
object with the following INSPECT code:

paranoid-syslog:
  ip_p=17,uh_dport=514,ip_len<1065,(ip_off=0 or ip_off=0x04000)

The IP datagram length should be < 1065 bytes (IP header 20, UDP
header 20, max payload 1024) and we should never see a fragmented
datagram.  The preceding code enforces that policy.
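The same policy expressed as a Python check over raw IPv4 datagrams, added here as an example and not part of the brief or of any FireWall-1 code: it is useful for confirming against a capture which packets the rule admits. One caveat worth seeing concretely: the UDP header is 8 bytes, so a full 1024-byte payload gives an IP total length of 1052, and the < 1065 bound therefore still admits up to 1036 payload bytes; the last cases below show that edge. `make_udp_datagram` builds constructed test packets with zeroed checksums.

```python
import struct

IPPROTO_UDP = 17
SYSLOG_PORT = 514
MAX_IP_LEN = 1065    # the brief's bound: ip_len < 1065
IP_DF = 0x4000       # "don't fragment" flag in ip_off, offset bits all zero

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte header without options
UDP_HDR = struct.Struct("!HHHH")            # sport, dport, length, checksum


def paranoid_syslog_accepts(pkt):
    """True if pkt satisfies the paranoid-syslog INSPECT expression:
    ip_p=17, uh_dport=514, ip_len<1065, ip_off in {0, DF}."""
    if len(pkt) < IPV4_HDR.size:
        return False
    (ver_ihl, _tos, ip_len, _ident, ip_off, _ttl, ip_p, _csum,
     _src, _dst) = IPV4_HDR.unpack_from(pkt)
    if ver_ihl >> 4 != 4:
        return False
    ihl = (ver_ihl & 0x0F) * 4
    if ip_p != IPPROTO_UDP:
        return False
    if ip_len >= MAX_IP_LEN:                 # oversized datagram
        return False
    if ip_off not in (0, IP_DF):             # MF set or nonzero offset: a fragment
        return False
    if len(pkt) < ihl + UDP_HDR.size:        # claims UDP but header is missing
        return False
    _sport, dport, _ulen, _ucsum = UDP_HDR.unpack_from(pkt, ihl)
    return dport == SYSLOG_PORT


def make_udp_datagram(payload, dport=SYSLOG_PORT, ip_off=0, proto=IPPROTO_UDP):
    """Constructed IPv4+UDP packet for testing; checksums are left zero."""
    udp_len = UDP_HDR.size + len(payload)
    ip_len = IPV4_HDR.size + udp_len
    ip = IPV4_HDR.pack(0x45, 0, ip_len, 0x1234, ip_off, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = UDP_HDR.pack(514, dport, udp_len, 0)
    return ip + udp + payload


if __name__ == "__main__":
    msg = b"<134>Jun  6 09:55:44 bastion ifstat: eth0 in_octets=1 out_octets=2"
    cases = {
        "normal syslog":        make_udp_datagram(msg),
        "DF set":               make_udp_datagram(msg, ip_off=IP_DF),
        "first fragment (MF)":  make_udp_datagram(msg, ip_off=0x2000),
        "later fragment":       make_udp_datagram(msg, ip_off=0x0010),
        "1024-byte payload":    make_udp_datagram(b"A" * 1024),   # ip_len 1052
        "1036-byte payload":    make_udp_datagram(b"A" * 1036),   # ip_len 1064
        "1037-byte payload":    make_udp_datagram(b"A" * 1037),   # ip_len 1065
        "wrong port (161)":     make_udp_datagram(msg, dport=161),
        "protocol 6 (TCP)":     make_udp_datagram(msg, proto=6),
    }
    for name, pkt in cases.items():
        verdict = "accept" if paranoid_syslog_accepts(pkt) else "drop"
        print(f"{name:22} -> {verdict}")
```

Tightening the rule to `ip_len<1053` would match the stated 1024-byte payload limit exactly; whether to do so depends on the syslog senders actually in use, since the brief's limit is an observation about implementations rather than a protocol guarantee.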

References

[1] NT syslog client software

NTsyslog (free with GNU license):
http://www.sabernet.net/software/ntsyslog.html

EvntSLog (shareware, $20 per host with quantity discounts):
http://www.adiscon.de/EvntSLog/main.asp

[2] Multi Router Traffic Grapher

http://ee-staff.ethz.ch/~oetiker/webtools/mrtg/mrtg.html

........................................................................

$Id: syslog.txt,v 1.5 2000/07/11 17:04:20 stevesk Exp $
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]